Merge "Enable ARP spoofing prevention by default"

etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini

@@ -106,7 +106,7 @@
 # (e.g. bare metal or VMs attached to agents without this flag set to True).
 # Requires a version of OVS that can match ARP headers.
 #
-# prevent_arp_spoofing = False
+# prevent_arp_spoofing = True
 
 # (BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet
 # carrying GRE/VXLAN tunnel. The default value is True.

neutron/plugins/openvswitch/common/config.py

@@ -74,7 +74,7 @@ agent_opts = [
                        "Allows the switch (when supporting an overlay) "
                        "to respond to an ARP request locally without "
                        "performing a costly ARP broadcast into the overlay.")),
-    cfg.BoolOpt('prevent_arp_spoofing', default=False,
+    cfg.BoolOpt('prevent_arp_spoofing', default=True,
                 help=_("Enable suppression of ARP responses that don't match "
                        "an IP address that belongs to the port from which "
                        "they originate. Note: This prevents the VMs attached "

neutron/tests/unit/plugins/openvswitch/agent/test_ovs_neutron_agent.py

@@ -106,6 +106,7 @@ class TestOvsNeutronAgent(base.BaseTestCase):
                              'neutron.agent.firewall.NoopFirewallDriver',
                              group='SECURITYGROUP')
         cfg.CONF.set_default('quitting_rpc_timeout', 10, 'AGENT')
+        cfg.CONF.set_default('prevent_arp_spoofing', False, 'AGENT')
         kwargs = ovs_neutron_agent.create_agent_config_map(cfg.CONF)
 
         class MockFixedIntervalLoopingCall(object):