OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention

The flow rules to match on ARP headers for spoofing prevention fail to install when an IPv6 address is used. These should be skipped since the ARP spoofing prevention doesn't apply to IPv6. Co-authored-by: Kevin Benton <blak111@gmail.com> Closes-Bug: #1449363 Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde
2015-04-28 12:37:22 +09:00 · 2015-04-28 12:37:22 +09:00 · dbe7ba1868
parent 8978516e49
commit dbe7ba1868
4 changed files with 18 additions and 1 deletions
--- a/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
+++ b/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
@ -729,6 +729,8 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
        # allow ARP replies as long as they match addresses that actually
        # belong to the port.
        for ip in addresses:
+            if netaddr.IPNetwork(ip).version != 4:
+                continue
            bridge.add_flow(
                table=constants.ARP_SPOOF_TABLE, priority=2,
                proto='arp', arp_op=constants.ARP_REPLY, arp_spa=ip,
--- a/neutron/tests/common/machine_fixtures.py
+++ b/neutron/tests/common/machine_fixtures.py
@ -14,6 +14,7 @@
 #

 import fixtures
+import netaddr

 from neutron.agent.linux import ip_lib
 from neutron.tests.common import net_helpers
@ -28,7 +29,9 @@ class Pinger(object):

    def _ping_destination(self, dest_address):
        ns_ip_wrapper = ip_lib.IPWrapper(self.namespace)
-        ns_ip_wrapper.netns.execute(['ping', '-c', self._max_attempts,
+        ipversion = netaddr.IPAddress(dest_address).version
+        ping_command = 'ping' if ipversion == 4 else 'ping6'
+        ns_ip_wrapper.netns.execute([ping_command, '-c', self._max_attempts,
                                     '-W', self._timeout, dest_address])

    def assert_ping(self, dst_ip):
--- a/neutron/tests/contrib/functional-testing.filters
+++ b/neutron/tests/contrib/functional-testing.filters
@ -6,6 +6,7 @@
 [Filters]
 # enable ping from namespace
 ping_filter: CommandFilter, ping, root
+ping6_filter: CommandFilter, ping6, root

 # enable curl from namespace
 curl_filter: CommandFilter, curl, root
--- a/neutron/tests/functional/agent/test_ovs_flows.py
+++ b/neutron/tests/functional/agent/test_ovs_flows.py
@ -53,6 +53,17 @@ class ARPSpoofTestCase(test_ovs_lib.OVSBridgeTestBase,
        self.dst_p.addr.add('%s/24' % self.dst_addr)
        self.pinger.assert_ping(self.dst_addr)

+    def test_arp_spoof_doesnt_block_ipv6(self):
+        self.src_addr = '2000::1'
+        self.dst_addr = '2000::2'
+        self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
+        self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
+        self.src_p.addr.add('%s/64' % self.src_addr)
+        self.dst_p.addr.add('%s/64' % self.dst_addr)
+        # IPv6 addresses seem to take longer to initialize
+        self.pinger._max_attempts = 4
+        self.pinger.assert_ping(self.dst_addr)
+
    def test_arp_spoof_blocks_response(self):
        # this will prevent the destination from responding to the ARP
        # request for it's own address