neutron

History

Chet Burgess 1b73fbd705 Add ARP spoofing protection for LinuxBridge agent This is a backport for the fix that went into master to address this bug. This patch adds ARP spoofing protection for the Linux Bridge agent based on ebtables. The protection is enabled and disabled with the same 'prevent_arp_spoofing' agent config flag added for the OVS agent in I7c079b779245a0af6bc793564fa8a560e4226afe. The protection works by setting up an ebtables chain for each port and jumping all ARP traffic to that chain. The port-specific chains have a default DROP policy and then have allow rules installed that only allow ARP traffic with a source CIDR that matches one of the port's fixed IPs or an allowed address pair. Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7 Closes-Bug: #1274034	2015-09-15 15:52:51 -07:00
..
plugins	CSCO:Tenants not to access unshared n/w profiles	2015-03-10 15:17:48 -07:00
rootwrap.d	Add ARP spoofing protection for LinuxBridge agent	2015-09-15 15:52:51 -07:00

Chet Burgess 1b73fbd705 Add ARP spoofing protection for LinuxBridge agent

This is a backport for the fix that went into master to address
this bug.

This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables.

The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.

The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.

Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7
Closes-Bug: #1274034

2015-09-15 15:52:51 -07:00

plugins

CSCO:Tenants not to access unshared n/w profiles

2015-03-10 15:17:48 -07:00

rootwrap.d

Add ARP spoofing protection for LinuxBridge agent

2015-09-15 15:52:51 -07:00