commit 1b73fbd70522a751f92120e776471c4deb159d0c
Author: Chet Burgess <email address hidden>
Date: Tue Aug 4 13:10:04 2015 -0700
Add ARP spoofing protection for LinuxBridge agent

This is a backport for the fix that went into master to address
this bug.

This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables.

The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.

The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.
Reviewed: https://review.openstack.org/209708
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=1b73fbd70522a751f92120e776471c4deb159d0c
Submitter: Jenkins
Branch: stable/juno
Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7
Closes-Bug: #1274034
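
Added example (not part of the commit and not Neutron's own code): the per-port rule set the commit message describes, built as ebtables argument lists in Python, together with a model of the chain's verdict for a given ARP sender IP. The chain-name prefix, the jump from the FORWARD chain with an -i match, and the sample port values are assumptions made for illustration.

```python
import ipaddress

CHAIN_PREFIX = "example-arp-"  # hypothetical prefix, not taken from Neutron


def allowed_sources(fixed_ips, allowed_address_pairs=()):
    """Sorted, de-duplicated IPv4 CIDRs the port may claim as ARP sender."""
    nets = {ipaddress.ip_network(a, strict=False)
            for a in list(fixed_ips) + list(allowed_address_pairs)}
    # ARP carries IPv4 only, so IPv6 addresses get no ARP allow rule.
    return sorted((n for n in nets if n.version == 4),
                  key=lambda n: (int(n.network_address), n.prefixlen))


def build_rules(vif, fixed_ips, allowed_address_pairs=()):
    """Return ebtables argv lists: port chain, allow rules, then the jump."""
    chain = CHAIN_PREFIX + vif
    rules = [["ebtables", "-N", chain, "-P", "DROP"]]  # default DROP policy
    for net in allowed_sources(fixed_ips, allowed_address_pairs):
        rules.append(["ebtables", "-A", chain, "-p", "ARP",
                      "--arp-ip-src", str(net), "-j", "ACCEPT"])
    # Added last so ARP is diverted only once the allow rules are in place.
    # Jumping from FORWARD on the port's interface is an assumption here.
    rules.append(["ebtables", "-A", "FORWARD", "-i", vif,
                  "-p", "ARP", "-j", chain])
    return rules


def arp_verdict(sender_ip, fixed_ips, allowed_address_pairs=()):
    """Model the port chain: ACCEPT only if the sender IP is in an allowed CIDR."""
    ip = ipaddress.ip_address(sender_ip)
    nets = allowed_sources(fixed_ips, allowed_address_pairs)
    if any(ip in net for net in nets):
        return "ACCEPT"
    return "DROP"  # no allow rule matched, so the chain policy applies


if __name__ == "__main__":
    # Constructed sample port: one fixed IP and one allowed address pair.
    fixed, pairs = ["10.0.0.5"], ["10.0.0.128/25"]
    for argv in build_rules("tap1234", fixed, pairs):
        print(" ".join(argv))
    for src in ("10.0.0.5", "10.0.0.200", "10.0.0.1"):
        print(src, arp_verdict(src, fixed, pairs))
```
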