commit bf28c724ddbe8f7e67f91513da5f302d5372314d
Author: Kevin Benton <email address hidden>
Date: Mon Jun 29 21:05:08 2015 -0700
Add ARP spoofing protection for LinuxBridge agent
This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.
The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.
The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.
Since this is a back-port to Kilo, it is disabled by default just
like the protection added for OVS.
This patch additionally pulls back the required ebtables filter and
the functional test helpers to support the tests.
Reviewed: https://review.openstack.org/209705
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=bf28c724ddbe8f7e67f91513da5f302d5372314d
Submitter: Jenkins
Branch: stable/kilo
Conflicts:
neutron/plugins/linuxbridge/agent/linuxbridge_neutron_agent.py
neutron/plugins/linuxbridge/common/config.py
neutron/tests/common/machine_fixtures.py
Closes-Bug: #1274034
Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7
(cherry picked from commit 04197bc4bbf2bc611371060db839028c2686f87a)
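
The per-port chain scheme the commit message describes, sketched as an added example (this is not code from the patch or from Neutron). The chain prefix `exampleARP-`, the function names and the sample addresses are assumptions made for illustration, and `arp_verdict` only models the rule list in Python; it does not run ebtables.

```python
import ipaddress

CHAIN_PREFIX = "exampleARP-"  # hypothetical prefix, not taken from the patch


def arp_chain_rules(vif, fixed_ips, allowed_address_pairs=()):
    """Build ebtables argument lists for one port's ARP chain."""
    chain = CHAIN_PREFIX + vif
    sources = []
    # Validate every permitted source first; a malformed CIDR raises
    # ValueError before any rule is produced.
    for addr in list(fixed_ips) + list(allowed_address_pairs):
        net = ipaddress.ip_network(addr, strict=False)
        if net.version == 4 and net not in sources:  # ARP is IPv4 only
            sources.append(net)
    # Per-port chain whose policy drops anything not explicitly allowed.
    rules = [["ebtables", "-t", "filter", "-N", chain, "-P", "DROP"]]
    for net in sources:
        rules.append(["ebtables", "-t", "filter", "-A", chain, "-p", "ARP",
                      "--arp-ip-src", str(net), "-j", "ACCEPT"])
    # The jump is appended last so legitimate ARP is not dropped while the
    # allow rules are still being installed.
    rules.append(["ebtables", "-t", "filter", "-A", "FORWARD", "-i", vif,
                  "-p", "ARP", "-j", chain])
    return rules


def arp_verdict(rules, vif, arp_sender_ip):
    """Model the verdict for an ARP frame entering the bridge on `vif`."""
    chain = CHAIN_PREFIX + vif
    jumped = any(r[3:5] == ["-A", "FORWARD"] and r[5:7] == ["-i", vif]
                 and r[-1] == chain for r in rules)
    if not jumped:
        # Assumption: FORWARD keeps an ACCEPT policy, so a port without a
        # jump rule is unprotected.
        return "ACCEPT"
    sender = ipaddress.ip_address(arp_sender_ip)
    for r in rules:
        if r[3:5] == ["-A", chain] and "--arp-ip-src" in r:
            allowed = ipaddress.ip_network(r[r.index("--arp-ip-src") + 1])
            if sender in allowed:
                return "ACCEPT"
    return "DROP"  # chain policy


if __name__ == "__main__":
    # Constructed sample port: one fixed IP plus one allowed address pair.
    demo = arp_chain_rules("tap1234", ["10.0.0.5"], ["192.168.50.0/24"])
    for rule in demo:
        print(" ".join(rule))
    print(arp_verdict(demo, "tap1234", "10.0.0.1"))
```
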