Preventing ARP spoofing via ebtables

This blueprint describes a solution for bug 1274034 (https://bugs.launchpad.net/neutron/+bug/1274034).

We propose the addition of an 'ebtables manager', which drives the ebtables utility to add/remove filters on the Ethernet frame level. Whenever a new port for a VM is created, we use ebtables to also create frame-level filters, which prevent any gratuitous ARP broadcasts or ARP replies from that port, unless the actual assigned MAC address of that VMs interface is used as source.

An original attempt was made by Édouard Thuleau, who submitted the now abandoned patch: https://review.openstack.org/#/c/70067/

We propose to implement the ebtables-manager exactly the way Édouard did. However, his patch also changes a lot of code inside of the iptables firewall code, since it replaced several iptables filtering rules with new ebtables rules. This approach was rejected by the community, since the iptables code was seen in need of a re-write and shouldn't be changed at this point.

Therefore, we propose that ebtables are only going to be used for the ARP spoof filter and nothing else at this point. Then, only very small hooks need to be inserted in the iptables code, which merely call upon the ebtables code when ports are created or destroyed. The iptabled functionality would not be changed at all. The overall impact on the existing iptables code is just a few lines.