review.fuel-infra Code Review - openstack-build/neutron-build.git/commit
Add ARP spoofing protection for LinuxBridge agent
author Kevin Benton <blak111@gmail.com>
Tue, 30 Jun 2015 04:05:08 +0000 (21:05 -0700)
committer Kevin Benton <blak111@gmail.com>
Tue, 7 Jul 2015 06:04:06 +0000 (23:04 -0700)
commit 04197bc4bbf2bc611371060db839028c2686f87a
tree 29cfae558f1b70fd30a93a62e4a201a18d9dd81f
parent 9ba8b79a7c48ff783021e2bd24b0b71e1dff37b5
Add ARP spoofing protection for LinuxBridge agent

This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.

The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.

The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.

Closes-Bug: #1274034
Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7
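As an added illustration of the per-port ebtables scheme the commit message describes (not code from the patch itself), the following builds the command list for one port and simulates the chain's accept/drop decision. The chain-name prefix, the FORWARD-chain jump and the tap device name are assumptions made for this example, not the names the patch uses.

```python
import ipaddress

# Assumed chain-name prefix for this illustration (not the patch's own).
CHAIN_PREFIX = "neutronARP-"


def chain_name(port_id):
    """ebtables limits chain names to 31 characters; use a port-id prefix."""
    return CHAIN_PREFIX + port_id[:10]


def ipv4_sources(addresses):
    """Keep only IPv4 addresses/CIDRs: ARP carries IPv4 addresses only."""
    nets = []
    for addr in addresses:
        net = ipaddress.ip_network(addr, strict=False)
        if net.version == 4:
            nets.append(net)
    return nets


def arp_protect_rules(port_id, device, fixed_ips, allowed_address_pairs=()):
    """Return the ebtables commands that install a port's ARP filter.

    The per-port chain defaults to DROP; one ACCEPT rule is added per
    permitted source (fixed IPs and allowed address pairs); finally all
    ARP frames entering from the port's device are jumped into the chain.
    """
    chain = chain_name(port_id)
    cmds = [["ebtables", "-N", chain], ["ebtables", "-P", chain, "DROP"]]
    for net in ipv4_sources(list(fixed_ips) + list(allowed_address_pairs)):
        cmds.append(["ebtables", "-A", chain, "-p", "ARP",
                     "--arp-ip-src", str(net), "-j", "ACCEPT"])
    # Assumed jump point: filter table FORWARD chain, matched on input device.
    cmds.append(["ebtables", "-A", "FORWARD", "-p", "ARP",
                 "-i", device, "-j", chain])
    return cmds


def arp_source_allowed(fixed_ips, allowed_address_pairs, arp_src_ip):
    """Simulate the chain: would an ARP frame with this source IP pass?"""
    src = ipaddress.ip_address(arp_src_ip)
    return any(src in net for net in
               ipv4_sources(list(fixed_ips) + list(allowed_address_pairs)))
```

A spoofed ARP reply claiming a neighbour's address therefore never matches an ACCEPT rule and falls through to the chain's DROP policy.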
neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py [new file with mode: 0644]
neutron/plugins/ml2/drivers/linuxbridge/agent/common/config.py
neutron/plugins/ml2/drivers/linuxbridge/agent/linuxbridge_neutron_agent.py
neutron/plugins/ml2/drivers/openvswitch/agent/common/config.py
neutron/tests/common/machine_fixtures.py
neutron/tests/functional/agent/linux/test_linuxbridge_arp_protect.py [new file with mode: 0644]
neutron/tests/unit/plugins/ml2/drivers/linuxbridge/agent/test_linuxbridge_neutron_agent.py