review.fuel-infra Code Review - openstack-build/neutron-build.git/commit
ARP spoofing patch: Low level ebtables integration
author Édouard Thuleau <edouard.thuleau@cloudwatt.com>
Tue, 10 Feb 2015 00:43:34 +0000 (13:43 +1300)
committer Juergen Brendel <jbrendel@cisco.com>
Tue, 21 Apr 2015 21:32:02 +0000 (09:32 +1200)
commit 2414834ffeb8ba7ce2401236d01c88702fec5a14
tree 3037718a4bfa64a48fa170b80be2bd90715dee23
parent 76d873a452e340944e2e3242e8bb1722e3c036e8
ARP spoofing patch: Low level ebtables integration

ARP cache poisoning is not actually prevented by the firewall
driver 'iptables_firewall'. We are adding the use of the ebtables
command - with a corresponding ebtables-driver - in order to create
Ethernet frame filtering rules, which prevent the sending of ARP
cache poisoning frames.

The complete patch is broken into a set of smaller patches for easier review.

This patch here is the first of the series and includes the low-level ebtables
integration, unit and functional tests.

Note:
    This commit is based greatly on an original, now abandoned patch,
    presented for review here:

        https://review.openstack.org/#/c/70067/

    Full spec can be found here:

        https://review.openstack.org/#/c/129090/

SecurityImpact

Change-Id: I9ef57a86b1a1c1fa4ba1a034c920f23cb40072c0
Implements: blueprint arp-spoof-patch-ebtables
Related-Bug: 1274034
Co-Authored-By: jbrendel <jbrendel@cisco.com>
etc/neutron/rootwrap.d/ebtables.filters [new file with mode: 0644]
neutron/agent/linux/ebtables_driver.py [new file with mode: 0644]
neutron/cmd/sanity/checks.py
neutron/cmd/sanity_check.py
neutron/tests/functional/agent/linux/test_ebtables_driver.py [new file with mode: 0644]
neutron/tests/unit/agent/linux/test_ebtables_driver.py [new file with mode: 0644]
setup.cfg