review.fuel-infra Code Review - openstack-build/neutron-build.git/commit
ARP spoofing patch: Data structures for rules.
author Juergen Brendel <jbrendel@cisco.com>
Thu, 26 Feb 2015 00:51:04 +0000 (13:51 +1300)
committer Juergen Brendel <jbrendel@cisco.com>
Thu, 7 May 2015 20:23:35 +0000 (08:23 +1200)
commit f77c17ef9993ea8c545dc044ad2ac013a28dbc22
tree bd1ec6f8dcbc20271525d6131e91d7279e0a026d
parent f6f9bff2db86185fefab644f9c306ae8d266af75

ARP cache poisoning is not actually prevented by the firewall
driver 'iptables_firewall'. We are adding the use of the ebtables
command - with a corresponding ebtables-driver - in order to create
Ethernet frame filtering rules, which prevent the sending of ARP
cache poisoning frames.

The complete patch is broken into smaller patch sets for easier review.

This patch set here includes some classes for the maintenance of ebtable
chains and rules.

Note:
    This commit is based greatly on an original, now abandoned patch,
    presented for review here:

        https://review.openstack.org/#/c/70067/

Full spec can be found here: https://review.openstack.org/#/c/129090/

SecurityImpact

Change-Id: I3c66e92cbe8883dcad843ad243388def3a96dbe5
Implements: blueprint arp-spoof-patch-ebtables
Related-Bug: 1274034
Co-Authored-By: jbrendel <jbrendel@cisco.com>
neutron/agent/linux/ebtables_manager.py [new file with mode: 0644]
neutron/tests/unit/agent/linux/test_ebtables_manager.py [new file with mode: 0644]