Enable ARP spoofing prevention by default
authorKevin Benton <blak111@gmail.com>
Sun, 12 Apr 2015 21:14:38 +0000 (14:14 -0700)
committerKevin Benton <blak111@gmail.com>
Mon, 30 Mar 2015 19:27:03 +0000 (12:27 -0700)
Turn on the ARP spoofing prevention added in
I7c079b779245a0af6bc793564fa8a560e4226afe by
default. It was disabled by default since it
was going into Kilo at the last minute and we
didn't want to risk shipping with a default
that might have broken an edge case that we
didn't consider.

This patch enables it by default since there
shouldn't be any need to have it disabled.

Change-Id: Id17939914ebf8292dce76ccb7d0f6486c91f49e5

etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
neutron/plugins/openvswitch/common/config.py
neutron/tests/unit/plugins/openvswitch/agent/test_ovs_neutron_agent.py

index 91cc86ceea1ece5892effb8c5a384cf8cd588c46..412a7d26c10feeea47c85cdaeb00e36a985031e6 100644 (file)
 # (e.g. bare metal or VMs attached to agents without this flag set to True).
 # Requires a version of OVS that can match ARP headers.
 #
-# prevent_arp_spoofing = False
+# prevent_arp_spoofing = True
 
 # (BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet
 # carrying GRE/VXLAN tunnel. The default value is True.
index a26178f5093cb0d0aca459b13c24700609ae72e3..887a6c5cb861aa33c2072bf6eb8a7f7b07912ead 100644 (file)
@@ -74,7 +74,7 @@ agent_opts = [
                        "Allows the switch (when supporting an overlay) "
                        "to respond to an ARP request locally without "
                        "performing a costly ARP broadcast into the overlay.")),
-    cfg.BoolOpt('prevent_arp_spoofing', default=False,
+    cfg.BoolOpt('prevent_arp_spoofing', default=True,
                 help=_("Enable suppression of ARP responses that don't match "
                        "an IP address that belongs to the port from which "
                        "they originate. Note: This prevents the VMs attached "
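Review bot: The help string shown for `prevent_arp_spoofing` does not state the constraint the sample ini carries ("Requires a version of OVS that can match ARP headers"), and with `default=True` every agent that never set the option depends on that constraint after upgrade. If the rest of the help text, which continues outside this hunk, does not already say so, append `"Requires a version of OVS that can match ARP headers."` so the requirement appears in generated configuration docs. What the agent does when the installed OVS lacks that capability is not visible here; confirm that it logs an error rather than silently leaving ports without the ARP rules. The `agent_opts` list starts and ends outside the hunk.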
index 060fc4a631483f0f16831351bf0170f3a46e0312..ee14e967a1435e0fc7003ee55d8122622b6cc884 100644 (file)
@@ -106,6 +106,7 @@ class TestOvsNeutronAgent(base.BaseTestCase):
                              'neutron.agent.firewall.NoopFirewallDriver',
                              group='SECURITYGROUP')
         cfg.CONF.set_default('quitting_rpc_timeout', 10, 'AGENT')
+        cfg.CONF.set_default('prevent_arp_spoofing', False, 'AGENT')
         kwargs = ovs_neutron_agent.create_agent_config_map(cfg.CONF)
 
         class MockFixedIntervalLoopingCall(object):
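Review bot: Pinning `prevent_arp_spoofing` to False on the added `set_default` line means every test built on this setup keeps running against the old default, so this class gives no coverage of the behaviour that now ships enabled. A short comment on that line would record the intent, e.g. `# pinned to the old default so the existing expectations are unchanged`. If nothing outside this hunk exercises the agent with the option left at True, add at least one such case so a regression in the protection path is caught. The setup method starts and ends outside the hunk.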