Don't setup ARP protection on LB for network ports
authorKevin Benton <blak111@gmail.com>
Wed, 2 Sep 2015 14:04:55 +0000 (07:04 -0700)
committerKevin Benton <blak111@gmail.com>
Thu, 3 Sep 2015 09:59:54 +0000 (02:59 -0700)
Skip adding ARP spoofing protection on Linux bridge ports
with a device_owner field starting with 'network:'. This is
already the case for the other iptables-based spoofing
protection and is necessary for floating IPs to function
correctly on router gateway ports.

Change-Id: If53733fb3060e5ab44bac5388f42bdc384bcdb93
Closes-Bug: #1483315

neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
neutron/tests/functional/agent/linux/test_linuxbridge_arp_protect.py

index 10fcae52a63a51d3a3d4c204d2c0ca4ad381f2a8..85be5888022ff1dcc91730408778300b506cf2ba 100644 (file)
@@ -32,6 +32,12 @@ def setup_arp_spoofing_protection(vif, port_details):
         LOG.info(_LI("Skipping ARP spoofing rules for port '%s' because "
                      "it has port security disabled"), vif)
         return
+    if port_details['device_owner'].startswith('network:'):
+        # clear any previous entries related to this port
+        delete_arp_spoofing_protection([vif], current_rules)
+        LOG.debug("Skipping ARP spoofing rules for network owned port "
+                  "'%s'.", vif)
+        return
     # collect all of the addresses and cidrs that belong to the port
     addresses = {f['ip_address'] for f in port_details['fixed_ips']}
     if port_details.get('allowed_address_pairs'):
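Review bot: The opt-out at the new `startswith('network:')` check keys entirely on `device_owner`, a value that arrives through the port API, so whether a tenant can escape ARP protection by creating a port with a `network:`-prefixed owner depends on the API policy restricting that prefix to privileged callers, which this change neither checks nor documents. The description notes the iptables path already uses the same condition, so the exposure is not new, but the trust assumption belongs next to the check: `# Trusts device_owner: API policy must restrict the 'network:' prefix to privileged callers, otherwise this is a tenant opt-out from ARP protection.` Separately, the lookup is `port_details['device_owner']` while the neighbouring `allowed_address_pairs` check uses `.get()`; `port_details.get('device_owner', '')` would keep a details dict lacking that key from raising KeyError before any rules are installed (the test fixture had to gain a `device_owner` entry for the same reason). `current_rules` is presumably bound earlier in setup_arp_spoofing_protection, which starts outside this hunk.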
index 8ccd7159dc2a7224aa606745f76b7d02da843118..1180e45af52595c4e3b5175344db293cbe571ebf 100644 (file)
@@ -36,7 +36,8 @@ class LinuxBridgeARPSpoofTestCase(functional_base.BaseSudoTestCase):
             machine_fixtures.PeerMachines(bridge, amount=3)).machines
 
     def _add_arp_protection(self, machine, addresses, extra_port_dict=None):
-        port_dict = {'fixed_ips': [{'ip_address': a} for a in addresses]}
+        port_dict = {'fixed_ips': [{'ip_address': a} for a in addresses],
+                     'device_owner': 'nobody'}
         if extra_port_dict:
             port_dict.update(extra_port_dict)
         name = net_helpers.VethFixture.get_peer_name(machine.port.name)
@@ -88,6 +89,13 @@ class LinuxBridgeARPSpoofTestCase(functional_base.BaseSudoTestCase):
                                  {'port_security_enabled': False})
         arping(self.observer.namespace, self.source.ip)
 
+    def test_arp_protection_network_owner(self):
+        self._add_arp_protection(self.source, ['1.1.1.1'])
+        no_arping(self.observer.namespace, self.source.ip)
+        self._add_arp_protection(self.source, ['1.1.1.1'],
+                                 {'device_owner': 'network:router_gateway'})
+        arping(self.observer.namespace, self.source.ip)
+
     def test_arp_protection_dead_reference_removal(self):
         self._add_arp_protection(self.source, ['1.1.1.1'])
         self._add_arp_protection(self.destination, ['2.2.2.2'])
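Review bot: test_arp_protection_network_owner only covers the transition from an already-protected port to a `network:`-owned one, so the fresh-port path — where `delete_arp_spoofing_protection` runs with no existing entry for the vif, which is exactly what a newly plugged router gateway port hits — is never exercised. A sibling case would pin that: `def test_arp_protection_network_owner_fresh_port(self):` / `self._add_arp_protection(self.source, ['1.1.1.1'], {'device_owner': 'network:router_gateway'})` / `arping(self.observer.namespace, self.source.ip)`. It would also be worth one negative case asserting that an owner merely containing the word, e.g. `'compute:network'`, still gets `no_arping`, since the skip is meant to be a prefix match rather than a substring match.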