OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention
authorYAMAMOTO Takashi <yamamoto@valinux.co.jp>
Tue, 28 Apr 2015 03:37:22 +0000 (12:37 +0900)
committerKevin Benton <blak111@gmail.com>
Fri, 29 May 2015 06:03:40 +0000 (23:03 -0700)
The flow rules to match on ARP headers for spoofing prevention
fail to install when an IPv6 address is used. These should be
skipped since the ARP spoofing prevention doesn't apply to IPv6.

Conflicts:
neutron/tests/common/machine_fixtures.py

Co-authored-by: Kevin Benton <blak111@gmail.com>
Closes-Bug: #1449363
Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde
(cherry picked from commit dbe7ba1868f35af0142f78c70693ed69e6f42ca3)

neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
neutron/tests/contrib/functional-testing.filters
neutron/tests/functional/agent/linux/helpers.py
neutron/tests/functional/agent/test_ovs_flows.py

index 457f1399fb64bd1089888e2deea819b04849231e..1bb8a9c69a73dae141a60f5a6824ea001abefae1 100644 (file)
@@ -729,6 +729,8 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
         # allow ARP replies as long as they match addresses that actually
         # belong to the port.
         for ip in addresses:
+            if netaddr.IPNetwork(ip).version != 4:
+                continue
             bridge.add_flow(
                 table=constants.ARP_SPOOF_TABLE, priority=2,
                 proto='arp', arp_op=constants.ARP_REPLY, arp_spa=ip,
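Review bot: The version check added at the top of the loop silently narrows the allow rules to IPv4, but nothing in the hunk records why, and this loop is the only place the ARP spoof table learns which addresses belong to the port, so a reader may assume the skipped IPv6 entries are protected by some other rule. A comment such as `# ARP only carries IPv4 addresses; IPv6 uses NDP, which this table does not filter` would make the intentional scope explicit. Separately, `netaddr.IPNetwork(ip)` raises `netaddr.AddrFormatError` on an entry it cannot parse, so one malformed value in `addresses` now aborts the loop before any allow flow is installed; if those values can originate from the API (allowed address pairs, presumably) it is worth deciding whether failing closed for the whole port is the intended outcome and documenting it. The enclosing method starts outside the hunk.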
index edfcec07ce44d82baeaca70042da472a559ee5c0..c0c7b18ea766cdbf48467c47529cd5fac9086586 100644 (file)
@@ -6,6 +6,7 @@
 [Filters]
 # enable ping from namespace
 ping_filter: CommandFilter, ping, root
+ping6_filter: CommandFilter, ping6, root
 
 # enable curl from namespace
 curl_filter: CommandFilter, curl, root
index 1e51a9b81c0083195c8686fddcac1fd4793b549c..dd42761062fc8e02fe29b8cf2bcea7ef2462942a 100644 (file)
@@ -21,6 +21,7 @@ import shlex
 import subprocess
 
 import fixtures
+import netaddr
 
 from neutron.agent.common import config
 from neutron.agent.linux import ip_lib
@@ -106,7 +107,9 @@ class Pinger(object):
         self._max_attempts = max_attempts
 
     def _ping_destination(self, dest_address):
-        self.namespace.netns.execute(['ping', '-c', self._max_attempts,
+        ipversion = netaddr.IPAddress(dest_address).version
+        ping_command = 'ping' if ipversion == 4 else 'ping6'
+        self.namespace.netns.execute([ping_command, '-c', self._max_attempts,
                                       '-W', self._timeout, dest_address])
 
     def assert_ping(self, dst_ip):
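Review bot: `netaddr.IPAddress(dest_address)` on the first new line of `_ping_destination` accepts only a bare address literal, so a caller that previously passed a hostname or an address with a prefix length now gets `netaddr.AddrFormatError` before any command runs, whereas the old code handed the string straight to `ping`. If that narrowing is intended, a docstring stating it, e.g. `"""Ping dest_address from the namespace; dest_address must be a bare IPv4 or IPv6 literal (ping6 is used for IPv6)."""`, would make the contract visible; otherwise catch `netaddr.AddrFormatError` and fall back to `'ping'`. The `ping6` invocation also depends on the matching rootwrap filter, which this commit adds in the functional-testing filters file. The `Pinger` class starts outside the hunk.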
index 9fe1ffc47ff48424995139255e0f17b024d56e18..e5de61061af506fe75bd9f4adf4db347c3591ec7 100644 (file)
@@ -50,6 +50,17 @@ class ARPSpoofTestCase(test_ovs_lib.OVSBridgeTestBase,
         pinger = helpers.Pinger(self.src_ns)
         pinger.assert_ping(self.dst_addr)
 
+    def test_arp_spoof_doesnt_block_ipv6(self):
+        self.src_addr = '2000::1'
+        self.dst_addr = '2000::2'
+        self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
+        self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
+        self.src_p.addr.add('%s/64' % self.src_addr)
+        self.dst_p.addr.add('%s/64' % self.dst_addr)
+        # IPv6 addresses seem to take longer to initialize
+        pinger = helpers.Pinger(self.src_ns, max_attempts=4)
+        pinger.assert_ping(self.dst_addr)
+
     def test_arp_spoof_blocks_response(self):
         # this will prevent the destination from responding to the ARP
         # request for it's own address
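Review bot: The `max_attempts=4` override in `test_arp_spoof_doesnt_block_ipv6` is justified only by "seem to take longer to initialize", which leaves the next reader unsure whether the larger count is hiding a real failure; the delay is plausibly Duplicate Address Detection keeping the freshly added `/64` addresses tentative, but the hunk does not confirm that. Replacing the comment with the hypothesis, e.g. `# IPv6 addresses stay tentative until DAD completes, so allow extra attempts`, or waiting for the address to leave the tentative state before pinging, would make the test deterministic rather than timing-dependent. The test also only shows that IPv6 traffic is not blocked; it does not assert that no ARP flow was installed for the IPv6 addresses, which is the actual agent change this commit makes. `ARPSpoofTestCase` starts outside the hunk.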