OVS-agent: Ignore IPv6 addresses for ARP spoofing prevention
authorYAMAMOTO Takashi <yamamoto@valinux.co.jp>
Tue, 28 Apr 2015 03:37:22 +0000 (12:37 +0900)
committerKevin Benton <blak111@gmail.com>
Sat, 2 May 2015 12:21:22 +0000 (05:21 -0700)
The flow rules to match on ARP headers for spoofing prevention
fail to install when an IPv6 address is used. These should be
skipped since the ARP spoofing prevention doesn't apply to IPv6.

Co-authored-by: Kevin Benton <blak111@gmail.com>
Closes-Bug: #1449363
Change-Id: I4bb3135e62378c5c96d1ac0b646336ac9a637bde

neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
neutron/tests/common/machine_fixtures.py
neutron/tests/contrib/functional-testing.filters
neutron/tests/functional/agent/test_ovs_flows.py

index 0be1b9c7e54dfa76fe241952a101418e8bca8835..19faf7c44c99bf996fe454d4f92f815e0fb5994c 100644 (file)
@@ -729,6 +729,8 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
         # allow ARP replies as long as they match addresses that actually
         # belong to the port.
         for ip in addresses:
+            if netaddr.IPNetwork(ip).version != 4:
+                continue
             bridge.add_flow(
                 table=constants.ARP_SPOOF_TABLE, priority=2,
                 proto='arp', arp_op=constants.ARP_REPLY, arp_spa=ip,
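Review bot: The `continue` added at lines 25–26 carries no explanation, and the comment just above it still reads as if every entry in `addresses` gets a reply-allow flow; a reader will wonder why IPv6 entries are dropped rather than rejected. Suggest a why-comment on the check, e.g. `# ARP only carries IPv4 addresses; IPv6 neighbour discovery is not covered by this table`, so the narrowed scope of ARP_SPOOF_TABLE is explicit. Note also that `netaddr.IPNetwork(ip)` raises `netaddr.AddrFormatError` on an unparsable entry, which would abort the loop before any remaining flow is installed — presumably `addresses` is validated upstream, but worth confirming. The enclosing method starts before this hunk.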
index 7cc626c887ff5c250f2a93bc6ebf8018b6601059..bc097d31fd8ec5ea41190b8db88ec87b51531a32 100644 (file)
@@ -14,6 +14,7 @@
 #
 
 import fixtures
+import netaddr
 
 from neutron.agent.linux import ip_lib
 from neutron.tests.common import net_helpers
@@ -28,7 +29,9 @@ class Pinger(object):
 
     def _ping_destination(self, dest_address):
         ns_ip_wrapper = ip_lib.IPWrapper(self.namespace)
-        ns_ip_wrapper.netns.execute(['ping', '-c', self._max_attempts,
+        ipversion = netaddr.IPAddress(dest_address).version
+        ping_command = 'ping' if ipversion == 4 else 'ping6'
+        ns_ip_wrapper.netns.execute([ping_command, '-c', self._max_attempts,
                                      '-W', self._timeout, dest_address])
 
     def assert_ping(self, dst_ip):
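Review bot: `_ping_destination` now requires `dest_address` to be a bare IP literal, because `netaddr.IPAddress(dest_address)` at line 44 raises `netaddr.AddrFormatError` for a hostname or a prefix-bearing string, whereas before the value was passed straight to `ping`; that is a behaviour change callers of `assert_ping` should see documented. Suggest a docstring on the method such as `"""Ping dest_address (an IPv4 or IPv6 literal) from the fixture namespace."""`. Selecting the separate `ping6` binary also assumes the host's iputils still ships it; where only `ping -6` exists this path, and the `ping6_filter` added in the filters file, would need adjusting — an assumption to confirm rather than a defect.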
index edfcec07ce44d82baeaca70042da472a559ee5c0..c0c7b18ea766cdbf48467c47529cd5fac9086586 100644 (file)
@@ -6,6 +6,7 @@
 [Filters]
 # enable ping from namespace
 ping_filter: CommandFilter, ping, root
+ping6_filter: CommandFilter, ping6, root
 
 # enable curl from namespace
 curl_filter: CommandFilter, curl, root
index 504f661edfbdcdf739d72bf7e28531eb76617e74..e1ccbeca6ad71b868c072529322567d8e8a7535e 100644 (file)
@@ -53,6 +53,17 @@ class ARPSpoofTestCase(test_ovs_lib.OVSBridgeTestBase,
         self.dst_p.addr.add('%s/24' % self.dst_addr)
         self.pinger.assert_ping(self.dst_addr)
 
+    def test_arp_spoof_doesnt_block_ipv6(self):
+        self.src_addr = '2000::1'
+        self.dst_addr = '2000::2'
+        self._setup_arp_spoof_for_port(self.src_p.name, [self.src_addr])
+        self._setup_arp_spoof_for_port(self.dst_p.name, [self.dst_addr])
+        self.src_p.addr.add('%s/64' % self.src_addr)
+        self.dst_p.addr.add('%s/64' % self.dst_addr)
+        # IPv6 addresses seem to take longer to initialize
+        self.pinger._max_attempts = 4
+        self.pinger.assert_ping(self.dst_addr)
+
     def test_arp_spoof_blocks_response(self):
         # this will prevent the destination from responding to the ARP
         # request for it's own address
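Review bot: `self.pinger._max_attempts = 4` at line 72 pokes a private attribute of the Pinger fixture from the test, and the comment above it ("seem to take longer to initialize") hedges rather than explains. The delay is presumably the address staying tentative until duplicate address detection completes on the newly added `/64`; suggest rewriting the comment to say so, e.g. `# the IPv6 address stays tentative until DAD completes, so allow extra attempts`, and exposing the attempt count as a constructor argument on Pinger instead of assigning the underscore field. If the pinger fixture is shared between tests this assignment could also leak into them — check how it is created in setUp, which lies outside this hunk. The enclosing test class starts before the hunk.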