From: Kevin Benton
Date: Sun, 12 Apr 2015 21:14:38 +0000 (-0700)
Subject: Enable ARP spoofing prevention by default
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=012840e2f5397454601c0eb332178da41ff707c8;p=openstack-build%2Fneutron-build.git
Enable ARP spoofing prevention by default
Turn on the ARP spoofing prevention added in I7c079b779245a0af6bc793564fa8a560e4226afe by default. It was disabled by default since it was going into Kilo at the last minute and we didn't want to risk shipping with a default that might have broken an edge case that we didn't consider. This patch enables it by default since there shouldn't be any need to have it disabled.
Change-Id: Id17939914ebf8292dce76ccb7d0f6486c91f49e5
---
diff --git a/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini b/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
index 91cc86cee..412a7d26c 100644
--- a/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
+++ b/etc/neutron/plugins/openvswitch/ovs_neutron_plugin.ini
@@ -106,7 +106,7 @@
 # (e.g. bare metal or VMs attached to agents without this flag set to True).
 # Requires a version of OVS that can match ARP headers.
 #
-# prevent_arp_spoofing = False
+# prevent_arp_spoofing = True

 # (BoolOpt) Set or un-set the don't fragment (DF) bit on outgoing IP packet
 # carrying GRE/VXLAN tunnel. The default value is True.
diff --git a/neutron/plugins/openvswitch/common/config.py b/neutron/plugins/openvswitch/common/config.py
index a26178f50..887a6c5cb 100644
--- a/neutron/plugins/openvswitch/common/config.py
+++ b/neutron/plugins/openvswitch/common/config.py
@@ -74,7 +74,7 @@ agent_opts = [
 "Allows the switch (when supporting an overlay) "
 "to respond to an ARP request locally without "
 "performing a costly ARP broadcast into the overlay.")),
- cfg.BoolOpt('prevent_arp_spoofing', default=False,
+ cfg.BoolOpt('prevent_arp_spoofing', default=True,
 help=_("Enable suppression of ARP responses that don't match "
 "an IP address that belongs to the port from which "
 "they originate. Note: This prevents the VMs attached "
diff --git a/neutron/tests/unit/plugins/openvswitch/agent/test_ovs_neutron_agent.py b/neutron/tests/unit/plugins/openvswitch/agent/test_ovs_neutron_agent.py
index 060fc4a63..ee14e967a 100644
--- a/neutron/tests/unit/plugins/openvswitch/agent/test_ovs_neutron_agent.py
+++ b/neutron/tests/unit/plugins/openvswitch/agent/test_ovs_neutron_agent.py
@@ -106,6 +106,7 @@ class TestOvsNeutronAgent(base.BaseTestCase):
 'neutron.agent.firewall.NoopFirewallDriver',
 group='SECURITYGROUP')
 cfg.CONF.set_default('quitting_rpc_timeout', 10, 'AGENT')
+ cfg.CONF.set_default('prevent_arp_spoofing', False, 'AGENT')
 kwargs = ovs_neutron_agent.create_agent_config_map(cfg.CONF)

 class MockFixedIntervalLoopingCall(object):
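Review bot: The flipped `default=True` on `prevent_arp_spoofing` in `agent_opts` changes behaviour on upgrade for every agent that never set the option, yet the help text visible here still reads as an opt-in description and does not mention the precondition. The sample ini in this same commit states that the feature "Requires a version of OVS that can match ARP headers"; what the agent does when that is not the case is not visible in this change, so it is worth confirming (or adding) a startup check that logs an error instead of leaving ports silently unprotected. At minimum I would append to the help string something like `"Enabled by default; set to False only if the local OVS cannot match ARP headers."`. The `cfg.BoolOpt(...)` entry starts inside the hunk but its help string continues past the last line shown.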
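Review bot: The added `cfg.CONF.set_default('prevent_arp_spoofing', False, 'AGENT')` pins the option off for every test that uses this fixture, so the code path that is now the shipped default is not exercised by `TestOvsNeutronAgent` as far as this hunk shows. The line also carries no explanation; a comment such as `# prevent_arp_spoofing now defaults to True; pinned off so existing flow expectations stay unchanged` would show it is deliberate (the stated reason is my assumption, replace it with the real one). I would also add at least one test in this class that sets the option to True and asserts that the ARP-protection setup is invoked for a port. The enclosing setup method begins before the hunk and continues after it.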