From: Kevin Benton
Date: Wed, 2 Sep 2015 13:50:36 +0000 (-0700)
Subject: Don't setup ARP protection on OVS for network ports
X-Git-Url: https://review.fuel-infra.org/gitweb?a=commitdiff_plain;h=da1ac497d2d10d008925311e3f14e9750f7b86b2;p=openstack-build%2Fneutron-build.git

Don't setup ARP protection on OVS for network ports

Skip adding ARP spoofing protection on OVS ports with a device_owner field starting with 'network:'. This is already the case for the other iptables-based spoofing protection and is necessary for floating IPs to function correctly on router gateway ports.

Closes-Bug: #1487338
Change-Id: I32cef17ff47fd62e6db16b9083104f07239be25f
---
diff --git a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
index f88a01301..269bd333c 100644
--- a/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
+++ b/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py
@@ -858,6 +858,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
 LOG.info(_LI("Skipping ARP spoofing rules for port '%s' because "
 "it has port security disabled"), vif.port_name)
 return
+if port_details['device_owner'].startswith('network:'):
+LOG.debug("Skipping ARP spoofing rules for network owned port "
+"'%s'.", vif.port_name)
+return
 # collect all of the addresses and cidrs that belong to the port
 addresses = {f['ip_address'] for f in port_details['fixed_ips']}
 if port_details.get('allowed_address_pairs'):
diff --git a/neutron/tests/functional/agent/test_ovs_flows.py b/neutron/tests/functional/agent/test_ovs_flows.py
index e2eca7649..e0ddbb710 100644
--- a/neutron/tests/functional/agent/test_ovs_flows.py
+++ b/neutron/tests/functional/agent/test_ovs_flows.py
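Review bot: `port_details['device_owner']` indexes the key directly while the port-security check one line above uses `.get('port_security_enabled', True)`, so a details dict without `device_owner` now raises KeyError instead of falling through to the protection path; the unit-test hunks further down had to add `'device_owner': 'nobody'` to every fixture for this reason. Since this branch switches a spoofing control off, a missing or malformed value should default to keeping protection on: `if port_details.get('device_owner', '').startswith('network:'):`. The commit message says the iptables path already makes the same exemption; having both paths call one shared predicate for the `network:` prefix would keep the two controls from drifting, and a short comment here could record that the exemption presumably relies on API policy restricting who may create ports with a `network:` device_owner. setup_arp_spoofing_protection begins before this hunk, so the removal of stale rules that the new unit test asserts is not visible here.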
@@ -201,12 +201,24 @@ class _ARPSpoofTestCase(object):
 self.dst_p.addr.add('%s/24' % self.dst_addr)
 net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
 
-def _setup_arp_spoof_for_port(self, port, addrs, psec=True):
+def test_arp_spoof_disable_network_port(self):
+# block first and then disable port security to make sure old rules
+# are cleared
+self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'])
+self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'],
+device_owner='network:router_gateway')
+self.src_p.addr.add('%s/24' % self.src_addr)
+self.dst_p.addr.add('%s/24' % self.dst_addr)
+net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
+
+def _setup_arp_spoof_for_port(self, port, addrs, psec=True,
+device_owner='nobody'):
 vif = next(
 vif for vif in self.br.get_vif_ports() if vif.port_name == port)
 ip_addr = addrs.pop()
 details = {'port_security_enabled': psec,
 'fixed_ips': [{'ip_address': ip_addr}],
+'device_owner': device_owner,
 'allowed_address_pairs': [
 dict(ip_address=ip) for ip in addrs]}
 ovsagt.OVSNeutronAgent.setup_arp_spoofing_protection(
diff --git a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py
index 3eb2c6158..5d96bb36d 100644
--- a/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py
+++ b/neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py
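Review bot: The comment in `test_arp_spoof_disable_network_port`, `# block first and then disable port security to make sure old rules are cleared`, was carried over from the port-security test and does not describe this case: the second `_setup_arp_spoof_for_port` call keeps `psec` at its default and changes only `device_owner`. Suggest `# block first and then re-apply as a network-owned port to make sure old rules are cleared`. The `'nobody'` default for `device_owner` is also repeated as a literal in the unit-test fixtures; a named constant for the non-network owner would make the two test suites easier to keep in step with the production prefix check. The helper's body continues past the end of the hunk.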
@@ -1360,6 +1360,13 @@ class TestOvsNeutronAgent(object):
 self.agent._handle_sigterm(None, None)
 self.assertFalse(mock_set_rpc.called)
 
+def test_arp_spoofing_network_port(self):
+int_br = mock.create_autospec(self.agent.int_br)
+self.agent.setup_arp_spoofing_protection(
+int_br, FakeVif(), {'device_owner': 'network:router_interface'})
+self.assertTrue(int_br.delete_arp_spoofing_protection.called)
+self.assertFalse(int_br.install_arp_spoofing_protection.called)
+
 def test_arp_spoofing_port_security_disabled(self):
 int_br = mock.create_autospec(self.agent.int_br)
 self.agent.setup_arp_spoofing_protection(
@@ -1369,7 +1376,7 @@ class TestOvsNeutronAgent(object):
 
 def test_arp_spoofing_basic_rule_setup(self):
 vif = FakeVif()
-fake_details = {'fixed_ips': []}
+fake_details = {'fixed_ips': [], 'device_owner': 'nobody'}
 self.agent.prevent_arp_spoofing = True
 int_br = mock.create_autospec(self.agent.int_br)
 self.agent.setup_arp_spoofing_protection(int_br, vif, fake_details)
@@ -1383,6 +1390,7 @@ class TestOvsNeutronAgent(object):
 def test_arp_spoofing_fixed_and_allowed_addresses(self):
 vif = FakeVif()
 fake_details = {
+'device_owner': 'nobody',
 'fixed_ips': [{'ip_address': '192.168.44.100'},
 {'ip_address': '192.168.44.101'}],
 'allowed_address_pairs': [{'ip_address': '192.168.44.102/32'},
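Review bot: `test_arp_spoofing_network_port` pins the exemption to the literal `'network:router_interface'`, and this hunk together with the two that follow repeats `'nobody'` as the non-network owner in three fixtures; defining the two values once near `FakeVif` (or reusing whatever constants the agent itself compares against, if it has any) keeps the tests aligned with the prefix the production check uses. The new test asserts `delete_arp_spoofing_protection.called` although the production hunk only shows an early `return`, so the delete must happen earlier in the method; a comment such as `# stale rules from a previous owner must still be removed` would record why that assertion belongs here. The details dict in the new test deliberately omits `fixed_ips`, which appears to be what would make a broken early return fail loudly on the later `port_details['fixed_ips']` lookup — worth a one-line comment as well.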