From 747738d36572079307f228a861a067ca0cd815c2 Mon Sep 17 00:00:00 2001
From: Kevin Benton
Date: Wed, 3 Jun 2015 15:20:27 -0700
Subject: [PATCH] Skip ARP protection if 0.0.0.0/0 in addr pairs

Don't setup ARP protection on ports with allowed address pairs that allow them to use any IP address. This is necessary because OVS doesn't support the /0 prefix in rules that match on ARP headers.

Related-Bug: #1461054
Closes-Bug: #1468009
Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
---
 neutron/plugins/openvswitch/agent/ovs_neutron_agent.py | 4 ++++
 neutron/tests/functional/agent/test_ovs_flows.py | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py b/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
index 968fec88a..791f36882 100644
--- a/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
+++ b/neutron/plugins/openvswitch/agent/ovs_neutron_agent.py
@@ -785,6 +785,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
         addresses = {ip for ip in addresses if
                      netaddr.IPNetwork(ip).version == 4}
+        if any(netaddr.IPNetwork(ip).prefixlen == 0 for ip in addresses):
+            # don't try to install protection because a /0 prefix allows any
+            # address anyway and the ARP_SPA can only match on /1 or more.
+            return
         bridge.install_arp_spoofing_protection(port=vif.ofport,
                                                ip_addresses=addresses)
diff --git a/neutron/tests/functional/agent/test_ovs_flows.py b/neutron/tests/functional/agent/test_ovs_flows.py
index 0108577bb..fbc76f701 100644
--- a/neutron/tests/functional/agent/test_ovs_flows.py
+++ b/neutron/tests/functional/agent/test_ovs_flows.py
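Review bot: The new early return leaves the port with no ARP spoofing protection at all but does so silently, so nothing in the agent log tells an operator that a /0 allowed address pair disabled the control for this port; the branch should log before returning, e.g. `LOG.info("Skipping ARP spoofing rules for port %s because an allowed address pair covers every address", vif.ofport)` (assuming the module-level `LOG` logger, which is outside the hunk). A smaller point of style: each address is parsed with `netaddr.IPNetwork` twice, once in the version filter just above and again in the new `any(...)`; parsing each address once into a network object and deriving both the version filter and the prefixlen check from it would be cheaper and reads more clearly. The enclosing method's signature and the start of its body are outside the hunk.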
@@ -158,6 +158,13 @@ class _ARPSpoofTestCase(object):
         self.dst_p.addr.add('%s/24' % self.dst_addr)
         net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
 
+    def test_arp_spoof_allowed_address_pairs_0cidr(self):
+        self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
+                                                         '1.2.3.4'])
+        self.src_p.addr.add('%s/24' % self.src_addr)
+        self.dst_p.addr.add('%s/24' % self.dst_addr)
+        net_helpers.assert_ping(self.src_namespace, self.dst_addr)
+
     def test_arp_spoof_disable_port_security(self):
         # block first and then disable port security to make sure old rules
         # are cleared
--
2.45.2
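Review bot: `test_arp_spoof_allowed_address_pairs_0cidr` only proves that the ping to `dst_addr` is not blocked; it does not assert that the agent installed no ARP protection flows for the port, so a regression that installs a partial rule set which happens to admit `dst_addr` would still pass. A one-line docstring would make the intent explicit, e.g. `"""A /0 allowed address pair must disable ARP protection for the port."""`. For consistency with the sibling test directly above, the final assertion could also pass the same ping count: `net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)`.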