Merge "Don't setup ARP protection on OVS for network ports"
commit
0bc5c1ec4e
@ -858,6 +858,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
|
|||
LOG.info(_LI("Skipping ARP spoofing rules for port '%s' because "
|
||||
"it has port security disabled"), vif.port_name)
|
||||
return
|
||||
if port_details['device_owner'].startswith('network:'):
|
||||
LOG.debug("Skipping ARP spoofing rules for network owned port "
|
||||
"'%s'.", vif.port_name)
|
||||
return
|
||||
# collect all of the addresses and cidrs that belong to the port
|
||||
addresses = {f['ip_address'] for f in port_details['fixed_ips']}
|
||||
if port_details.get('allowed_address_pairs'):
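Review bot: `port_details['device_owner']` on the new `if` line is a hard key lookup, so a details dict that lacks the key now raises KeyError and aborts processing of that port instead of falling through to the normal rule installation; the fixtures in the unit-test hunks had to gain a `'device_owner'` entry for exactly this reason. The adjacent `allowed_address_pairs` check already tolerates a missing key with `.get()`, and the same style here would be `if port_details.get('device_owner', '').startswith('network:'):`. Note also that this branch leaves a port without spoofing protection at debug level while the port-security branch just above reports the same outcome at info; if operators are expected to audit which ports run unprotected, matching that level makes the skip visible at default verbosity. The enclosing setup_arp_spoofing_protection starts before this hunk, so where `delete_arp_spoofing_protection` is invoked for these early returns is not visible here.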
|
||||
|
|
|
@ -201,12 +201,24 @@ class _ARPSpoofTestCase(object):
|
|||
self.dst_p.addr.add('%s/24' % self.dst_addr)
|
||||
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
|
||||
|
||||
def _setup_arp_spoof_for_port(self, port, addrs, psec=True):
|
||||
def test_arp_spoof_disable_network_port(self):
|
||||
# block first and then disable port security to make sure old rules
|
||||
# are cleared
|
||||
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'])
|
||||
self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.0.3'],
|
||||
device_owner='network:router_gateway')
|
||||
self.src_p.addr.add('%s/24' % self.src_addr)
|
||||
self.dst_p.addr.add('%s/24' % self.dst_addr)
|
||||
net_helpers.assert_ping(self.src_namespace, self.dst_addr, count=2)
|
||||
|
||||
def _setup_arp_spoof_for_port(self, port, addrs, psec=True,
|
||||
device_owner='nobody'):
|
||||
vif = next(
|
||||
vif for vif in self.br.get_vif_ports() if vif.port_name == port)
|
||||
ip_addr = addrs.pop()
|
||||
details = {'port_security_enabled': psec,
|
||||
'fixed_ips': [{'ip_address': ip_addr}],
|
||||
'device_owner': device_owner,
|
||||
'allowed_address_pairs': [
|
||||
dict(ip_address=ip) for ip in addrs]}
|
||||
ovsagt.OVSNeutronAgent.setup_arp_spoofing_protection(
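Review bot: The comment on the new `test_arp_spoof_disable_network_port` says "block first and then disable port security", but the second `_setup_arp_spoof_for_port` call changes `device_owner` and leaves port security at its default, so the comment appears to have been copied from the port-security test and misdescribes this case. `# block first and then re-run as a network-owned port to make sure old rules are cleared` states what the test actually exercises. The `_setup_arp_spoof_for_port` body continues past the end of the hunk.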
|
||||
|
|
|
@ -1360,6 +1360,13 @@ class TestOvsNeutronAgent(object):
|
|||
self.agent._handle_sigterm(None, None)
|
||||
self.assertFalse(mock_set_rpc.called)
|
||||
|
||||
def test_arp_spoofing_network_port(self):
|
||||
int_br = mock.create_autospec(self.agent.int_br)
|
||||
self.agent.setup_arp_spoofing_protection(
|
||||
int_br, FakeVif(), {'device_owner': 'network:router_interface'})
|
||||
self.assertTrue(int_br.delete_arp_spoofing_protection.called)
|
||||
self.assertFalse(int_br.install_arp_spoofing_protection.called)
|
||||
|
||||
def test_arp_spoofing_port_security_disabled(self):
|
||||
int_br = mock.create_autospec(self.agent.int_br)
|
||||
self.agent.setup_arp_spoofing_protection(
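Review bot: `test_arp_spoofing_network_port` never sets `self.agent.prevent_arp_spoofing`, whereas `test_arp_spoofing_basic_rule_setup` in the next hunk sets it to True before calling the same method; if the fixture leaves it False and the method returns early on that flag, this test could pass without reaching the new owner check. Setting `self.agent.prevent_arp_spoofing = True` at the top of the test keeps it independent of the fixture default. The neighbouring `test_arp_spoofing_port_security_disabled` is cut off at the end of the hunk, so whether it does the same is not visible.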
|
||||
|
@ -1369,7 +1376,7 @@ class TestOvsNeutronAgent(object):
|
|||
|
||||
def test_arp_spoofing_basic_rule_setup(self):
|
||||
vif = FakeVif()
|
||||
fake_details = {'fixed_ips': []}
|
||||
fake_details = {'fixed_ips': [], 'device_owner': 'nobody'}
|
||||
self.agent.prevent_arp_spoofing = True
|
||||
int_br = mock.create_autospec(self.agent.int_br)
|
||||
self.agent.setup_arp_spoofing_protection(int_br, vif, fake_details)
|
||||
|
@ -1383,6 +1390,7 @@ class TestOvsNeutronAgent(object):
|
|||
def test_arp_spoofing_fixed_and_allowed_addresses(self):
|
||||
vif = FakeVif()
|
||||
fake_details = {
|
||||
'device_owner': 'nobody',
|
||||
'fixed_ips': [{'ip_address': '192.168.44.100'},
|
||||
{'ip_address': '192.168.44.101'}],
|
||||
'allowed_address_pairs': [{'ip_address': '192.168.44.102/32'},
|
||||
|
|