Enable ARP spoofing protection for Neutron

ARP Spoofing protection in Neutron should be enabled be default Upstream patch: https://review.openstack.org/#/c/225131 Patch for master branch: https://review.fuel-infra.org/#/c/11865/ Closes-bug: #1496336 Change-Id: If7b25f0618f40040714b6e54c1498dd959c2a610
2015-09-18 16:08:50 +03:00 · 2015-09-18 16:08:50 +03:00 · 92a356fadd
parent 0623b4daad
commit 92a356fadd
5 changed files with 31 additions and 1 deletions
--- a/deployment/puppet/neutron/manifests/agents/ml2/ovs.pp
+++ b/deployment/puppet/neutron/manifests/agents/ml2/ovs.pp
@ -97,6 +97,10 @@
 #   flow tables resetting
 #   Defaults to false
 #
+# [*prevent_arp_spoofing*]
+#   (optional) Enable or not ARP Spoofing Protection
+#   Defaults to false
+#
 class neutron::agents::ml2::ovs (
  $package_ensure             = 'present',
  $enabled                    = true,
@ -115,6 +119,7 @@ class neutron::agents::ml2::ovs (
  $firewall_driver            = 'neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver',
  $enable_distributed_routing = false,
  $drop_flows_on_start        = false,
+  $prevent_arp_spoofing       = false,
 ) {

  include ::neutron::params
@ -176,6 +181,7 @@ class neutron::agents::ml2::ovs (
    'agent/arp_responder':              value => $arp_responder;
    'agent/enable_distributed_routing': value => $enable_distributed_routing;
    'agent/drop_flows_on_start':        value => $drop_flows_on_start;
+    'agent/prevent_arp_spoofing':       value => $prevent_arp_spoofing;
    'ovs/integration_bridge':           value => $integration_bridge;
  }

--- a/deployment/puppet/neutron/spec/classes/neutron_agents_ml2_ovs_spec.rb
+++ b/deployment/puppet/neutron/spec/classes/neutron_agents_ml2_ovs_spec.rb
@ -20,7 +20,8 @@ describe 'neutron::agents::ml2::ovs' do
      :arp_responder              => false,
      :enable_distributed_routing => false,
      :drop_flows_on_start        => false,
-      :firewall_driver            => 'neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver' }
+      :firewall_driver            => 'neutron.agent.linux.iptables_firewall.OVSHybridIptablesFirewallDriver',
+      :prevent_arp_spoofing       => false }
  end

  let :default_facts do
@ -44,6 +45,7 @@ describe 'neutron::agents::ml2::ovs' do
      is_expected.to contain_neutron_agent_ovs('agent/polling_interval').with_value(p[:polling_interval])
      is_expected.to contain_neutron_agent_ovs('agent/l2_population').with_value(p[:l2_population])
      is_expected.to contain_neutron_agent_ovs('agent/arp_responder').with_value(p[:arp_responder])
+      is_expected.to contain_neutron_agent_ovs('agent/prevent_arp_spoofing').with_value(p[:prevent_arp_spoofing])
      is_expected.to contain_neutron_agent_ovs('agent/drop_flows_on_start').with_value(p[:drop_flows_on_start])
      is_expected.to contain_neutron_agent_ovs('ovs/integration_bridge').with_value(p[:integration_bridge])
      is_expected.to contain_neutron_agent_ovs('securitygroup/firewall_driver').\
@ -101,6 +103,15 @@ describe 'neutron::agents::ml2::ovs' do
      end
    end

+    context 'when enabling ARP Spoofing Protection' do
+      before :each do
+        params.merge!(:prevent_arp_spoofing => true)
+      end
+      it 'should enable ARP Spoofing Protection' do
+        is_expected.to contain_neutron_agent_ovs('agent/prevent_arp_spoofing').with_value(true)
+      end
+    end
+
    context 'when enabling DVR' do
      before :each do
        params.merge!(:enable_distributed_routing => true,
--- a/deployment/puppet/openstack/manifests/network/neutron_agents.pp
+++ b/deployment/puppet/openstack/manifests/network/neutron_agents.pp
@ -94,6 +94,7 @@ class openstack::network::neutron_agents (
      tunnel_types               => $tunnel_types,
      enable_distributed_routing => $agent_mode ? { 'legacy' => false, default => true},
      l2_population              => $l2_population,
+      prevent_arp_spoofing       => true,
      manage_service             => true,
      enabled                    => true,
    }
--- a/tests/noop/spec/hosts/openstack-network/openstack-network-compute_spec.rb
+++ b/tests/noop/spec/hosts/openstack-network/openstack-network-compute_spec.rb
@ -53,6 +53,12 @@ describe manifest do
         'drop_flows_on_start' => 'false',
        )
      end
+
+      it 'should declare neutron::agents::ml2::ovs with prevent_arp_spoofing enabled' do
+        should contain_class('neutron::agents::ml2::ovs').with(
+          'prevent_arp_spoofing' => 'true',
+        )
+      end
    else
      it 'should declare openstack::network with neutron_server parameter set to false' do
        should contain_class('openstack::network').with(
--- a/tests/noop/spec/hosts/openstack-network/openstack-network-controller_spec.rb
+++ b/tests/noop/spec/hosts/openstack-network/openstack-network-controller_spec.rb
@ -37,6 +37,12 @@ describe manifest do
        )
      end

+      it 'should declare neutron::agents::ml2::ovs with prevent_arp_spoofing enabled' do
+        should contain_class('neutron::agents::ml2::ovs').with(
+          'prevent_arp_spoofing' => 'true',
+        )
+      end
+
      it 'should declare neutron::agents::dhcp with isolated metadata enabled' do
        should contain_class('neutron::agents::dhcp').with(
         'enable_isolated_metadata' => 'true',