Skip ARP protection if 0.0.0.0/0 in addr pairs

Don't setup ARP protection on ports with allowed address pairs
that allow them to use any IP address. This is necessary because
OVS doesn't support the /0 prefix in rules that match on ARP headers.

Related-Bug: #1461054
Closes-Bug: #1468009
Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
(cherry picked from commit 747738d365)

neutron/plugins/openvswitch/agent/ovs_neutron_agent.py

@@ -738,6 +738,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
         if port_details.get('allowed_address_pairs'):
             addresses += [p['ip_address']
                           for p in port_details['allowed_address_pairs']]
+        if any(netaddr.IPNetwork(ip).prefixlen == 0 for ip in addresses):
+            # don't try to install protection because a /0 prefix allows any
+            # address anyway and the ARP_SPA can only match on /1 or more.
+            return
 
         # allow ARPs as long as they match addresses that actually
         # belong to the port.

neutron/tests/functional/agent/test_ovs_flows.py

@@ -95,6 +95,14 @@ class ARPSpoofTestCase(test_ovs_lib.OVSBridgeTestBase,
         pinger = helpers.Pinger(self.src_ns)
         pinger.assert_ping(self.dst_addr)
 
+    def test_arp_spoof_allowed_address_pairs_0cidr(self):
+        self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
+                                                         '1.2.3.4'])
+        self.src_p.addr.add('%s/24' % self.src_addr)
+        self.dst_p.addr.add('%s/24' % self.dst_addr)
+        pinger = helpers.Pinger(self.src_ns)
+        pinger.assert_ping(self.dst_addr)
+
     def test_arp_spoof_disable_port_security(self):
         # block first and then disable port security to make sure old rules
         # are cleared