Skip ARP protection if 0.0.0.0/0 in addr pairs
Don't set up ARP protection on ports whose allowed address pairs
let them use any IP address (a /0 prefix). This is necessary because
OVS doesn't support the /0 prefix in rules that match on ARP headers.
Related-Bug: #1461054
Closes-Bug: #1468009
Change-Id: I913a86f22b228aa11fa3dabd9493c3995198f7ec
(cherry picked from commit 747738d365
)
parent
baf9fa2a94
commit
88d76bc37f
@ -738,6 +738,10 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
if port_details.get('allowed_address_pairs'):
addresses += [p['ip_address']
for p in port_details['allowed_address_pairs']]
if any(netaddr.IPNetwork(ip).prefixlen == 0 for ip in addresses):
# don't try to install protection because a /0 prefix allows any
# address anyway and the ARP_SPA can only match on /1 or more.
return
# allow ARPs as long as they match addresses that actually
# belong to the port.
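Review bot: The early `return` added under the `prefixlen == 0` check skips installing protection but does nothing about ARP-spoofing flows already installed for this port, so when a `0.0.0.0/0` allowed address pair is added to a port that was previously wired up with only its fixed IPs, the stale flows keep dropping exactly the traffic the pair is meant to permit. Unless the caller clears the port's flows before this method runs (the method's start is outside the hunk, so I cannot see whether the port-security-disabled path does that), the branch should drop them before returning, e.g. `bridge.delete_arp_spoofing_protection(port=vif.ofport)` ahead of the `return`; the names `bridge` and `vif` are assumed from the method's usual signature and should be checked against the actual parameters. The new functional test only exercises a fresh setup and would not catch the update case. Adding a short comment on the `return` stating whether old flows are expected to be cleared elsewhere would also help the next reader.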
@ -95,6 +95,14 @@ class ARPSpoofTestCase(test_ovs_lib.OVSBridgeTestBase,
pinger = helpers.Pinger(self.src_ns)
pinger.assert_ping(self.dst_addr)
def test_arp_spoof_allowed_address_pairs_0cidr(self):
self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0',
'1.2.3.4'])
self.src_p.addr.add('%s/24' % self.src_addr)
self.dst_p.addr.add('%s/24' % self.dst_addr)
pinger = helpers.Pinger(self.src_ns)
pinger.assert_ping(self.dst_addr)
def test_arp_spoof_disable_port_security(self):
# block first and then disable port security to make sure old rules
# are cleared
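Review bot: `test_arp_spoof_allowed_address_pairs_0cidr` only proves that a port set up from scratch with a `/0` pair is reachable; it does not cover a port that already had protection flows installed and then gains the `/0` pair, which is the case most likely to regress since the agent now returns early instead of touching the bridge. The neighbouring `test_arp_spoof_disable_port_security` (its body continues outside the hunk) follows a block-first-then-relax pattern for port security, and the same shape is worth adding for the `/0` case. The sketch below assumes the `Pinger` helper has a negative assertion alongside `assert_ping`; use whatever the port-security test uses to prove the initial block.

```python
    def test_arp_spoof_allowed_address_pairs_0cidr_clears_old_rules(self):
        # block first with an address the port does not own, then re-run
        # setup with a /0 pair to make sure the old rules are cleared
        self._setup_arp_spoof_for_port(self.dst_p.name, ['192.168.200.1'])
        self.src_p.addr.add('%s/24' % self.src_addr)
        self.dst_p.addr.add('%s/24' % self.dst_addr)
        pinger = helpers.Pinger(self.src_ns)
        pinger.assert_no_ping(self.dst_addr)
        self._setup_arp_spoof_for_port(self.dst_p.name, ['9.9.9.9/0'])
        pinger.assert_ping(self.dst_addr)
```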