Bug #1558658 “[OSSA-2016-009] Security Groups do not prevent MAC...” : Bugs : OpenStack Security Advisory

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-03-17:

#1

Since this report concerns a possible security risk, an incomplete security advisory task has been added while the core security reviewers for the affected project or projects confirm the bug and discuss the scope of any vulnerability along with potential solutions.

Changed in ossa:
status:	New → Incomplete
description:	updated

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2016-03-18:

#2

Looking.

Revision history for this message

Armando Migliaccio (armando-migliaccio) wrote on 2016-03-18:

#3

I think the issue exists, and under the circumstances identified there's the risk to intercept traffic on a shared medium. If the solution wouldn't involve tracking the source mac of all instances on the shared network, I'd say go for it, but the scalability implications concern me. Having said that, I think knowledge about this is already public domain because of the other issues being reported, therefore we may want to consider open the discussion for wider feedback.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-03-21:

#4

Thank you Armando for the investigation.

It's still unclear whenever shared network impacts do warrants an advisory.
If nobody objects, lets make this bug report public security.

Also, should the description be saying "the IPv6* case of public bug" instead of IPv4 ?

Revision history for this message

Dustin Lundquist (dlundquist) wrote on 2016-03-21:

#5

Tristan,

It's reasonable to assume IPv4 is much more widely deployed than IPv6, so the public IPv6 bug a significantly smaller number of installations. That being said, it wasn't a very difficult to examine the IPv4 case for the same vulnerability as the IPv6 case, so don't believe there is significant value in maintaining the embargo.

Armando,

Neutron presently maintains an ebtables chain for each instance port to prevent MAC spoofing, the overhead of expanding this to validate all source MAC as well as ARP messages is one additional rule in this chain (ebtables allows matching against multiple MAC addresses in a single rule). If Neutron chooses not to address this, first-hop security expectations should to be clearly defined in a policy somewhere so operators can make informed decisions on how they deploy Neutron.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2016-03-25:

#6

bug_1558658.patch Edit (23.1 KiB, text/plain)

I agree that this is something we need to address. I'm fine with it being opened to the public or being fixed first.

@Dustin,

Can you confirm that the attached patch fixes the mac spoofing issue? (Note that there are two patches in there, one for Linux Bridge and one for OVS)

I didn't do anything about the DHCP request source IP restriction in this patch because that one just seems to be a way to spam some DHCP requests for an incorrect address. Correct me if I'm wrong, but that doesn't pose any security issue (other than log noise), right?

Revision history for this message

Dustin Lundquist (dlundquist) wrote on 2016-03-28:

#7

@Kevin,

I've tested the patch on ML2 LinuxBridge, and in the process of testing on ML2 OVS now. I'm not positive that all potential instance operating systems would not insert an entry its ARP table after receiving a unicast UDP packet, although I've verified Linux does not learn neighbors from unicast UDP packets. I think we can remove the embargo once this patch is merged.

Revision history for this message

Dustin Lundquist (dlundquist) wrote on 2016-03-28:

#8

@Kevin

I've verified your patch prevents MAC address spoofing with both LinuxBridge and OVS mechanism drivers. The chunk in update_stale_ofport_rules didn't apply cleanly to master, but was trivial to resolve by hand.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2016-03-29:

#9

I agree the impact of this bug should be limited enough that it's worthwhile to work it in public and avoid complexities of the embargo process.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-03-29:

#10

@Dustin @Kevin, if it's ok for you, can you remove the privacy setting of this bug before submitting the proposed patch to gerrit ?

Revision history for this message

Dustin Lundquist (dlundquist) wrote on 2016-03-29:

#11

@Tristan @Jeremy, The MAC spoofing aspect of this could based used to DoS or intercept other tenants in a public cloud using shared networks. I'm not familiar with the review process for a patch under embargo, but releasing this could leave public deployments exposed. On the other hand, as I mentioned in the original bug report, this is the IPv4 case of a public IPv6 bug and a fix was first suggested in 2013. Hopefully public deployments have taken additional precautions to harden their environments.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2016-03-29:

#12

In the past we've considered some bugs only impacting shared tenant networks to be impractical vulnerabilities given the warnings in the security guide about shared network deployment models (though I'm failing to find specific precedent bugs to cite at the moment). That said, if the proposed patch fixes this and can be backported quickly to supported stable branches (mitaka, liberty, kilo) without an adverse behavior change then we could follow embargo process. I'm just wary, as the related IPv6 bug has been public for months with no movement.

Revision history for this message

Kevin Benton (kevinbenton) wrote on 2016-03-29:

#13

I would be okay with a public release and then regular code review. It should be relatively quick since the patch is already prepared with tests.

Revision history for this message

Jeremy Stanley (fungi) wrote on 2016-03-29:

#14

I've switched this to public security. Changes can be pushed to public Gerrit while we continue to debate the impact and need for an advisory.

information type:	Private Security → Public Security
description:	updated

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29: Fix proposed to neutron (master)

#15

Fix proposed to branch: master
Review: https://review.openstack.org/299021

Changed in neutron:
assignee:	nobody → Kevin Benton (kevinbenton)
status:	New → In Progress

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29:

#16

Fix proposed to branch: master
Review: https://review.openstack.org/299022

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29: Fix proposed to neutron (stable/mitaka)

#17

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/299023

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29:

#18

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/299024

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29: Fix proposed to neutron (stable/liberty)

#19

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/299025

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29:

#20

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/299026

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29: Fix proposed to neutron (stable/kilo)

#21

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/299027

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-29:

#22

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/299028

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-03-31: Fix proposed to neutron (master)

#23

Fix proposed to branch: master
Review: https://review.openstack.org/300202

Changed in neutron:
assignee:	Kevin Benton (kevinbenton) → Dustin Lundquist (dlundquist)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-04-04: Re: Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests

#24

About the OSSA status, is the impact for non shared network limited to single tenant scope (e.g. one instance can bypass neutron anti-spoof rules toward other instances of the same tenant only) ?

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-05: Fix merged to neutron (master)

#25

Reviewed: https://review.openstack.org/299021
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=be298f8bc35e6d006c7a9361e42755c9d6790e1e
Submitter: Jenkins
Branch: master

commit be298f8bc35e6d006c7a9361e42755c9d6790e1e
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 02:45:11 2016 -0700

Linux Bridge: Add mac spoofing filtering to ebtables

    The current mac-spoofing code in iptables has two issues.
    First, it occurs after the address discovery allow rules
    (e.g. DHCP), so MAC addresses can be spoofed on discovery
    protocols. Second, since it is based on iptables, it
    doesn't apply to protocols like STP.

    This means a VM could generate one of these types of packets
    with a spoofed MAC address to trick switches into learning
    that the spoofed MAC now belongs to the VM's port. The impact
    of this depends on the configuration of the environment
    (e.g. use of L2pop: see the bug report for details).

    This patch adds MAC spoofing filtering to the ARP protection
    code for Linux bridge based on ebtables. Only traffic sourced
    from the MAC address on the port or in the allowed address
    pair MACs will be allowed.

This filtering will not be enabled if the port has port
security disabled or if the device_owner starts with 'network:'.

Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
Partial-Bug: #1558658

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-04-05: Re: Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests

#26

Covering both bug 1558658 and bug 1502933, here is impact description draft #1.
Is this accurate enough ?

Title: Neutron anti-spoof protection bypass
Reporter: Romain Aviolat (Nagravision) and Dustin Lundquist (Blue Box Group)
Products: Neutron
Affects: >=2015.1.0 <=2015.1.3, >=7.0.0 <=7.0.4, <=8.0.0

Description:
Romain Aviolat from Nagravision and Dustin Lundquist from Blue Box Group, Inc independently reported a vulnerability in Neutron anti-spoof protection. By forging discovery protocol source address, an instance may spoof addresses on attached network resulting in Denial of Service and/or traffic interception. When L2population isn't used, other tenants attached to a shared network are also vulnerable. Neutron setups using the IPTables firewall driver are affected.

OpenStack Infra (hudson-openstack) on 2016-04-05

Changed in neutron:
assignee:	Dustin Lundquist (dlundquist) → Kevin Benton (kevinbenton)

Tristan Cacqueray (tristan-cacqueray) on 2016-04-05

Changed in ossa:
status:	Incomplete → Triaged

Revision history for this message

Dustin Lundquist (dlundquist) wrote on 2016-04-05:

#27

@Tristan, A few suggestions for impact description:
  1. s/forging discovery protocol source address/forging DHCP discovery source address/ (DHCP is the protocol, discovery is the message type, and could be confused with IPv6 neighbor discovery protocol).
  2. In bug/1558674 I generalized this to all non-IP traffic, I think this is relevant to the impact description since it is a more likely attack vector
  3. We should mention that both MAC and IP source spoofing where permitted. MAC spoofing effects are limited to local network, while IP spoofing could be used for either a direct DoS or interfering with DHCP leases on other networks.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-04-05:

#28

Thank you Dustin for this review! How about:

By forging non-IP traffic such as DHCP discovery or ARP messages, an instance may spoof IP or MAC source addresses on attached networks resulting in denial of services and/or traffic interception. Moreover when L2population isn't used, other tenants attached to a shared network are also vulnerable. Neutron setups using the IPTables firewall driver are affected.

Revision history for this message

Dustin Lundquist (dlundquist) wrote on 2016-04-05:

#29

Still a bit muddled, DHCP is IP traffic, and ARP is already filtered by ebtables. How about:

By forging DHCP discovery messages or non-IP traffic, an instance may spoof IP or MAC source addresses on attached networks resulting in denial of services and/or traffic interception. Moreover when L2population isn't used, other tenants attached to a shared network are also vulnerable. Neutron setups using the IPTables firewall driver are affected.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-05: Related fix proposed to ossa (master)

#30

Related fix proposed to branch: master
Review: https://review.openstack.org/301977

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-04-05: Re: Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests

#31

Oups, dhcp discovery is indeed IP. Thank you for the correction.

https://review.openstack.org/301977 is the proposed OSSA, note that it is missing backports of the icmpv6 extra rules.
I'll request the CVE number once everything is ready.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-06: Fix merged to neutron (master)

#32

Reviewed: https://review.openstack.org/299022
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=997d7b03fb7f5528f0a3ce70867b9dcd9321509e
Submitter: Jenkins
Branch: master

commit 997d7b03fb7f5528f0a3ce70867b9dcd9321509e
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 04:47:28 2016 -0700

OVS: Add mac spoofing filtering to flows

    The mac-spoofing filtering done by iptables was
    not adequate. See the bug report and change
    I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78 for
    more information.

    This patch adds flows to the OVS agent to block
    any traffic from the VM that isn't in the allowed
    address pairs macs or the mac address field of
    the port.

Closes-Bug: #1558658
Change-Id: I02984b21872e0f183db7404c10d8180dbd89075f

Changed in neutron:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-08:

#33

Reviewed: https://review.openstack.org/300202
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=6a93ee8ac1a901c255e3475a24f1afc11d8bf80f
Submitter: Jenkins
Branch: master

commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f
Author: Dustin Lundquist <email address hidden>
Date: Thu Mar 31 12:04:31 2016 -0700

Iptables firewall prevent IP spoofed DHCP requests

    The DHCP rules in the fixed iptables firewall rules were too permissive.
    They permitted any UDP traffic with a source port of 68 and destination
    port of 67. Care must be taken since these rules return before the IP
    spoofing prevention rules. This patch splits the fixed DHCP rules into
    two, one for the discovery and request messages which take place before
    the instance has bound an IP address and a second to permit DHCP
    renewals.

Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
Partial-Bug: #1558658

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-08: Fix proposed to neutron (stable/mitaka)

#34

Fix proposed to branch: stable/mitaka
Review: https://review.openstack.org/303563

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-08: Fix proposed to neutron (stable/liberty)

#35

Fix proposed to branch: stable/liberty
Review: https://review.openstack.org/303572

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-08: Fix proposed to neutron (stable/kilo)

#36

Fix proposed to branch: stable/kilo
Review: https://review.openstack.org/303617

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-14: Fix merged to neutron (stable/mitaka)

#37

Reviewed: https://review.openstack.org/303563
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=5853af9cba6733725d6c9ac0db644f426713f0cf
Submitter: Jenkins
Branch: stable/mitaka

commit 5853af9cba6733725d6c9ac0db644f426713f0cf
Author: Dustin Lundquist <email address hidden>
Date: Thu Mar 31 12:04:31 2016 -0700

Iptables firewall prevent IP spoofed DHCP requests

    The DHCP rules in the fixed iptables firewall rules were too permissive.
    They permitted any UDP traffic with a source port of 68 and destination
    port of 67. Care must be taken since these rules return before the IP
    spoofing prevention rules. This patch splits the fixed DHCP rules into
    two, one for the discovery and request messages which take place before
    the instance has bound an IP address and a second to permit DHCP
    renewals.

    Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
    Partial-Bug: #1558658
    (cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f)

tags:	added: in-stable-mitaka
tags:	added: in-stable-liberty

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-14: Fix merged to neutron (stable/liberty)

#38

Reviewed: https://review.openstack.org/303572
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fd5fd259a02156babdfcb12f66cde6ec9e7274ae
Submitter: Jenkins
Branch: stable/liberty

commit fd5fd259a02156babdfcb12f66cde6ec9e7274ae
Author: Dustin Lundquist <email address hidden>
Date: Thu Mar 31 12:04:31 2016 -0700

Iptables firewall prevent IP spoofed DHCP requests

    The DHCP rules in the fixed iptables firewall rules were too permissive.
    They permitted any UDP traffic with a source port of 68 and destination
    port of 67. Care must be taken since these rules return before the IP
    spoofing prevention rules. This patch splits the fixed DHCP rules into
    two, one for the discovery and request messages which take place before
    the instance has bound an IP address and a second to permit DHCP
    renewals.

Conflicts:
neutron/tests/functional/agent/test_firewall.py

    Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
    Partial-Bug: #1558658
    (cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f)

tags:

added: in-stable-kilo

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-04-14: Fix merged to neutron (stable/kilo)

#39

Reviewed: https://review.openstack.org/303617
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b0f6984de3985b80c728dd282fe6148b28f01fe4
Submitter: Jenkins
Branch: stable/kilo

commit b0f6984de3985b80c728dd282fe6148b28f01fe4
Author: Dustin Lundquist <email address hidden>
Date: Thu Mar 31 12:04:31 2016 -0700

Iptables firewall prevent IP spoofed DHCP requests

    The DHCP rules in the fixed iptables firewall rules were too permissive.
    They permitted any UDP traffic with a source port of 68 and destination
    port of 67. Care must be taken since these rules return before the IP
    spoofing prevention rules. This patch splits the fixed DHCP rules into
    two, one for the discovery and request messages which take place before
    the instance has bound an IP address and a second to permit DHCP
    renewals.

    Conflicts:
     neutron/agent/linux/iptables_firewall.py
     neutron/tests/functional/agent/test_firewall.py
     neutron/tests/unit/agent/linux/test_iptables_firewall.py
     neutron/tests/unit/agent/test_securitygroups_rpc.py

    Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
    Partial-Bug: #1558658
    (cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f)

Kevin Benton (kevinbenton) on 2016-04-20

Changed in neutron:
importance:	Undecided → High

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-09: Change abandoned on neutron (stable/kilo)

#40

Change abandoned by Dave Walker (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/299027
Reason:
stable/kilo closed for 2015.1.4

This release is now pending its final release and no freeze exception has
been seen for this changeset. Therefore, I am now abandoning this change.

If this is not correct, please urgently raise a thread on openstack-dev.

More details at: https://wiki.openstack.org/wiki/StableBranch

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-09:

#41

Change abandoned by Dave Walker (<email address hidden>) on branch: stable/kilo
Review: https://review.openstack.org/299028
Reason:
stable/kilo closed for 2015.1.4

This release is now pending its final release and no freeze exception has
been seen for this changeset. Therefore, I am now abandoning this change.

If this is not correct, please urgently raise a thread on openstack-dev.

More details at: https://wiki.openstack.org/wiki/StableBranch

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-09: Fix proposed to neutron (master)

#42

Fix proposed to branch: master
Review: https://review.openstack.org/314250

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10: Fix merged to neutron (stable/liberty)

#43

Reviewed: https://review.openstack.org/299025
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b57d9fa96967de4aa634fb32a683d6c37fd05fab
Submitter: Jenkins
Branch: stable/liberty

commit b57d9fa96967de4aa634fb32a683d6c37fd05fab
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 02:45:11 2016 -0700

Linux Bridge: Add mac spoofing filtering to ebtables

    The current mac-spoofing code in iptables has two issues.
    First, it occurs after the address discovery allow rules
    (e.g. DHCP), so MAC addresses can be spoofed on discovery
    protocols. Second, since it is based on iptables, it
    doesn't apply to protocols like STP.

    This means a VM could generate one of these types of packets
    with a spoofed MAC address to trick switches into learning
    that the spoofed MAC now belongs to the VM's port. The impact
    of this depends on the configuration of the environment
    (e.g. use of L2pop: see the bug report for details).

    This patch adds MAC spoofing filtering to the ARP protection
    code for Linux bridge based on ebtables. Only traffic sourced
    from the MAC address on the port or in the allowed address
    pair MACs will be allowed.

This filtering will not be enabled if the port has port
security disabled or if the device_owner starts with 'network:'.

    Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
    Partial-Bug: #1558658
    (cherry picked from commit be298f8bc35e6d006c7a9361e42755c9d6790e1e)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10:

#44

Reviewed: https://review.openstack.org/299026
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b33c16bb0e75015f3e75693d815cfd616c831112
Submitter: Jenkins
Branch: stable/liberty

commit b33c16bb0e75015f3e75693d815cfd616c831112
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 04:47:28 2016 -0700

OVS: Add mac spoofing filtering to flows

    The mac-spoofing filtering done by iptables was
    not adequate. See the bug report and change
    I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78 for
    more information.

    This patch adds flows to the OVS agent to block
    any traffic from the VM that isn't in the allowed
    address pairs macs or the mac address field of
    the port.

    Conflicts:
      neutron/plugins/ml2/drivers/openvswitch/agent/openflow/ovs_ofctl/br_int.py
      (no 'dump_flows_for' method so dump_flows had to be used with an additional
       check of the in_port on existing rules)

    Closes-Bug: #1558658
    Change-Id: I02984b21872e0f183db7404c10d8180dbd89075f
    (cherry picked from commit 997d7b03fb7f5528f0a3ce70867b9dcd9321509e)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10: Fix merged to neutron (stable/mitaka)

#45

Reviewed: https://review.openstack.org/299023
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cc275e4975450947fa9d9e55ef42475a25bf611d
Submitter: Jenkins
Branch: stable/mitaka

commit cc275e4975450947fa9d9e55ef42475a25bf611d
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 02:45:11 2016 -0700

Linux Bridge: Add mac spoofing filtering to ebtables

    The current mac-spoofing code in iptables has two issues.
    First, it occurs after the address discovery allow rules
    (e.g. DHCP), so MAC addresses can be spoofed on discovery
    protocols. Second, since it is based on iptables, it
    doesn't apply to protocols like STP.

    This means a VM could generate one of these types of packets
    with a spoofed MAC address to trick switches into learning
    that the spoofed MAC now belongs to the VM's port. The impact
    of this depends on the configuration of the environment
    (e.g. use of L2pop: see the bug report for details).

    This patch adds MAC spoofing filtering to the ARP protection
    code for Linux bridge based on ebtables. Only traffic sourced
    from the MAC address on the port or in the allowed address
    pair MACs will be allowed.

This filtering will not be enabled if the port has port
security disabled or if the device_owner starts with 'network:'.

    Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
    Partial-Bug: #1558658
    (cherry picked from commit be298f8bc35e6d006c7a9361e42755c9d6790e1e)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10:

#46

Reviewed: https://review.openstack.org/299024
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d7dc90946407d27eec9063f05f33e3f4888ad395
Submitter: Jenkins
Branch: stable/mitaka

commit d7dc90946407d27eec9063f05f33e3f4888ad395
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 04:47:28 2016 -0700

OVS: Add mac spoofing filtering to flows

    The mac-spoofing filtering done by iptables was
    not adequate. See the bug report and change
    I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78 for
    more information.

    This patch adds flows to the OVS agent to block
    any traffic from the VM that isn't in the allowed
    address pairs macs or the mac address field of
    the port.

    Closes-Bug: #1558658
    Change-Id: I02984b21872e0f183db7404c10d8180dbd89075f
    (cherry picked from commit 997d7b03fb7f5528f0a3ce70867b9dcd9321509e)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10: Fix merged to neutron (stable/kilo)

#47

Reviewed: https://review.openstack.org/299027
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d626eb24a304a0ba53311aa1bb877f60c974da72
Submitter: Jenkins
Branch: stable/kilo

commit d626eb24a304a0ba53311aa1bb877f60c974da72
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 02:45:11 2016 -0700

Linux Bridge: Add mac spoofing filtering to ebtables

    The current mac-spoofing code in iptables has two issues.
    First, it occurs after the address discovery allow rules
    (e.g. DHCP), so MAC addresses can be spoofed on discovery
    protocols. Second, since it is based on iptables, it
    doesn't apply to protocols like STP.

    This means a VM could generate one of these types of packets
    with a spoofed MAC address to trick switches into learning
    that the spoofed MAC now belongs to the VM's port. The impact
    of this depends on the configuration of the environment
    (e.g. use of L2pop: see the bug report for details).

    This patch adds MAC spoofing filtering to the ARP protection
    code for Linux bridge based on ebtables. Only traffic sourced
    from the MAC address on the port or in the allowed address
    pair MACs will be allowed.

This filtering will not be enabled if the port has port
security disabled or if the device_owner starts with 'network:'.

    Conflicts:
     neutron/plugins/linuxbridge/agent/arp_protect.py
     neutron/tests/functional/agent/linux/test_linuxbridge_arp_protect.py
        (simple conflicts on both due to utils.is_trusted_port logic being gone)

    Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
    Partial-Bug: #1558658
    (cherry picked from commit be298f8bc35e6d006c7a9361e42755c9d6790e1e)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-10:

#48

Reviewed: https://review.openstack.org/299028
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d48147b0fc192c49646951294479573e4ed9ae78
Submitter: Jenkins
Branch: stable/kilo

commit d48147b0fc192c49646951294479573e4ed9ae78
Author: Kevin Benton <email address hidden>
Date: Mon Mar 28 22:21:53 2016 -0700

OVS: Add mac spoofing filtering to flows

    The mac-spoofing filtering done by iptables was
    not adequate. See the bug report and change
    I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78 for
    more information.

    This patch adds flows to the OVS agent to block
    any traffic from the VM that isn't in the allowed
    address pairs macs or the mac address field of
    the port.

    Conflicts:
        This had to be heavily modified to work with Kilo due to
        the lack of a pluggable openflow interface that was present
        in master, mitaka, and liberty.

    Closes-Bug: #1558658
    Change-Id: I02984b21872e0f183db7404c10d8180dbd89075f
    (cherry-picked from 997d7b03fb7f5528f0a3ce70867b9dcd9321509e)

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-05-10: Fix included in openstack/neutron 2015.1.4

#49

This issue was fixed in the openstack/neutron 2015.1.4 release.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-13: Fix proposed to neutron (master)

#50

Fix proposed to branch: master
Review: https://review.openstack.org/315828

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-05-16: Re: Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests

#51

Dustin, is change 315828 ( Ia1f9d768004871d743d2c7b979de1439667efe52 ) a security fix or does it fix a regression caused by one of the fix part of this upcoming advisory ? ftr, the current list of patch for the ossa are:

* Ice1c9dd349864da28806c5053e38ef86f43b7771 (icmpv6)
* Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5 (dhcp)
* I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78 (arp)

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-05-16:

#52

Here is the final impact description:

Title: Neutron anti-spoof protection bypass
Reporter: Romain Aviolat (Nagravision) and Dustin Lundquist (Blue Box Group, Inc)
Products: Neutron
Affects: <=7.0.4, >=8.0.0 <=8.1.0

Description:
Romain Aviolat from Nagravision and Dustin Lundquist from Blue Box
Group, Inc independently reported vulnerabilities in Neutron anti-
spoof protection. By forging DHCP discovery messages or non-IP
traffic, such as ARP or ICMPv6, an instance may spoof IP or MAC source
addresses on attached networks resulting in denial of services and/or
traffic interception. Moreover when L2population isn't used, other
tenants attached to a shared network are also vulnerable. Neutron
setups using the IPTables firewall driver are affected.

Revision history for this message

Dustin Lundquist (dlundquist) wrote on 2016-05-17:

#53

Tristan, change 315828 addresses the OVS Firewall which currently has many of these same problems. Specifically table 71 (BASE_EGRESS_TABLE) permits specific ICMPv6 types, DHCP and DHCPv6 before validating source MAC or IP addresses. This allows IPv6 spoofing: neighbor discovery is permitted without any address validation. In addition the DHCP (IPv4) could be used to mask the source address of flood attack or release the DHCP lease of another instance (potentially belonging to another tenant on a shared network). In addition all the of above traffic types could be used to cause an physical switch to learn an incorrect port of another instance or router's MAC address potentially intercepting another tenants traffic on a shared provider network.

I finally have a working OVS Firewall test environment and this is my initial analysis of the OpenFlow rules it produces. I think all of the above vulnerabilities are addressed in the existing bug reports. I know the OVS Firewall is recent addition, so I'm not sure how it falls into the security advisory process.

Revision history for this message

Tristan Cacqueray (tristan-cacqueray) wrote on 2016-05-17:

#54

Hum, well that's the problem with catch-all advisory where similar issues can be found later.
I propose we change impact description title to "Neutron IPTables firewall anti-spoof protection bypass" and move with it.

For the OVS Firewall case, I've added an ossa task to track this issue separately. If you agree, please review the new title and impact description posted in comment #52 so that we can request a CVE and proceed with the advisory.

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-05-26: Fix merged to neutron (master)

#55

Download full text (36.9 KiB)

Reviewed: https://review.openstack.org/314250
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3bf73801df169de40d365e6240e045266392ca63
Submitter: Jenkins
Branch: master

commit a323769143001d67fd1b3b4ba294e59accd09e0e
Author: Ryan Moats <email address hidden>
Date: Tue Oct 20 15:51:37 2015 +0000

Revert "Improve performance of ensure_namespace"

This reverts commit 81823e86328e62850a89aef9f0b609bfc0a6dacd.

    Unneeded optimization: this commit only improves execution
    time on the order of milliseconds, which is less than 1% of
    the total router update execution time at the network node.

This also

Closes-bug: #1574881

Change-Id: Icbcdf4725ba7d2e743bb6761c9799ae436bd953b

commit 7fcf0253246832300f13b0aa4cea397215700572
Author: OpenStack Proposal Bot <email address hidden>
Date: Thu Apr 21 07:05:16 2016 +0000

Imported Translations from Zanata

For more information about this automatic import see:
https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: I9e930750dde85a9beb0b6f85eeea8a0962d3e020

commit 643b4431606421b09d05eb0ccde130adbf88df64
Author: OpenStack Proposal Bot <email address hidden>
Date: Tue Apr 19 06:52:48 2016 +0000

Imported Translations from Zanata

For more information about this automatic import see:
https://wiki.openstack.org/wiki/Translations/Infrastructure

Change-Id: I52d7460b3265b5460b9089e1cc58624640dc7230

commit 1ffea42ccdc14b7a6162c1895bd8f2aae48d5dae
Author: OpenStack Proposal Bot <email address hidden>
Date: Mon Apr 18 15:03:30 2016 +0000

Updated from global requirements

Change-Id: Icb27945b3f222af1d9ab2b62bf2169d82b6ae26c

commit b970ed5bdac60c0fa227f2fddaa9b842ba4f51a7
Author: Kevin Benton <email address hidden>
Date: Fri Apr 8 17:52:14 2016 -0700

Clear DVR MAC on last agent deletion from host

    Once all agents are deleted from a host, the DVR MAC generated
    for that host should be deleted as well to prevent a buildup of
    pointless flows generated in the OVS agent for hosts that don't
    exist.

    Closes-Bug: #1568206
    Change-Id: I51e736aa0431980a595ecf810f148ca62d990d20
    (cherry picked from commit 92527c2de2afaf4862fddc101143e4d02858924d)

commit eee9e58ed258a48c69effef121f55fdaa5b68bd6
Author: Mike Bayer <email address hidden>
Date: Tue Feb 9 13:10:57 2016 -0500

Add an option for WSGI pool size

    Neutron currently hardcodes the number of
    greenlets used to process requests in a process to 1000.
    As detailed in
    http://lists.openstack.org/pipermail/openstack-dev/2015-December/082717.html

    this can cause requests to wait within one process
    for available database connection while other processes
    remain available.

    By adding a wsgi_default_pool_size option functionally
    identical to that of Nova, we can lower the number of
    greenlets per process to be more in line with a typical
    max database connection pool size.

DocImpact: a previously unused configuration value
wsgi_default_pool_size is now used to a...

Reviewed:  https://review.openstack.org/314250
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=3bf73801df169de40d365e6240e045266392ca63
Submitter: Jenkins
Branch:    master

commit a323769143001d67fd1b3b4ba294e59accd09e0e
Author: Ryan Moats <rmoats@us.ibm.com>
Date:   Tue Oct 20 15:51:37 2015 +0000

Revert "Improve performance of ensure_namespace"
    
    This reverts commit 81823e86328e62850a89aef9f0b609bfc0a6dacd.
    
    Unneeded optimization: this commit only improves execution
    time on the order of milliseconds, which is less than 1% of
    the total router update execution time at the network node.
    
    This also
    
    Closes-bug: #1574881
    
    Change-Id: Icbcdf4725ba7d2e743bb6761c9799ae436bd953b

commit 7fcf0253246832300f13b0aa4cea397215700572
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Thu Apr 21 07:05:16 2016 +0000

Imported Translations from Zanata
    
    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure
    
    Change-Id: I9e930750dde85a9beb0b6f85eeea8a0962d3e020

commit 643b4431606421b09d05eb0ccde130adbf88df64
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Tue Apr 19 06:52:48 2016 +0000

Imported Translations from Zanata
    
    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure
    
    Change-Id: I52d7460b3265b5460b9089e1cc58624640dc7230

commit 1ffea42ccdc14b7a6162c1895bd8f2aae48d5dae
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Mon Apr 18 15:03:30 2016 +0000

Updated from global requirements
    
    Change-Id: Icb27945b3f222af1d9ab2b62bf2169d82b6ae26c

commit b970ed5bdac60c0fa227f2fddaa9b842ba4f51a7
Author: Kevin Benton <kevin@benton.pub>
Date:   Fri Apr 8 17:52:14 2016 -0700

Clear DVR MAC on last agent deletion from host
    
    Once all agents are deleted from a host, the DVR MAC generated
    for that host should be deleted as well to prevent a buildup of
    pointless flows generated in the OVS agent for hosts that don't
    exist.
    
    Closes-Bug: #1568206
    Change-Id: I51e736aa0431980a595ecf810f148ca62d990d20
    (cherry picked from commit 92527c2de2afaf4862fddc101143e4d02858924d)

commit eee9e58ed258a48c69effef121f55fdaa5b68bd6
Author: Mike Bayer <mike_mp@zzzcomputing.com>
Date:   Tue Feb 9 13:10:57 2016 -0500

Add an option for WSGI pool size
    
    Neutron currently hardcodes the number of
    greenlets used to process requests in a process to 1000.
    As detailed in
    http://lists.openstack.org/pipermail/openstack-dev/2015-December/082717.html
    
    this can cause requests to wait within one process
    for available database connection while other processes
    remain available.
    
    By adding a wsgi_default_pool_size option functionally
    identical to that of Nova, we can lower the number of
    greenlets per process to be more in line with a typical
    max database connection pool size.
    
    DocImpact: a previously unused configuration value
               wsgi_default_pool_size is now used to affect
               the number of greenlets used by the server. The
               default number of greenlets also changes from 1000
               to 100.
    Change-Id: I94cd2f9262e0f330cf006b40bb3c0071086e5d71
    (cherry picked from commit 9d573387f1e33ce85269d3ed9be501717eed4807)

commit bf66cc6f74133cfe6c1ab75287d39814ac44b068
Author: Clayton O'Neill <clayton.oneill@twcable.com>
Date:   Thu Mar 24 15:28:21 2016 +0000

Don't disconnect br-int from phys br if connected
    
    When starting up, we don't want to delete the patch port between br-int
    and the physical bridges. In liberty the br-int bridge was changed to
    not tear down flows on startup, and  change
    I9801b76829021c9a0e6358982e1136637634a521 will change the physical
    bridges to not tear down flows also.
    
    Without this patch the patch port is torn down and not reinstalled until
    after the initial flows are set back up.
    
    Partial-Bug: #1514056
    Change-Id: I05bf5105a6f3acf6a313ce6799648a095cf8ec96
    (cherry picked from commit a549f30fad93508bf9dfdcfb20cd522f7add27b0)

commit 93795a4bda47605d5616476b2a456772308aa3c3
Author: Kevin Benton <kevin@benton.pub>
Date:   Mon Mar 28 14:14:15 2016 -0700

Fix deprecation warning for external_network_bridge
    
    We only want this to warn when a deployer has set anything other
    than a blank string. The olso cfg would warn whenever it was set
    so it was incorrectly warning on the value we want operators to
    set it to.
    
    This changes the cfg option to not use deprecated for removal and
    the L3 agent config validation to emit a warning if its not set
    to the value we are suggesting.
    
    Change-Id: If533cf7c4c379be78f5a15073accaff7f65973ab
    Closes-Bug: #1563070
    (cherry picked from 8382ac3717cf646145379456af94ce75000349a9)

commit 36305c0c4f4ebf498020f5956e103832da75f8a9
Author: Kevin Benton <kevin@benton.pub>
Date:   Thu Feb 18 03:48:29 2016 -0800

Add ALLOCATING state to routers
    
    This patch adds a new ALLOCATING status to routers
    to indicate that the routers are still being built on the
    Neutron server. Any routers in this state are excluded in
    router retrievals by the L3 agent since they are not yet
    ready to be wired up.
    
    This is necessary when a router is made up of several
    distinct Neutron resources that cannot all be put
    into a single transaction. This patch applies this new
    state to HA routers while their internal HA ports and
    networks are being created/deleted so the L3 HA agent
    will never retrieve a partially formed HA router. It's
    important to note that the ALLOCATING status carries over
    until after the scheduling is done, which ensures that
    routers that weren't fully scheduled will not be sent to
    the agents.
    
    An HA router is placed in this state only when it is being
    created or converted to/from the HA state since this is
    disruptive to the dataplane.
    
    This patch also reverts the changes introduced in
    Iadb5a69d4cbc2515fb112867c525676cadea002b since they will
    be handled by the ALLOCATING logic instead.
    
    Co-Authored-By: Ann Kamyshnikova <akamyshnikova@mirantis.com>
    Co-Authored-By: John Schwarz <jschwarz@redhat.com>
    
    APIImpact
    Closes-Bug: #1550886
    Related-bug: #1499647
    Change-Id: I22ff5a5a74527366da8f82982232d4e70e455570
    (cherry picked from commit 9c3c19f07ce52e139d431aec54341c38a183f0b7)

commit 07401352a964b92ef4bc09a09800554e4a84cc87
Author: Hynek Mlnarik <hmlnarik@redhat.com>
Date:   Thu Feb 25 11:34:15 2016 +0100

Cleanup stale OVS flows for physical bridges
    
    Perform deletion of the stale flows in physical bridges consistently with
    br-int and br-tun, respecting drop_flows_on_start configuration option.
    Added tests for auxiliary bridge and functional tests for the physical
    bridge using VLAN/flat external network. Fixes part of the bug 1514056;
    together with [1] and [2], the bug should be considered fixed.
    
    The commit also fixes inconsistency between netmask of allocated IP
    addresses assigned in _create_test_port_dict and ip_len in _plug_ports
    of base.py.
    
    [1] https://review.openstack.org/#/c/297211/
    [2] https://review.openstack.org/#/c/297818/
    
    Co-Authored-By: Jian Wen <wenjianhn@gmail.com>
    Partial-Bug: 1514056
    Change-Id: I9801b76829021c9a0e6358982e1136637634a521
    (cherry picked from commit cacde308eef6f1d7005e555b4521332da95d3cf4)

commit 05a4a34b7e46c2e13a9bd874674804a94f342d0c
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Thu Apr 7 16:45:52 2016 +0300

Notify resource_versions from agents only when needed
    
    resource_versions were included into agent state reports recently to
    support rolling upgrades (commit 97a272a892fcf488949eeec4959156618caccae8)
    The downside is that it brought additional processing when handling state
    reports on server side: update of local resources versions cache and
    more seriously rpc casts to all other servers to do the same.
    All this led to a visible performance degradation at scale with hundreds
    of agents constantly sending reports. Under load (rally test) agents
    may start "blinking" which makes cluster very unstable.
    
    In fact there is no need to send and update resource_versions in each state
    report. I see two cases when it should be done:
     1) agent was restarted (after it was upgraded);
     2) agent revived - which means that server was not receiving or being able
        to process state reports for some time (agent_down_time). During that
        time agent might be upgraded and restarted.
    
    So this patch makes agents include resource_versions info only on startup.
    After agent revival server itself will update version_manager with
    resource_versions taken from agent DB record - this is to avoid
    version_manager being outdated.
    
    Closes-Bug: #1567497
    Change-Id: I47a9869801f4e8f8af2a656749166b6fb49bcd3b
    (cherry picked from commit e532ee3fccd0820f9ab0efc417ee787fb8c870e9)

commit 07fa3725c5a7fc68a41ed8af53ca2d3aad4c35b9
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Tue Apr 5 16:18:03 2016 +0300

ADDRESS_SCOPE_MARK_IDS should not be global for L3 agent
    
    Otherwise agent becomes unable to handle more than 1024 routers
    (including deleted routers) and starts failing.
    
    It should be enough to distinguish address scopes inside router namespace,
    so this patch moves ADDRESS_SCOPE_MARK_IDS set to the RouterInfo class.
    
    Closes-Bug: #1566291
    Change-Id: I1e43bb3e68db4db93cc1dfc1383af0311bfb0f2d
    (cherry picked from commit 1cb43734808eded87210d2957d56b70c514d55c3)

commit 9c58ae6a70125497a39612f71c53c60a8b35968e
Author: Eugene Nikanorov <enikanorov@mirantis.com>
Date:   Wed Mar 30 08:36:58 2016 -0700

Wrap all update/delete l3_rpc handlers with retries
    
    This is needed for mysql galera multimaster backends.
    
    Closes-Bug: #1564144
    Change-Id: Ia5a14d5ee91c6672d61904f669e9e845a7f262c9
    (cherry picked from commit d8f0ee5ecd67ee6ec956c7fdadce3c2a8e8301bf)

commit fff909e899eb06ca2ba1b9219df8525db0980fdd
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Thu Apr 7 19:27:38 2016 +0300

Values for [ml2]/physical_network_mtus should not be unique
    
    Obviously there could be physical networks with same MTU.
    The patch sets unique_values to False when parsing physical_network_mtus
    Unit test added.
    
    Closes-Bug: #1567502
    Change-Id: I46e5b5d3f7033a974fca40342af6dff7c71a9a4a
    (cherry picked from commit 5cdd7ae574312a7499a8768c1752d9bc27ff7d20)

commit ece192b056c36568238abaf763b0ea9f99877c4c
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Fri Apr 1 19:40:20 2016 +0300

Use new DB context when checking if agent is online during rescheduling
    
    Commit 9ec466cd42de94c2fad091edfd7583a5f47eb87a was not enough
    since it checked l3 agents in the same transaction that was used
    to fetch down bindings - so agents always were down even if actually
    they went back online.
    This commit adds context creation on each iteration to make sure
    we use new transaction and fetch up-to-date info for the agent.
    
    Closes-Bug: #1522436
    Change-Id: I12a4e4f4e0c2042f0c0bf7eead42baca7b87a22b
    (cherry picked from commit 70068992e37c80e9aa8e70f017aa35132d7e5aee)

commit 2e2d75cbc2be356e962793db42905cecf28730d8
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Thu Apr 7 10:09:13 2016 +0000

ovsfw: Load vlan tag from other_config
    
    OVS agent stores vlan tag only to other_config before
    setup_port_filter() is called [1], leaving 'tag' column empty. This
    patch loads tag from correct place and modifies functional tests
    accordingly.
    
    Closes-Bug: 1566934
    [1] https://github.com/openstack/neutron/blob/1efed3a5321a259d27ec4a6e80352d35fc423c11/neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py#L821
    
    Change-Id: Iaae46ce7362fedfc53af958600d6d712eb382e9f
    (cherry picked from commit dabd969090d35ec218d348f170edbef58163a79d)

commit 681441137b8590620c6a1f35ab5931edb22d7a31
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Mon Apr 11 06:27:57 2016 +0000

Imported Translations from Zanata
    
    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure
    
    Change-Id: Ia032d91e89bd78e16412b9bc7f60f466c61a16e5

commit a2d1c46fe7952abc392d91ef3d00d203e0f38a4c
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Thu Mar 24 16:16:17 2016 +0100

firewall: don't warn about a driver that does not accept bridge
    
    Drivers that do not need the bridge parameter are safe to ignore it.
    Actually, the base abstract interface for those drivers does not allow
    to pass the new parameter.
    
    Ideally, the base class __init__ signature would change to accept the
    argument, but we can't do it without breaking API.
    
    So instead, just handle both types of drivers - those that accept the
    additional argument, and those that don't. And don't assume the latter
    are somehow wrong.
    
    Change-Id: Iceee46f63669b28e3a34d207216d864f1bfa5cf8
    Closes-Bug: #1561243
    (cherry picked from commit 193aa35325b897b960de88b510181b377e4c345c)

commit fa5eb530bb71c1b1fe1020802a63b05907695011
Author: Kevin Benton <kevin@benton.pub>
Date:   Wed Mar 16 01:35:26 2016 -0700

Add uselist=True to subnet rbac_entries relationship
    
    Because the join conditions for Subnet rbac entries
    are manually specified, SQLAlchemy is not
    automatically detecting that this relationship is a list.
    This adds the uselist=True kwarg to the relationship to
    ensure that it's always handled as a list.
    
    Change-Id: Ia4ae57ddd932260691584ae74c0305a79b2e60a9
    Closes-Bug: #1557959
    (cherry picked from commit 691f8f5ea54c04bfdfb76e25bda14665b05ed859)

commit 5853af9cba6733725d6c9ac0db644f426713f0cf
Author: Dustin Lundquist <dustin@null-ptr.net>
Date:   Thu Mar 31 12:04:31 2016 -0700

Iptables firewall prevent IP spoofed DHCP requests
    
    The DHCP rules in the fixed iptables firewall rules were too permissive.
    They permitted any UDP traffic with a source port of 68 and destination
    port of 67. Care must be taken since these rules return before the IP
    spoofing prevention rules. This patch splits the fixed DHCP rules into
    two, one for the discovery and request messages which take place before
    the instance has bound an IP address and a second to permit DHCP
    renewals.
    
    Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
    Partial-Bug: #1558658
    (cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f)

commit c178bd9565ae699a79a8f13e89d1f8717a765cc1
Author: Armando Migliaccio <armamig@gmail.com>
Date:   Wed Mar 30 14:24:58 2016 -0700

Fix race conditions in IP availability API tests
    
    DHCP port creation is asynchronous with subnet creation.
    Therefore there is a time window where, depending on how fast
    the DHCP agent honors the request, the DHCP port IP allocation
    may or may not be accounted for in the total number of used IP
    for the network. To kill the race, do not run dhcp on the
    created subnets at all.
    
    Closes-bug: 1563883
    
    Change-Id: Idda25e65d04852d68a3c160cc9deefdb4ee82dcd
    (cherry picked from commit 27634bb2ba2637d694c7d0aa5758173d12ef579a)

commit ee32ea5e2bf2b01104c5bde6b6a5018dd0e15f57
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Thu Apr 7 19:15:01 2016 +0200

Switched from fixtures to mock to mock out starting RPC consumers
    
    fixtures 2.0.0 broke us wildly, so instead of trying to make it work
    with new fixtures, I better just switch the mock to... mock.
    
    Change-Id: I58d7a750e263e4af54589ace07ac00bec34b553a
    Closes-Bug: #1567295
    (cherry picked from commit 2af86b8f6f749bf7b42a2c04b48c9a2dc28a46c9)

commit 77696d8529c7310e343722d809ab2e63bd8946f9
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Fri Apr 8 06:36:58 2016 +0000

Imported Translations from Zanata
    
    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure
    
    Change-Id: I2f2ef73e04e007e9b450d51a72ee60e1ec788518

commit 3190494c0dfc9762d874399276327f096ce4bd92
Author: Armando Migliaccio <armamig@gmail.com>
Date:   Fri Apr 1 13:38:06 2016 -0700

Fix zuul_cloner errors during tox job setup
    
    Since [1], Tempest is a pip installable package, and that prevents zuul_cloner
    to work correctly. This change moves away from the existing logic in tox_install,
    and adds tempest as an explicit requirement for the api job. This is in fact
    the only tox target that needs Tempest to work.
    
    tox_install.sh has become less important now, but cleanup is left as follow
    up, to speed up gate salvation.
    
    [1] I25eac915c977ebaedced66ac896c5dd77259d193
    
    Change-Id: I00d882dde77a687ecb57ec200a34fd96256ad87a
    (cherry picked from commit 8a6913c534e39e93640ed99c67e66763a9d1da3c)

commit 9679285f547b301a511e02ebc763b5406fb03ffc
Author: Jamie Lennox <jamielennox@gmail.com>
Date:   Tue Mar 15 10:05:29 2016 +1100

Return oslo_config Opts to config generator
    
    We shouldn't be returning keystoneauth Opts to the oslo_config
    generator. Whilst it mostly works these objects are not interchangable
    and it can result in problems. You can see this by entries such as:
    
      # Warning: Failed to format sample for tenant_name
      # isinstance() arg 2 must be a class, type, or tuple of classes
        and types
    
    in the currently generated config files.
    
    Keystoneauth provides a function that returns oslo_config options so
    fetch, process and return those instead.
    
    Change-Id: Ie3fad2381467b19189cbb332c41cea8b6cf6e264
    Closes-Bug: #1548433
    (cherry picked from commit c3db0707eff70f381913643891ba4e148977407d)

commit 04fb1476de3b9d81ad579586c7010b5cdd2248a2
Author: Hynek Mlnarik <hmlnarik@redhat.com>
Date:   Wed Mar 30 10:44:09 2016 +0200

Refactor and fix dummy process fixture
    
    Extracting the test fixture that creates a new process and leaves it
    running for a given amount of time into helpers where other fixtures for
    functional tests live. This both keeps the fixtures at one place and
    increases visibility of the fixture so that it can be reused in other
    tests. At the same time, the fixture is fixed as the original code
    omitted starting the process.
    
    Change-Id: I97aeb8d1d5773ef3d59e8f908aea34ccceb38378
    Related-Bug: 1561046
    (cherry picked from commit 2690eed19a749fb1b50bb38f3d01fce0f1497f39)

commit 844cae4960cb2e3aedad750ceb91aa675f8e1142
Author: Dmitry Sutyagin <dsutyagin@mirantis.com>
Date:   Fri Feb 12 12:18:14 2016 +0300

Switches metering agent to stateless iptables
    
    If state_less parameter is not specified then
    neutron-postrouting-bottom rule goes up in POSTROUTING
    chain, which causes premature NATing of traffic,
    for ex. traffic between internal networks becomes NATed.
    
    Closes-Bug: 1544508
    Co-Authored-By: Sergey Belous <sbelous@mirantis.com>
    Change-Id: I2e0011237d50a59d417cfee01dcd5f9d0da2e7f5
    (cherry picked from commit 5d2d1120fcdcd5977d3c760ac1520a841048d456)

commit 19ea6ba92379168e1bfff7a7235119cfbbc0172c
Author: Hynek Mlnarik <hmlnarik@redhat.com>
Date:   Wed Mar 23 14:51:59 2016 +0100

Remove obsolete keepalived PID files before start
    
    keepalived refuses to start and claims "daemon already started"
    when there is already a process with the same PID as found in
    either the VRRP or the main process PID file. This happens even
    in case when the new process is not keepalived. The situation
    can happen when the neutron node is reset and the obsolete PID
    files are not cleaned before neutron is started.
    
    This commit adds PID file cleanup before keepalived start.
    
    Closes-Bug: 1561046
    Change-Id: Ib6b6f2fe76fe82253f195c9eab6b243d9eb76fa2
    (cherry picked from commit e98fabb5836b12bc40a2b64a2668893ea73c2320)

commit aafa702d2f389c0a4f3679df65be07940095ec29
Author: Kevin Benton <kevin@benton.pub>
Date:   Sun Mar 13 20:52:09 2016 -0700

Add IPAllocation object to session info to stop GC
    
    This adds the IPAllocation object created in the _store_ip_allocation
    method to the session info dictionary to prevent it from being
    immediately garbage collected. This is necessary because otherwise a
    new persistent object will be created when the fixed_ips relationship
    is referenced during the rest of the port create/update opertions.
    This persistent object will then interfere with a retry operation
    that uses the same session if it tries to create a conflicting record.
    
    By preventing the object from being garbage collected, the reference
    to fixed IPs will re-use the newly created sqlalchemy object instead
    which will properly be cleaned up on a rollback.
    
    This also removes the 'passive_delete' option from the fixed_ips
    relationship on ports because IPAllocation objects would now be
    left in the session after port deletes. At first glance, this might
    look like a performance penalty because fixed_ips would be looked
    up before port deletes; however, we already do that in the IPAM
    code as well as the ML2 code so this relationship is already being
    loaded on the delete_port operation.
    
    Closes-Bug: #1556178
    Change-Id: Ieee1343bb90cf111c55e00b9cabc27943b46c350
    (cherry picked from commit 7d9169967fca3d81076cf60eb772f4506735a218)

commit 005d49d2f092039660a44896217a5c245dcc4685
Author: Vincent Untz <vuntz@suse.com>
Date:   Tue Nov 17 17:47:56 2015 +0100

Ensure metadata agent doesn't use SSL for UNIX socket
    
    The communication between the ns metadata proxy and the metadata agent
    is pure HTTP, and should not switch to HTTPS when neutron is using SSL.
    
    We're therefore telling wsgi.Server to forcefully disable SSL in that
    case.
    
    Change-Id: I2cb9fa231193bcd5c721c4d5cf0eb9c16e842349
    Closes-Bug: #1514424
    (cherry picked from commit 7a306e2918775ebb94d9e1408aaa2b7c3ed26fc6)

commit 905fd05f966e0c7d3851f59665e58746c50bad1e
Author: Swaminathan Vasudevan <swaminathan.vasudevan@hpe.com>
Date:   Fri Mar 25 12:38:13 2016 -0700

DVR: Increase the link-local address pair range
    
    The current dvr_fip_ns.py file has FIP_LL_SUBNET configured
    with a subnet prefixlen of /23 which only allows 255 pairs of
    link-local addresses to be generated. If the number of routers
    per-node increases beyond the 255 limit it raises an assertion.
    
    This patch increases the link-local address cidr to be a /18
    to allow for 8K routers. The new range was chosen to not
    overlap with the original, allowing for in-place upgrades
    without affecting existing routers.
    
    Closes-Bug: #1562110
    Change-Id: I6e11622ea9cc74b1d2428757f16aa0de504ac31a
    (cherry picked from commit 7b1b8c2de57457c2ec1ed784165a3e10e24151cf)

commit 93d719a554d9b179636afccd25e1018b6e5d1cc3
Author: Sreekumar S <sreesiv@gmail.com>
Date:   Fri Jan 22 19:09:49 2016 +0530

SG protocol validation to allow numbers or names
    
    SG rule protocol provided is validated against the DB rules'
    protocols for both number and name. The filter provided to DB
    is modified so that it is queried for records with both the
    protocol name and number, instead of exactly the type provided
    with the input. The returned DB rule record's protocol field is
    validated against the supplied SG protocol field for both name
    or number.
    This way, user is still allowed to enter protocol name or number
    to create a rule, and API compatibility is maintained.
    
    Closes-Bug: #1215181
    (cherry picked from commit 913a64cc1175b3bd7efc7abe34895c32bf39a696)
    
    Also squashed the following regression fix:
    
    ===
    
    Don't drop 'protocol' from client supplied security_group_rule dict
    
    If protocol was present in the dict, but was None, then it was never
    re-instantiated after being popped out of the dict. This later resulted
    in KeyError when trying to access the key on the dict.
    
    Change-Id: I4985e7b54117bee3241d7365cb438197a09b9b86
    Closes-Bug: #1566327
    (cherry picked from commit 5a41caa47a080fdbc1801e2771163734b9790c57)
    
    ===
    
    Change-Id: If4ad684e961433b8d9d3ec8fe2810585d3f6a093

commit 33d3b8ce76d942950e2f999a6040787483adf729
Author: Kevin Benton <kevin@benton.pub>
Date:   Fri Apr 1 02:42:54 2016 -0700

L3 agent: match format used by iptables
    
    This fixes the iptables rules generated by the L3 agent
    (SNAT, DNAT, set-mark and metadata), and the DHCP agent
    (checksum-fill) to match the format that will be returned
    by iptables-save to prevent excessive extra replacement
    work done by the iptables manager.
    
    It also fixes the iptables test that was not passing the
    expected arguments (-p PROTO -m PROTO) for block rules.
    
    A simple test was added to the L3 agent to ensure that the
    rules have converged during the normal lifecycle tests.
    
    Closes-Bug: #1566007
    Change-Id: I5e8e27cdbf0d0448011881614671efe53bb1b6a1
    (cherry picked from commit b8d520ffe2afbffe26b554bff55165531e36e758)

commit 7b2fcaa1734bc1f26a1c4c2f0ace6fedbaa171e2
Author: Armando Migliaccio <armamig@gmail.com>
Date:   Fri Apr 1 18:02:47 2016 -0700

Use right class method in IP availability tests
    
    This should have been skip_checks. Spotted when dealing with
    fix for bug 1563883, argh.
    
    Change-Id: If609c285c2363967aba91a8ae1560d99391654d9
    Related-bug: 1563883
    (cherry picked from commit 2b0ce0ba8bf6abeb62654a00c12cfaad89f86e7c)

commit 93cdf8eb559cf78895200b3ec6775afe60b6c638
Author: Kevin Benton <kevin@benton.pub>
Date:   Sun Feb 21 21:31:59 2016 -0800

Make L3 HA interface creation concurrency safe
    
    This patch creates a function to handle the creation of the
    L3HA interfaces for a router in a manner that handles the
    HA network not existing or an existing one being  deleted
    by another worker before the interfaces could be created.
    
    Closes-Bug: #1548285
    Change-Id: Ibac0c366362aa76615e448fbe11d6d6b031732fe
    (cherry-picked from commit 7512d8aa26a945a695e889e0a97c6414cec6ac10)

commit d93466923f3b5627c55510f9bc7229a7b584b430
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Fri Apr 1 14:53:03 2016 +0000

ovsfw: Remove vlan tag before injecting packets to port
    
    Open vSwitch takes care of vlan tagging in case normal switching is
    used. When ingress traffic packets are accepted, the
    actions=output:<port_number> is used but we need to explicitly take care
    of stripping out the vlan tags.
    
    Closes-Bug: 1564947
    Change-Id: If3fc44c9fd1ac0f7bc9dfe9dc48e76352e981f8e
    (cherry picked from commit 0f9ec7b72a8ca173b760f20323f90bffefa91681)

commit 33c01f4d49a4561bac56831483ac22c4a4b3f47d
Author: OpenStack Proposal Bot <openstack-infra@lists.openstack.org>
Date:   Tue Apr 5 06:48:18 2016 +0000

Imported Translations from Zanata
    
    For more information about this automatic import see:
    https://wiki.openstack.org/wiki/Translations/Infrastructure
    
    Change-Id: Ief6281fde6ab1f72b26bfb11528fc64c71b407b9

commit 05ac0125fe861fbfb09d48eec97a29539b51b4e2
Author: YAMAMOTO Takashi <yamamoto@midokura.com>
Date:   Fri Mar 25 15:22:46 2016 +0900

test_network_ip_availability: Skip IPv6 tests when configured so
    
    Use a class attribute known by the base class so that IPv6 tests
    are skipped appropriately when CONF.network_feature_enabled.ipv6
    is False.
    
    Closes-Bug: #1561857
    Change-Id: I93f76b7f7cd94ff484d2e4507500af97578ac71a
    (cherry picked from commit 61a5bcb52e23fa39839c30cb4f13f8a26e115516)

commit 38894cc7603f90ed8a5938e37fcc773c926fbfe4
Author: Eugene Nikanorov <enikanorov@mirantis.com>
Date:   Mon Mar 21 20:05:47 2016 -0700

Retry updating agents table in case of deadlock
    
    Updating agents table is contantious operation which
    can fail often if mysql backend is in multimaster mode.
    This could lead to agents flapping and various issues
    such as sporadic reschedluing, port binding failures, etc.
    
    Change-Id: Ief392f9a09d86c185dc086055d2cbc1891ff1d7f
    Closes-Bug: #1560724
    (cherry picked from commit d5e4013556c7144d347ece267c4bd3c8dc87b24f)

commit aac460b0a7fec68fbb173ac8899274809e254a7a
Author: Vladimir Eremin <veremin@mirantis.com>
Date:   Thu Mar 17 19:32:29 2016 +0300

Allow to use several nics for physnet with SR-IOV
    
    Accordind specs and docs, SRIOV_NIC.physical_device_mappings is not
    limited to be a 1-1 mapping between physnets and NICs. However,
    implementation requires this. This bugfix unlocks 1-M mappings, so one
    physnet could be managed by many NICs.
    
    * introduced unique_keys in neutron.utils.parse_mappings
    * SRIOV_NIC.physical_device_mappings is parsed as dict with lists as
      values with parse_mappings(..., unique_keys=False)
    
    DocImpact
    Change-Id: I07b8682fdfe8389a35893cc662b87c94a00bd4a5
    Closes-Bug: #1558626
    (cherry picked from commit 46ddaf4288a1cac44d8afc0525b4ecb3ae2186a3)

commit 90b9cd334b1b33df933bf1b61b38c6e087c431af
Author: Ihar Hrachyshka <ihrachys@redhat.com>
Date:   Thu Mar 17 16:20:52 2016 +0100

port security: gracefully handle resources with no bindings
    
    Resources could be created before the extension was enabled in the
    setup. In that case, no bindings are created for them. In that case, we
    should gracefully return default (True) value when extracting the value
    using the mixin; and we should also create binding model on update
    request, if there is no existing binding model for the resource.
    
    While at it, introduced a constant to store the default value for port
    security (True) and changed several tests to use the constant instead of
    extracting it from extension resource map.
    
    Change-Id: I8607cdecdc16c5f94635c94e2f02700c732806eb
    Closes-Bug: #1509312
    (cherry picked from commit b0519cf0ada3b3d9b76f84948f9ad3c142fc50be)

commit 7174bc4c2a0a31e9036ec130cb65f91d1e5009a4
Author: venkata anil <anil.venkata@enovance.com>
Date:   Wed Mar 23 15:24:01 2016 +0000

Ignore exception when deleting linux bridge if doesn't exist
    
    Linux bridge is not handling RuntimeError exception when it is trying
    to delete network's bridge, which is deleted in parallel by nova.
    Fullstack test has similar scenario, it creates network's bridge for
    agent and deletes the bridge after the test, like nova.
    
    Linux bridge agent has to ignore RuntimeError exception if the bridge
    doesn't exist.
    
    Closes-bug: #1561040
    Change-Id: I428384fd42181ff6bc33f29369a7ff5ec163b532
    (cherry picked from commit 16b2ffdfd85eece8fb57a98d10bf35ad617d235a)

commit 93d29d131c0234075ac547906f77900ce47cceec
Author: Clayton O'Neill <clayton.oneill@twcable.com>
Date:   Thu Mar 24 14:59:41 2016 +0000

Don't delete br-int to br-tun patch on startup
    
    When starting up, we don't want to delete the patch port between br-int
    and br-tun unless we're also dropping the flows..  In liberty both of
    these bridges were switched to not dump flows on startup and to put the
    bridges in secure mode so that default flood flows are not installed
    when the bridge is created.
    
    Without this patch the patch port is torn down and not reinstalled until
    br-tun is setup again.
    
    Partial-Bug: #1514056
    Change-Id: Ia518a99a2de5d1bda467fde57892c43970f88bcd
    (cherry picked from commit 8dce6a5c873c2c18e5a9c6165bf3974aead02588)

commit 211e0a65a0cf637ab58a20c91791b7eb6b8c8519
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Mon Feb 29 16:20:05 2016 +0100

functional: Update ref used from ovs branch-2.5.
    
    OVS 2.5.0 has been released, but we need a later commit on branch-2.5 that
    fixes compilation with the latest kernel on ubuntu that backported some
    changes that broke compilation of 2.5.0.
    
    Change-Id: Id70db79a8450d4f0125dd500f7f6ab8d103d98c3
    (cherry picked from commit 59b36ecca8f60996a60cd52f816573ace9b39309)

commit e2676ae8d188286b76f802d605f363e21011841a
Author: Kevin Benton <kevin@benton.pub>
Date:   Fri Mar 25 12:37:12 2016 -0700

DVR: rebind port if ofport changes
    
    When binding is called in DVR, check to see if the port was
    previously wired under a different ofport. If it was, first
    unbind the old port and then bind the new one.
    
    Change-Id: I372158c4a6986295e396d849a2c9c5372b271e08
    Closes-Bug: #1562467
    (cherry picked from commit 4731dbbef1f615b9ce6d18315e8ca9810e8a772d)

commit c6ef57a6d5f0397b1abf865815bd71d40292f482
Author: Jakub Libosvar <libosvar@redhat.com>
Date:   Wed Feb 24 16:34:07 2016 +0000

ovs-fw: Mark conntrack entries invalid if no rule is matched
    
    This patch makes sure that existing connection breaks once security
    group rule that allowed such connection is removed. Due to correctly
    track connections on the same hypervisor, zones were changed from
    per-port to per-network (based on port's vlan tag). This information is
    now stored in register 6. Also there was added a test for RELATED
    connections to avoid marking such connection as invalid by REPLY rules.
    
    Closes-Bug: 1549370
    Change-Id: Ibb5942a980ddd8f2dd7ac328e9559a80c05789bb
    (cherry picked from commit 4f6aa3ffde2fd68b85bc5dfdaf6c2684931f3f61)

commit ef6ea62d5d1fc767a23e3caf2716e76f90d63f03
Author: Andreas Scheuring <andreas.scheuring@de.ibm.com>
Date:   Wed Mar 9 13:56:22 2016 +0100

l3: Send notify on router_create when ext gw is specified
    
    A router that got created with an external gateway specified now
    triggers a notfiy_router_updated event. This triggers scheduling
    of the router and creation of the network namespace on the target
    node.
    
    Change-Id: I7f6ff5edf6a9c5ffa6d8978c1f3de0e106b6a8bb
    Closes-Bug: #1535707
    (cherry picked from commit da00d1a186c55c91887c9546e893f6d075a2c2ad)

commit eb8ddb95bbb56bbdc658e15feebbf7f91d5ddf13
Author: Oleg Bondarev <obondarev@mirantis.com>
Date:   Tue Feb 16 18:03:52 2016 +0300

Move db query to fetch down bindings under try/except
    
    In case of intermittent DB failures router and network auto-rescheduling
    tasks may fail due to error on fetching down bindings from db.
    Need to put this queries under try/except to prevent unexpected exit.
    
    Closes-Bug: #1546110
    Change-Id: Id48e899a5b3d906c6d1da4d03923bdda2681cd92
    (cherry picked from commit b6ec40cbf754de9d189f843cbddfca67d4103ee3)

commit da1eee31057fb44ff758d99ac99eeb47b7caec6e
Author: Alex Oughton <alex.oughton@rackspace.com>
Date:   Fri Mar 18 11:12:10 2016 -0500

Close XenAPI sessions in neutron-rootwrap-xen-dom0
    
    Neutron with XenServer properly doesn't close XenAPI sessions.
    If it creates these sessions so rapidly, the XenServer host eventually
    exceeds its maximum allowed number of connections.
    This patch adds a close process for session.
    
    Closes-Bug: 1558721
    Change-Id: Ida90a970c649745c492c28c41c4a151e4d940aa6
    (cherry picked from commit 9d21b5ad7edbf9ac1fd9254e97f56966f25de8e6)

commit 1d51172babab64176716e723ae84f20e751a2ac3
Author: Kevin Benton <kevin@benton.pub>
Date:   Thu Mar 17 05:19:19 2016 -0700

Watch for 'new' events in ovsdb monitor for ofport
    
    This adjusts the event handling logic in the ovs interface
    monitor to watch for 'new' events as well because this is
    when ofports are assigned to the interface. Previously we
    were only watching for 'insert' events, which would never
    include the ofport so this led to every port being skipped
    initially by the OVS agent and then picked up on the next
    polling interval.
    
    Closes-Bug: #1560464
    Change-Id: I46ac508a839c6db779323d5afb083f3425f96e87
    (cherry picked from commit 62e88623d977d28c113a1e29458621f82d48f6e5)

commit bd3e9c3b1e759d4296cdb9a816a63ef773ea5f63
Author: Stephen Eilert <stephen.eilert@hpe.com>
Date:   Tue Mar 15 13:54:23 2016 -0700

Removes host file contents from DHCP agent logs
    
    The change I3ad7864eeb2f959549ed356a1e34fa18804395cc addressed a
    performance impact by removing logging calls from inside the loop that
    creates the hosts file in memory. However, it also introduced the
    dumping of said hosts file to the logs.
    
    On deployments with a very high number of ports(>5K), this increases the
    load of the node substantially. The problem is worse when a high number
    of port updates is received in a short amount of time.
    
    There is also the administrative burden caused by the sheer amount of
    data being logged.
    
    If the content of the host file is required for debugging purposes, it
    can be found at /opt/stack/data/neutron/dhcp/<net-id>/host
    
    This patch is trivial and only removes the logging of the file contents.
    The 'building'/'done building' logging calls may still provide useful
    information.
    
    Change-Id: Ie176ef123c194c22dca0967a6acfb9a48c959e6c
    Closes-Bug: 1557640
    (cherry picked from commit ed7411fa1c4d6a26cea3a8737b3c29ce6ff64363)

Ihar Hrachyshka (ihar-hrachyshka) on 2016-05-27

tags:

added: neutron-proactive-backport-potential

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-06-01: Fix included in openstack/neutron 8.1.1

#56

This issue was fixed in the openstack/neutron 8.1.1 release.

Revision history for this message

Thierry Carrez (ttx) wrote on 2016-06-01: Fix included in openstack/neutron 7.1.0

#57

This issue was fixed in the openstack/neutron 7.1.0 release.

Revision history for this message

Doug Hellmann (doug-hellmann) wrote on 2016-06-03: Fix included in openstack/neutron 9.0.0.0b1

#58

This issue was fixed in the openstack/neutron 9.0.0.0b1 development milestone.

Tristan Cacqueray (tristan-cacqueray) on 2016-06-10

Changed in ossa:
status:	Triaged → In Progress

Tristan Cacqueray (tristan-cacqueray) on 2016-06-13

summary:

Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests
+ (CVE-2016-5362 and CVE-2016-5363)

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-06-14: Related fix merged to ossa (master)

#59

Reviewed: https://review.openstack.org/301977
Committed: https://git.openstack.org/cgit/openstack/ossa/commit/?id=756540a726aa7309fcd7916c5f22ede66badeb1e
Submitter: Jenkins
Branch: master

commit 756540a726aa7309fcd7916c5f22ede66badeb1e
Author: Tristan Cacqueray <email address hidden>
Date: Tue Apr 5 19:41:31 2016 -0400

Adds OSSA 2016-009 (CVE-2016-5362, CVE-2016-5363 and CVE-2015-8914)

    Change-Id: Iad029108209fc631da286c777e8485106cea7f53
    Related-Bug: #1502933
    Related-Bug: #1558658

Tristan Cacqueray (tristan-cacqueray) on 2016-06-14

summary:	- Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests - (CVE-2016-5362 and CVE-2016-5363) + [OSSA-2016-009] Security Groups do not prevent MAC and/or IPv4 spoofing + in DHCP requests (CVE-2016-5362 and CVE-2016-5363)
Changed in ossa:
status:	In Progress → Fix Released

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-07-05: Change abandoned on neutron (master)

#60

Change abandoned by Armando Migliaccio (<email address hidden>) on branch: master
Review: https://review.openstack.org/315828
Reason: This review is > 4 weeks without comment, and failed Jenkins the last time it was checked. We are abandoning this for now. Feel free to reactivate the review by pressing the restore button and leaving a 'recheck' comment to get fresh test results.

Ihar Hrachyshka (ihar-hrachyshka) on 2016-10-07

tags:

removed: neutron-proactive-backport-potential

Revision history for this message

OpenStack Infra (hudson-openstack) wrote on 2016-11-10: Fix included in openstack/neutron 2015.1.4

#61

This issue was fixed in the openstack/neutron 2015.1.4 release.

Slavik Anikeyev (androidsmg8) on 2018-07-23

Changed in ossa:
assignee:	nobody → Vyacheslav Anikeyev (slavik1991)

Jeremy Stanley (fungi) on 2018-07-24

Changed in ossa:
assignee:	Vyacheslav Anikeyev (slavik1991) → nobody

OpenStack Security Advisory

[OSSA-2016-009] Security Groups do not prevent MAC and/or IPv4 spoofing in DHCP requests (CVE-2016-5362 and CVE-2016-5363)

Bug Description

CVE References

Duplicates of this bug

Other bug subscribers

Patches

Remote bug watches

	Status	Importance	Assigned to	Milestone
OpenStack Security Advisory	Fix Released	Undecided	Unassigned
neutron	Fix Released	High	Kevin Benton
Kilo	Fix Released	Undecided	Kevin Benton	neutron 2015.1.4