commit d626eb24a304a0ba53311aa1bb877f60c974da72
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 02:45:11 2016 -0700
Linux Bridge: Add mac spoofing filtering to ebtables
The current mac-spoofing code in iptables has two issues.
First, it occurs after the address discovery allow rules
(e.g. DHCP), so MAC addresses can be spoofed on discovery
protocols. Second, since it is based on iptables, it
doesn't apply to protocols like STP.
This means a VM could generate one of these types of packets
with a spoofed MAC address to trick switches into learning
that the spoofed MAC now belongs to the VM's port. The impact
of this depends on the configuration of the environment
(e.g. use of L2pop: see the bug report for details).
This patch adds MAC spoofing filtering to the ARP protection
code for Linux bridge based on ebtables. Only traffic sourced
from the MAC address on the port or in the allowed address
pair MACs will be allowed.
This filtering will not be enabled if the port has port
security disabled or if the device_owner starts with 'network:'.
Conflicts:
neutron/plugins/linuxbridge/agent/arp_protect.py
neutron/tests/functional/agent/linux/test_linuxbridge_arp_protect.py
(simple conflicts on both due to utils.is_trusted_port logic being gone)
Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
Partial-Bug: #1558658
(cherry picked from commit be298f8bc35e6d006c7a9361e42755c9d6790e1e)
Reviewed: https://review.openstack.org/299027
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d626eb24a304a0ba53311aa1bb877f60c974da72
Submitter: Jenkins
Branch: stable/kilo
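The following is an added illustration, not Neutron's code, of the rule set the commit describes: per-port ebtables rules that admit only frames sourced from the port's own MAC or its allowed-address-pair MACs, skipped when port security is disabled or device_owner starts with 'network:'. The chain-name scheme, the FORWARD-chain jump and the port dictionary layout are assumptions.

```python
# Added example (not the Neutron agent's own code). Builds the ebtables
# argument lists for the source-MAC filter described in the commit message.
from typing import Dict, List


def _mac_chain_name(vif: str) -> str:
    # Hypothetical per-port chain name; the real agent has its own scheme.
    return "neutronMAC-%s" % vif


def needs_mac_filtering(port: Dict) -> bool:
    """Filtering is skipped when port security is disabled and for
    infrastructure ports whose device_owner starts with 'network:'."""
    if not port.get("port_security_enabled", True):
        return False
    return not port.get("device_owner", "").startswith("network:")


def build_mac_filter_rules(vif: str, port: Dict) -> List[List[str]]:
    """Return ebtables commands (as argv lists) that drop every frame
    entering from `vif` unless its source MAC is the port's MAC or one
    of its allowed-address-pair MACs. Because ebtables works at layer 2,
    this covers ARP, DHCP and STP frames that an iptables rule never sees."""
    if not needs_mac_filtering(port):
        return []
    chain = _mac_chain_name(vif)
    port_mac = port["mac_address"].lower()
    allowed = {port_mac}
    for pair in port.get("allowed_address_pairs", []):
        # A pair without an explicit MAC refers to the port's own MAC.
        allowed.add((pair.get("mac_address") or port_mac).lower())
    rules = [
        ["ebtables", "-N", chain],
        ["ebtables", "-P", chain, "DROP"],          # default: drop
        ["ebtables", "-A", "FORWARD", "-i", vif, "-j", chain],
    ]
    for mac in sorted(allowed):                      # deterministic order
        rules.append(["ebtables", "-A", chain, "-s", mac, "-j", "ACCEPT"])
    return rules


if __name__ == "__main__":
    # Constructed sample port with one allowed address pair.
    sample = {"mac_address": "FA:16:3E:00:00:01",
              "allowed_address_pairs": [{"ip_address": "10.0.0.5",
                                         "mac_address": "fa:16:3e:00:00:02"}]}
    for argv in build_mac_filter_rules("tap0a1b2c3d", sample):
        print(" ".join(argv))
```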