Comment 47 for bug 1558658

OpenStack Infra (hudson-openstack) wrote: Fix merged to neutron (stable/kilo)

Reviewed: https://review.openstack.org/299027
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=d626eb24a304a0ba53311aa1bb877f60c974da72
Submitter: Jenkins
Branch: stable/kilo

commit d626eb24a304a0ba53311aa1bb877f60c974da72
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 02:45:11 2016 -0700

    Linux Bridge: Add mac spoofing filtering to ebtables

    The current mac-spoofing code in iptables has two issues.
    First, it occurs after the address discovery allow rules
    (e.g. DHCP), so MAC addresses can be spoofed on discovery
    protocols. Second, since it is based on iptables, it
    doesn't apply to protocols like STP.

    This means a VM could generate one of these types of packets
    with a spoofed MAC address to trick switches into learning
    that the spoofed MAC now belongs to the VM's port. The impact
    of this depends on the configuration of the environment
    (e.g. use of L2pop: see the bug report for details).

    This patch adds MAC spoofing filtering to the ARP protection
    code for Linux bridge based on ebtables. Only traffic sourced
    from the MAC address on the port or in the allowed address
    pair MACs will be allowed.

    This filtering will not be enabled if the port has port
    security disabled or if the device_owner starts with 'network:'.

    Conflicts:
     neutron/plugins/linuxbridge/agent/arp_protect.py
     neutron/tests/functional/agent/linux/test_linuxbridge_arp_protect.py
        (simple conflicts on both due to utils.is_trusted_port logic being gone)

    Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
    Partial-Bug: #1558658
    (cherry picked from commit be298f8bc35e6d006c7a9361e42755c9d6790e1e)
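The rule shape the commit message describes (a per-port ebtables chain in the bridge layer that accepts only frames sourced from the port's MAC or its allowed-address-pair MACs, skipped when port security is off or the device_owner starts with 'network:'), as an added illustration that is not neutron's own code; the chain name, the `exampleMAC-` prefix, and the assumption that an allowed address pair without a mac_address inherits the port's MAC are mine:

```python
"""Generate ebtables rules that restrict a Linux-bridge VIF to frames sourced
from the port's own MAC or its allowed-address-pair MACs.

Added illustration of the approach in the commit above; not neutron's code.
Chain name and rule layout are assumptions, not the project's actual ones."""

TRUSTED_OWNER_PREFIX = "network:"   # commit: no filtering for these owners


def allowed_source_macs(port_mac, allowed_address_pairs):
    """Port MAC plus each allowed-address-pair MAC, lower-cased, de-duplicated.

    Assumption: a pair that carries no mac_address uses the port's own MAC."""
    macs = [port_mac] + [p.get("mac_address") or port_mac
                         for p in allowed_address_pairs]
    seen, out = set(), []
    for mac in (m.strip().lower() for m in macs):
        if mac not in seen:
            seen.add(mac)
            out.append(mac)
    return out


def mac_spoof_rules(vif, port_mac, allowed_address_pairs,
                    port_security=True, device_owner=""):
    """Return ebtables commands for one VIF, or [] when filtering is skipped."""
    if not port_security or device_owner.startswith(TRUSTED_OWNER_PREFIX):
        return []
    chain = f"exampleMAC-{vif}"        # hypothetical chain name
    # Frames entering from the VIF jump to a per-port chain whose policy is
    # DROP, so any source MAC without an explicit ACCEPT is dropped in the
    # bridge layer, before iptables and its DHCP/ARP allow rules see it, and
    # regardless of protocol (STP included).
    rules = [
        f"ebtables -t nat -N {chain} -P DROP",
        f"ebtables -t nat -A PREROUTING -i {vif} -j {chain}",
    ]
    for mac in allowed_source_macs(port_mac, allowed_address_pairs):
        rules.append(f"ebtables -t nat -A {chain} -i {vif} -s {mac} -j ACCEPT")
    return rules


def frame_accepted(vif, port_mac, allowed_address_pairs, src_mac, **port_flags):
    """Offline check: would the generated chain pass a frame from src_mac?"""
    rules = mac_spoof_rules(vif, port_mac, allowed_address_pairs, **port_flags)
    if not rules:
        return True                    # port is unfiltered
    needle = f" -s {src_mac.strip().lower()} -j ACCEPT"
    return any(needle in rule for rule in rules)


if __name__ == "__main__":             # constructed sample port
    pairs = [{"ip_address": "10.0.0.5", "mac_address": "fa:16:3e:00:00:aa"}]
    for line in mac_spoof_rules("tap1", "fa:16:3e:00:00:01", pairs):
        print(line)
```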