[Openstack-security] [Bug 1274034] Re: Neutron firewall anti-spoofing does not prevent ARP poisoning
OpenStack Infra
1274034 at bugs.launchpad.net
Thu Jul 9 20:03:02 UTC 2015
Reviewed: https://review.openstack.org/200163
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=ec799c458976d5bdc03f36fa4bf56c8ca0160614
Submitter: Jenkins
Branch: feature/pecan
commit a0a022373b90835059b8949a57b097030bcbc37e
Author: John Davidge <jodavidg at cisco.com>
Date: Tue Jul 7 17:00:01 2015 +0100
Fix issues with allocation pool generation for ::/64 cidr
Passing a ::/64 cidr to certain netaddr functions without specifying
the ip_version causes errors. Fix this by specifying ip_version.
Change-Id: I31aaf9f5dabe4dd0845507f245387cd4186c410c
Closes-Bug: 1472304
commit c28b6b0ef8606abea00eeea4fde96a4f646da952
Author: Brian Haley <brian.haley at hp.com>
Date: Tue Jul 7 17:03:04 2015 -0400
Remove lingering traces of q_
The rename from Quantum to Neutron left a few q_ strings
around, let's go ahead and clean them up.
Change-Id: I06e6bdbd0c2f3a25bb90b5fa291009b9ec2d471d
commit 5b6ca5ce898a2e9a810ec49a1712337a41822788
Author: armando-migliaccio <armamig at gmail.com>
Date: Tue Jul 7 11:13:41 2015 -0700
Make sure path_prefix is set during unit tests
Change 18bc67d5 broke *-aas unit tests.
This change ensures that mocking is done correctly, the same way
it is done for the other plugin attributes
Change-Id: I4167f18560e3a3aad652aae1ea9d3c6bc34dc796
Closes-bug: #1472361
commit 13b0f6f8e2fd1e84ff3580cd75bb879e18064da6
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Tue Jul 7 16:41:03 2015 +0000
Add IP_ANY dict to ease choosing between IPv4 and IPv6 "any" address
I'm working on a new patch that will add one more case where we need
to choose between 0.0.0.0/0 and ::/0 based on the ip version. I
thought I'd add a new constant and simplify a couple of existing uses.
Change-Id: I376d60c7de4bafcaf2387685ddcc1d98978ce446
commit a863342caf7da9a1c0430549c1ea1e53408b34af
Author: Cyril Roelandt <cyril at redhat.com>
Date: Tue Jul 7 14:25:06 2015 +0000
Python3: cast the result of zip() to list
The result of get_sorts was a 'zip object' in Python 3, and it was later used
as a list, which fails. Just cast the result to a list to fix this issue.
Change-Id: I12017f79cad92b1da4fe5f9939b38436db7219eb
Blueprint: neutron-python3
commit 8b13609edac2c136e1a0acbc05ad93059bb59fc1
Author: Pavel Bondar <pbondar at infoblox.com>
Date: Thu Jul 2 11:35:18 2015 +0300
Track allocation_pools in SubnetRequest
To keep the pluggable and non-pluggable ipam implementations consistent,
the non-pluggable one has to be switched to track allocation_pools and
gateway_ip using SubnetRequests.
SubnetRequest requires allocation_pools to be list of IPRanges.
Previously allocation_pools were tracked as list of dicts.
So allocation_pools generating and validating was moved before
SubnetRequest is created.
Partially-Implements: blueprint neutron-ipam
Change-Id: I8d2fec3013b302db202121f946b53a0610ae8321
commit 04197bc4bbf2bc611371060db839028c2686f87a
Author: Kevin Benton <blak111 at gmail.com>
Date: Mon Jun 29 21:05:08 2015 -0700
Add ARP spoofing protection for LinuxBridge agent
This patch adds ARP spoofing protection for the Linux Bridge
agent based on ebtables. This code was written to be minimally
invasive with the intent of back-porting to Kilo.
The protection is enabled and disabled with the same
'prevent_arp_spoofing' agent config flag added for the OVS agent
in I7c079b779245a0af6bc793564fa8a560e4226afe.
The protection works by setting up an ebtables chain for each port
and jumping all ARP traffic to that chain. The port-specific chains
have a default DROP policy and then have allow rules installed that
only allow ARP traffic with a source CIDR that matches one of the
port's fixed IPs or an allowed address pair.
Closes-Bug: #1274034
Change-Id: I0b0e3b1272472385dff060897ecbd25e93fd78e7
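The per-port ebtables chain described in the commit message above, as an added example (not Neutron's own code): it generates the ebtables commands for one port and simulates the chain's verdict for a given ARP source IP, so the default-DROP behaviour, including the 0.0.0.0/0 allowed-address-pair case, can be checked offline. The chain-name scheme, the nat table and the tap device name are assumptions.

```python
"""Model of the per-port ebtables ARP filter (added example, not Neutron code)."""
import ipaddress
from typing import Iterable, List


def arp_chain_name(port_id: str) -> str:
    # Assumed naming scheme; ebtables chain names are limited to 31 chars,
    # so only a prefix of the port id is used.
    return "neutronARP-" + port_id[:10]


def allowed_arp_sources(fixed_ips: Iterable[str],
                        allowed_address_pairs: Iterable[str]
                        ) -> List[ipaddress.IPv4Network]:
    """CIDRs whose ARP source IP the port may legitimately announce.

    A bare address becomes a /32; IPv6 entries are skipped because ARP
    only exists for IPv4 (IPv6 uses Neighbor Discovery instead).
    """
    nets = []
    for cidr in list(fixed_ips) + list(allowed_address_pairs):
        net = ipaddress.ip_network(cidr, strict=False)
        if net.version == 4:
            nets.append(net)
    return nets


def ebtables_rules(device: str, port_id: str, fixed_ips: Iterable[str],
                   allowed_address_pairs: Iterable[str]) -> List[str]:
    """ebtables commands that install the port-specific ARP chain.

    Mirrors the commit message: a chain with policy DROP, all ARP frames
    arriving from the port's device jumped into it, and one ACCEPT rule
    per allowed source CIDR. Table name 'nat' is an assumption.
    """
    chain = arp_chain_name(port_id)
    rules = [
        f"ebtables -t nat -N {chain}",
        f"ebtables -t nat -P {chain} DROP",
        f"ebtables -t nat -A PREROUTING -i {device} -p ARP -j {chain}",
    ]
    for net in allowed_arp_sources(fixed_ips, allowed_address_pairs):
        rules.append(f"ebtables -t nat -A {chain} -p ARP "
                     f"--arp-ip-src {net.with_prefixlen} -j ACCEPT")
    return rules


def arp_verdict(arp_src_ip: str, fixed_ips: Iterable[str],
                allowed_address_pairs: Iterable[str]) -> str:
    """Simulate the chain: first matching ACCEPT wins, else the DROP policy."""
    src = ipaddress.ip_address(arp_src_ip)
    if src.version != 4:
        return "DROP"
    for net in allowed_arp_sources(fixed_ips, allowed_address_pairs):
        if src in net:
            return "ACCEPT"
    return "DROP"


if __name__ == "__main__":
    # Constructed sample port: fixed IP 10.0.0.3 (as in the bug report),
    # one IPv6 fixed IP and one allowed-address-pair range.
    sample_fixed = ["10.0.0.3", "fd00::3"]
    sample_pairs = ["10.0.0.8/30"]
    for line in ebtables_rules("tap1234abcd-ef", "1234abcd-ef00", sample_fixed, sample_pairs):
        print(line)
    # An ARP frame claiming the gateway's address 10.0.0.1 from this port
    # hits no ACCEPT rule and is dropped by the chain policy.
    print(arp_verdict("10.0.0.1", sample_fixed, sample_pairs))
```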
commit 18bc67d56faef30a0f73429a5ee580e052858cb5
Author: armando-migliaccio <armamig at gmail.com>
Date: Thu Jul 2 12:56:24 2015 -0700
COMMON_PREFIXES cleanup - patch 5/5
Get rid of COMMON_PREFIXES, as now the prefix is a service's declarative property.
Change-Id: I3d306131df94188f75e69edb13d262721d10bee5
Depends-on: I0450d0b2bf409d470a3a87bfd96518939759a84e
Depends-on: Ia34695967cbbec0a1cf0884dad82e096de8539b8
Depends-on: Ib9517b772fe426eaf0809c439aa3ba0448c7abaa
commit f9e9de9f810f2752d295a379459b9a93aa01ee4d
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Tue Jun 30 20:22:46 2015 +0000
Refactor init_l3 to separate router port use case
Future work will extend init_l3 with more code specific to router
ports. It makes sense to separate these out into one basic method
with basic L3 and another for router port specific logic.
Change-Id: Iec9a46cd0490c4f48bb306083711ff0c5e70ba87
Partially-Implements: blueprint address-scopes
commit b510dd5c2e4eb6c33be1e047e00991ce51d6aec0
Author: Henry Gessau <gessau at cisco.com>
Date: Mon Jun 1 13:52:18 2015 -0400
Devref for out-of-tree plugin/driver contribution
Change-Id: I6198acce97409e0e87520a31f2749b62d607e9c1
commit d269657089e93e304a33dcbc35b7c4abc6e9900d
Author: Cyril Roelandt <cyril at redhat.com>
Date: Fri Jul 3 15:58:03 2015 +0000
Python3: do not add dict_values objects
In Python 3, dict.values returns a dict_values object instead of a list.
Change-Id: I83bc7718ac9bbb64187fefae57ce835fbe225829
Blueprint: neutron-python3
commit efa1f16706c9d44c654be411e9bf0c1c8f670801
Author: YAMAMOTO Takashi <yamamoto at midokura.com>
Date: Thu Jul 2 17:33:24 2015 +0900
portsecurity_db_common: Access db columns in a consistent way
While db columns and api attribute happen to have same name here,
it's still better to distinguish them.
Change-Id: I6d6e649925a41d89fd74ca5e64290737c9baed9a
commit a76090161fba69329389d4b8e3389f4797293ba9
Author: Cyril Roelandt <cyril at redhat.com>
Date: Wed Jul 1 22:29:12 2015 +0000
Python 3: do not index dict_keys objects
This cannot be done in Python 3, where dict.keys() returns an iterator. We need
to cast the result of dict.keys() to a list first.
Change-Id: I28986aefb720b4513e3eee9ba0909f79d1dc9695
Blueprint: neutron-python3
commit 26f50761efaa5bc362e35a41f0adc458e0224296
Author: Kevin Benton <blak111 at gmail.com>
Date: Fri Jun 26 10:00:42 2015 -0700
Update DVR agent to use get_vifs_by_id
The new get_vifs_by_id function retrieves all of the VIFs
for a port iteration at once to eliminate unnecessary multiple
calls to OVSDB.
Change-Id: If18557faead836121bfa3b4e6efccd0318ce72d3
Related-Bug: #1460233
commit 59ae35ba8fa6f4b79a1370c32faaa1ae4fce3f37
Author: armando-migliaccio <armamig at gmail.com>
Date: Thu Jul 2 12:06:05 2015 -0700
COMMON_PREFIXES cleanup - patch 1/5
This dictionary does not belong to the plugins directory as it captures
API business, but practically speaking it does not even deserve to exist
and can be removed altogether.
This is patch one in a series that aims at addressing this monkey business.
Change-Id: I95cd71dfc35e266f6f3cc5715ab8a0deb10058e7
commit 9aaa2befdece5036fb8a6c3bdee6290d3658745d
Author: armando-migliaccio <armamig at gmail.com>
Date: Wed Jul 1 19:46:16 2015 -0700
Fall back on empty path if prefix is missing
A missing entry causes a KeyError that leads the server to blow up during
startup. We can fall back on an empty path (like some services do), in case
the prefix is not specified.
Furthermore, we can be declarative with this property, the same way we are
with properties like aliases, bulk support, etc.
Change-Id: I58a9b90a39d434f4808264aeb6f9ee5aceff7fbd
commit 7a73c2d0f87bb269d0cced1847edce4d1e76179e
Author: Carl Baldwin <carl.baldwin at hp.com>
Date: Tue Jun 30 20:23:39 2015 +0000
Refactor IpRuleCommand to take more arguments
The iproute2 rule command takes more arguments than the ones supported
by this wrapper. Particularly, for address scopes, we're interested
in iif and fwmark. Instead of adding these piecemeal, this change
makes the wrapper flexible to pass any of them using kwargs.
Callers of add / delete are updated to pass keyword arguments for
table and priority since they are no longer required positional
arguments. This looks better anyway.
Change-Id: Ia93b086b787c34bd560961cb84e4a003cf359e7e
Partially-Implements: blueprint address-scopes
commit d06990b8a548a63df5e50e9e75b59a5bbe0ba5b0
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Thu Jul 2 18:42:07 2015 +0300
Start documenting potential API breakages in devref:neutron_api
Change-Id: I2ceb9e347ea0687e93b766d58601cd86561d1e2b
commit 23b5806932cf0c890a8ba665148abeb5dce53755
Author: Ihar Hrachyshka <ihrachys at redhat.com>
Date: Thu Jul 2 18:32:42 2015 +0300
devref: document API status for neutron.openstack.common.*
Make sure we document the fact that neutron.openstack.common.* contents
are not meant to be used by external repositories (except, temporarily,
*aas repos).
If I could bootstrap the oslo-incubator subtree from scratch, I would
put it under neutron._openstack, to indicate that it's for internal
usage only. But we can't do it now, so instead I update devref.
Change-Id: I42252a7b0a07759c57995b2fc1f8d20ecba7d33b
commit 1e5ef92f6af7b1a7c9d9221110a1e0accf2b4405
Author: Cyril Roelandt <cyril at redhat.com>
Date: Wed Jul 1 19:16:43 2015 +0000
Python3: do not use urllib.urlencode
It has been moved in Python3. Use six.moves to have code that works with both
Python 2 and 3.
Change-Id: I5f286b1f784b3b7bb37852b00169a6c1227eb74b
Blueprint: neutron-python3
commit e173a31e3b04daf6385813539a163ccb73e24efd
Author: Oleg Bondarev <obondarev at mirantis.com>
Date: Thu Jul 2 12:18:47 2015 +0300
DVR: remove unused method
Change-Id: I9d13993d899e2947c5f025100c98ee8934cc5c5d
commit 55cb8e4026f025a351896909ba6fa05e3f882003
Author: Kevin Benton <blak111 at gmail.com>
Date: Thu Jul 2 00:16:51 2015 -0700
OVS native DBListcommand if_exists support
Add support for the if_exists flag to the OVS native
db list command.
Closes-Bug: #1470742
Closes-Bug: #1470894
Change-Id: Ife48d99c145cfab7f0f5523f4cdfd33492085355
commit 06d6012e3e379f774e190203f4f6f32c20704daa
Author: Pavel Bondar <pbondar at infoblox.com>
Date: Thu Jun 25 16:32:22 2015 +0300
Collapse create_subnet into single method
Previously create_subnet called different methods for subnet allocation
with subnetpool and without it.
_create_subnet_from_implicit_pool and _create_subnet_from_pool
were collapsed into a single method _create_subnet.
This is an intermediate step for supporting pluggable ipam.
Partially-Implements: blueprint neutron-ipam
Change-Id: Ia6cfc2c15e29f983a623772f5473166c075a20e4
commit 197aa10487d6cf8081099f33aae1ec7efe4f9545
Author: Kevin Benton <blak111 at gmail.com>
Date: Thu Jul 2 01:45:46 2015 -0700
Downgrade log level for gone port on status update
If a port is deleted immediately before a status update arrives
from the L2 agent, the port will be missing from the DB. The current
code was logging this at the warning level, but this occurs during
normal operations so it should only be a debug event.
Change-Id: I22af81e6807bfccb4c906ec0873fcbfca67b72df
commit cbd95318ad6c44e72a3aa163f7a399353c8b4458
Author: vikram.choudhary <vikram.choudhary at huawei.com>
Date: Tue Jun 9 19:55:59 2015 +0530
Support Basic Address Scope CRUD as extensions
This patch adds the support for basic address scope CRUD.
Subsequent patches will be added to use this address scope
on subnet pools.
DocImpact
APIImpact
Co-Authored-By: Ryan Tidwell <rktidwell85 at gmail.com>
Co-Authored-By: Numan Siddique <nusiddiq at redhat.com>
Change-Id: Icabdd22577cfda0e1fbf6042e4b05b8080e54fdb
Partially-implements: blueprint address-scopes
commit 5e11769e498f210b1c84a6addaffecb7db9c5fed
Author: armando-migliaccio <armamig at gmail.com>
Date: Wed Jul 1 18:01:10 2015 -0700
Use EXT_TO_SERVICE_MAPPING instead of ALLOWED_SERVICES
We can derive the services from EXT_TO_SERVICE_MAPPING, therefore
there is no need for duplicating the service labels into ALLOWED_SERVICES.
Change-Id: If92e0ea3dea4480588141a2819ea4036c527c9bc
commit f1771131a85a2fe633126f354364205554ef71d1
Author: Kevin Benton <blak111 at gmail.com>
Date: Wed Jul 1 13:06:38 2015 -0700
Change the half of the bridge name used for ports
The code to generate the names of the patch ports
was based on a chunk of the bridge name starting from
the beginning. With the long suffix, this ended up
excluding all of the random characters in the name.
(e.g. br-int374623235 would create an interface br-in-patch-tun).
This meant that if two tests using patch interfaces ran together,
they would have a name collision and one would fail.
This patch updates the patch port name generation to use the
randomized back portion of the name.
Change-Id: I172e0b2c0b53e8c7151bd92f0915773ea62c0c6a
Closes-Bug: #1470637
commit 49569327c20d8a10ba3d426833ff28d68b1b7a27
Author: armando-migliaccio <armamig at gmail.com>
Date: Wed Jul 1 12:00:14 2015 -0700
Fix log traces induced by retry decorator
Patch 4e77442d5 added a retry decorator to the API layer
to catch DB deadlock errors. However, when they occur, the
retried operation ends up being ineffective because the original
body has been altered, which leads the notification and validation
layers to barf exceptions due to unrecognized/unserializable elements.
This ultimately results in an error reported to the user.
To address this, let's make a deep copy of the request body, before
we pass it down to the lower layers. This allows the decorator to
work on a pristine copy of the body on every attempt. The performance
impact for this should be negligible.
Closes-bug: #1470615
Change-Id: I82a2a002612d28fa8f97b0afbd4f7ba1e8830377
commit abb7124a518823616c22afbd6bb5fe412b395bcd
Author: Assaf Muller <amuller at redhat.com>
Date: Mon Jun 29 14:02:29 2015 -0400
Remove unused linux bridge agent configuration options
This is cruft left from the Linux bridge monolithic plugin,
or from pre-Havana versions of the code.
Change-Id: Id7bb7d7860859283b53f588a940ca21c94fd0e6a
commit fc472397016c6958e7e02808ac3bc43216e21a62
Author: Pavel Bondar <pbondar at infoblox.com>
Date: Wed Jun 24 12:25:22 2015 +0300
Fixing indentation and typo in comments
- Fix strange indentation
- Fix typo in comment
Change-Id: I70893bc751c16265a8c3b3214524ab2553f4f30f
commit cf8c9e40c8720036bd0c06bd8370f88a472e3e6f
Author: Fawad Khaliq <fawad at plumgrid.com>
Date: Tue Jun 30 02:17:19 2015 -0700
Update PLUMgrid plugin information
README was quite outdated and created confusion
among users.
Updated the information after decomposition.
Change-Id: I78bf8dec20ba2ceb644d4565035d29bbf53cb3b5
commit 7344e3ab8e3d4fd8af5b6f85184a0c093d88b6a4
Author: Robert Collins <rbtcollins at hp.com>
Date: Tue Jun 30 09:40:17 2015 +1200
Improve fixture usage.
There were two broad issues with fixtures.
Firstly, the 'SafeFixture' workaround for resource leaks in fixtures
<1.3 is not needed if we depend on fixtures>=1.3.1. While testtools
may raise a TypeError when trying to query a fixture that failed to
setup, this is only ever a cascading failure - it will not cause
tests to fail, cause leaks, or cause tests to incorrectly pass. That
will be fixed in testtools soon to stop it happening (but as it cannot
affect whether a test passes or fails or leaks happen there is no
reason to wait for that). Leaks are seen with fixtures 1.3.0 still
because eventlet raises a BaseException subclass rather than an
Exception subclass, and fixtures 1.3.0 didn't handle that - 1.3.1 does.
Secondly, some of the fixtures had race conditions where things were
started and then cleanups scheduled. Where possible I've fixed those,
but some of them require more significant work to fully address.
Change-Id: I3290712f7274970defda19263f4955e3c78e5ed6
Depends-On: I8c01506894ec0a92b53bc0e4ad14767f2dd6a6b3
Closes-bug: #1453888
commit 3da491cf5fe629559281507f65f12a0e34eaedf7
Author: Assaf Muller <amuller at redhat.com>
Date: Tue Jun 30 13:22:17 2015 -0400
Disable pylint job
Disabling pylint until it gets unbroken. Pylint 1.4.1 is using
logilab-common, which had a release on the 30th, breaking pylint.
Pylint developers are planning a logilab-common release tomorrow
which should unbreak pylint once again, at which point I'll
re-enable pylint.
Change-Id: I5d8aaab8192168946c2a0b74abc1a56848ca51a2
Related-Bug: #1470186
commit 8dd8a7d93564168b98fa2350eedf56acede42b0f
Author: Sean M. Collins <sean at coreitpro.com>
Date: Tue Jun 30 12:06:07 2015 -0400
Remove bridge cleanup call
Remove the bridge cleanup call to delete bridges, since we are seeing
race conditions where bridges are deleted, then new interfaces are
created and are attempting to plug into the bridge before it is
recreated.
Change-Id: I4ccc96566a5770384eacbbdc492bf09a514f5b31
Related-Bug: #1328546
commit 2bbfe6f8253659ebf6951b6426ffc446baacd420
Author: Russell Bryant <rbryant at redhat.com>
Date: Tue May 26 17:07:37 2015 -0400
Move windows requirements to requirements.txt
Commit 276028cca26af573c14938255e40c58358eabd4a added these
requirements to setup.py from a custom build hook. These requirements
can now be expressed in requirements.txt. We need to move them there
so that the global requirements sync job can continue to keep setup.py
in sync with the global version.
Depends-on: I2369971d306c10dc39a1b89698cec95cf7551d07
Change-Id: I3c07c279d33f6aed46c3a97dd9ba81251e51429a
commit 21ff82d9d33313bb88e5970c7b1829a65f195d33
Author: Rossella Sblendido <rsblendido at suse.com>
Date: Fri Dec 5 17:34:23 2014 +0100
Adds base in-tree functional testing of the ovs_neutron_agent
Base setup and utility methods for functional testing of the
OVS L2 agent.
Partially-Implements: blueprint restructure-l2-agent
Co-Authored-By: Rossella Sblendido <rsblendido at suse.com>
Change-Id: I5b3149b2b8502b9b9a36d3e20d909872cc17f8e8
commit 1ac7581c6b7d343d2ee22e6c562871c0465d9735
Author: Livnat Peer <lpeer at redhat.com>
Date: Tue Jun 30 16:25:57 2015 +0300
fix spelling mistakes
Change-Id: If063f111fa42a6644a1dadc7f0c0b9bbfb359294
commit 9b23617111706ef6a89e8ba45457238acaea26e2
Author: Kevin Benton <blak111 at gmail.com>
Date: Mon Jun 29 22:24:22 2015 -0700
Increase ping count on ARP spoof test
The other IPv4 tests all have a count of 2 to tolerate
ping failures due to slow ARP response/interface setup/etc.
This patch increases test_arp_spoof_allowed_address_pairs_0cidr
to 2 to match.
Closes-Bug: #1470234
Change-Id: I82bd8397672194f6162eef5392d4f19d57450552
commit 4dc68ea88bf4f07b13253bf9eeedffe22b1f8013
Author: Kevin Benton <blak111 at gmail.com>
Date: Thu May 28 23:13:19 2015 -0700
Read vif port information in bulk
During startup, the agent was making many calls per port
to read information about the current VLAN, external ID, etc.
This resulted in hundreds of calls just to read information about
a relatively small number of ports.
This patch addresses that by converting a few key functions to
look up information for all of the ports at once.
Performance improvement on dev laptop for 250 ports from agent
start to port ACTIVE status:
before: 1m21s
after: 1m06s
Closes-Bug: #1460233
Change-Id: Ic80c85a07fee3e5651dc19819c6cebdc2048dda7
commit 6e693fc91dd79cfbf181e3b015a1816d985ad02c
Author: Elena Ezhova <eezhova at mirantis.com>
Date: Thu Jun 18 10:42:57 2015 +0300
Switch to oslo.service
oslo.service has graduated, so neutron should consume it.
Closes-Bug: #1466851
Depends-On: Ie0fd63f969f954029c3c3cf31337fbe38f59331a
Depends-On: I2093b37d411df9a26958fa50ff523c258bbe06ec
Depends-On: I4823d344878fc97e66ddd8fdae25c13a34dede40
Change-Id: I0155b3d8b72f6d031bf6f855488f80acebfc25d4
commit b21a88603e369a113c8b73c3aebc05fedf8da9d3
Author: Eugene Nikanorov <enikanorov at mirantis.com>
Date: Mon Jun 29 05:45:24 2015 +0400
Don't access mock's attribute directly especially when it's not needed
Change-Id: I0df2f7110301c096762396fb23e49a081d051f3b
commit 6d35f5fa91faf24694cf22bf9290f4743175b051
Author: Tomoaki Sato <tomoaki.sato at gmail.com>
Date: Mon Jun 29 10:02:20 2015 +0900
Fix subnet updating failure on valid allocation pools
Currently subnet updating with both allocation-pool and
gateway_ip options is failing because of a wrong parameter check.
The check always checks gateway_ip against allocation pools in
the db, even when the allocation_pool parameter is given. The fix
checks that the given gateway_ip parameter doesn't conflict
with the given allocation-pool parameters.
Change-Id: Ia568aa1645b3160ab90a6010efd9a2b9b0d31ac8
Closes-Bug: #1469573
commit 604101ec58d8dd6e6af4aa61c0b2f0d382f89931
Author: Meenakshi Kaushik <meenakshi.kaushik at gmail.com>
Date: Sun May 24 23:30:17 2015 -0700
Add documentation for Linux Bridge (previously missing)
Change-Id: I092b609f43b37ed85d08bc80d1d048b945abe222
Closes-Bug: #1455979
commit e50e1a236983e0a59b9667bc546c92555c3d0e34
Author: Eugene Nikanorov <enikanorov at mirantis.com>
Date: Tue May 5 18:18:28 2015 +0400
Add logging of agent heartbeats
When troubleshooting problems with cluster it would be
very convenient to have information about agent heartbeats
logged with some searchable identifier which could create
1-to-1 mapping between events in agent's logs and server's logs.
Currently agent's heartbeats are not logged at all on server side.
Since on a large cluster that could create too much logging
(even for troubleshooting cases), it might make sense to make
this configurable both on neutron-server side and on agent-side.
DocImpact
Change-Id: I0a127ef274a84bba5de47395d47b62f48bd4be16
Closes-Bug: #1452582
commit 67658607cf69ad2274d8f32680042ca210c7db86
Author: Assaf Muller <amuller at redhat.com>
Date: Fri Jun 26 17:17:14 2015 -0400
Revert "Fix 'router_gateway' port status can't be updated"
This patch breaks multinode fullstack tests and in my opinion
is generally speaking wrong. I've added a comment to explain
in the patch that's being reverted.
This reverts commit with change ID:
If428eadadfd36a9b19ea75920120e48ac49659f2
Change-Id: I73b7825ccc26847ef03d60d6154d544a9145f7e5
commit b9656509c178041f729cbaa6a1ca974f4b3c6f5d
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Thu Jun 18 16:00:56 2015 +0000
RootHelperProcess: kill can consume signal number
The kill() method now accepts a signal parameter.
Change-Id: I2eb756a73565d93c979e62eaab358a3a519aa8dd
commit b9e9cfb08bf0609dcfea46403c510607e858926a
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Wed Jun 17 13:10:13 2015 +0000
Move NetcatTester to common/net_helpers
The NetcatTester is a testing tool that can be used also in fullstack
tests so I think it should go there to avoid imports in fullstack tests
from functional.
Tests for the original helpers module were removed.
Change-Id: I7229eba1dbc2ca3d524a1a021256b6202f4aecee
commit b622e6538ae5a606c1bc9830a2afe816a92a2ca5
Author: Jakub Libosvar <libosvar at redhat.com>
Date: Tue Jun 16 15:29:17 2015 +0000
ip_lib: Add flush() command to IpNeigh to clean arp cache
Change-Id: I938974e3d67373cd18d8a9c6538f1f8b2d09e965
commit e2a99fa3c456a57e6e74e53ab04ad4899d1a9cf2
Author: Darragh O'Reilly <darragh.oreilly at hp.com>
Date: Tue Dec 2 18:28:38 2014 +0000
lb-agent: handle security group updates in main loop
Patch I1574544734865506ff5383404516cc9349c16ec4 introduced deferring
firewall refreshes to the main loop of the ovs-agent to improve
performance. This patch enables the same on the linuxbridge agent.
Change-Id: Ia8fe229910d2be718da52cb341be163b86ace571
Closes-Bug: #1368281
commit 481d9a4f356d325e60e4c208c93693d755097bcd
Author: venkata anil <anil.venkata at enovance.com>
Date: Wed Jun 24 07:33:09 2015 +0000
dhcp fails if extra_dhcp_opts for stateless subnet enabled
A VM on a network having IPv4 and IPv6 dhcpv6 stateless subnets
fails to get an IPv4 address when the VM uses a port with extra_dhcp_opts.
neutron creates entries in the dhcp host file for each subnet of a port.
Each of these entries has the same mac address as its first field,
and may have client_id, fqdn, ipv4/ipv6 address for dhcp/dhcpv6 stateful,
or tag as other fields.
For a dhcpv6 stateless subnet with extra_dhcp_opts,
the host file entry will have only the mac address and tag.
If the last entry in the host file for the port with extra_dhcp_opts
is for the dhcpv6 stateless subnet, then dnsmasq tries to use this entry
(as dnsmasq reads the hosts file from EOF) to resolve the
dhcp request even for IPv4, treats it as 'no address found'
and fails to send DHCPOFFER.
So we sort the fixed_ips, so that the ipv6 subnets for the port are added
first in the host file, to avoid this issue.
Change-Id: I3bea58d86a3508e49cbac1d03c6b640836b4a7a2
Closes-bug: #1466144
commit 0eb44ca1f23ee4d031ddf2e03a1ebc6a16428d3f
Author: Gary Kotton <gkotton at vmware.com>
Date: Thu May 28 02:17:52 2015 -0700
NSXv: update ini file to support dhcp_lease_time
Add the variable to enable the admin to set the DHCP lease time.
This was added in commit 7681e4c50afda18fd75fe7207352d1a26ee0755b
DocImpact
Change-Id: Ic37932c09d3b4c88363a7f1f38a687cd6e090c1f
commit aaa070868e8fb891e6ab5f8355bb03ee3e837c9e
Author: Pavel Bondar <pbondar at infoblox.com>
Date: Thu Jun 11 15:04:48 2015 +0300
Use sets to calculate added/original/removed ips
Original algorithm to calculate added/removed ips had O(n^2) complexity.
Using sets achieves O(n) for average case.
After refactoring input is no longer affected,
updated tests to reflect that.
However, dataset is too small to get any significant performance
improvement.
Using sets requires additional preparation and post operations:
- converting 'original_ips' and 'new_ips' to sets from ip_addresses
- building map(dict) for storing reference from ip_address to 'ips'
element
- converting calculated add/original/remove sets back to list of dicts
using map (dict of references).
Partially-Implements: blueprint neutron-ipam
Change-Id: Iecddc406f7b91cfdfb976882504113734e19b565
commit 9efa1fdeed86d249b2d3dde987a1fb98290140f0
Author: Oleg Bondarev <obondarev at mirantis.com>
Date: Thu Jun 11 15:40:33 2015 +0300
l3 agent: do router cleanup for unknown routers
The patch adds cleanup on router delete for routers which
are unknown to agent. This should cover the case when router is
deleted during resync on agent init.
Functional tests were updated and now handle 3 cases for l3 sync:
- no routers were deleted during agent downtime,
- some routers were deleted during agent downtime
- some routers were deleted during agent resync
Closes-Bug: #1464238
Change-Id: Id98111849fa88d6807f757864187b059c491aaac
commit a391178c218f08b0c5e7580b5a4b79513ebffcc2
Author: Salvatore Orlando <salv.orlando at gmail.com>
Date: Wed Jun 17 04:36:02 2015 -0700
Add policy files specific to NSX plugins
This patch simply adds a 'policy' directory with a few json
files into ./etc/neutron/plugins/vmware to provide default
policies specific to the VMware NSX plugin family.
These policy files can be loaded leveraging the policy_dirs
configuration option.
Change-Id: Icce41a6ee63715bc145694f27a2166a7fa884dba
** Tags added: in-feature-pecan
https://bugs.launchpad.net/bugs/1274034
Title:
Neutron firewall anti-spoofing does not prevent ARP poisoning
Status in OpenStack Neutron (virtual network service):
Fix Committed
Status in OpenStack Security Advisories:
Invalid
Status in OpenStack Security Notes:
Fix Released
Bug description:
The neutron firewall driver 'iptables_firewall' does not prevent ARP cache poisoning.
When anti-spoofing rules were handled by Nova, a list of rules was added through the libvirt network filter feature:
- no-mac-spoofing
- no-ip-spoofing
- no-arp-spoofing
- nova-no-nd-reflection
- allow-dhcp-server
Actually, the neutron firewall driver 'iptables_firewall' handles only
MAC and IP anti-spoofing rules.
This is a security vulnerability, especially on shared networks.
Reproduce an ARP cache poisoning and man in the middle:
- Create a private network/subnet 10.0.0.0/24
- Start 2 VMs attached to that private network (VM1: IP 10.0.0.3, VM2: 10.0.0.4)
- Log on VM1 and install ettercap [1]
- Launch command: 'ettercap -T -w dump -M ARP /10.0.0.4/ // output:'
- Log on to VM2 as well (with VNC/spice console) and ping google.fr => ping is ok
- Go back to VM1, and see VM2's ping to google.fr going to VM1 instead of being sent directly to the network gateway, and then being forwarded by VM1 to the gw. The ICMP capture looks something like this [2]
- Go back to VM2 and check the ARP table => the MAC address associated with the GW is the MAC address of VM1
[1] http://ettercap.github.io/ettercap/
[2] http://paste.openstack.org/show/62112/