- In the Linux bridge agent, the ARP spoofing protection set up by setup_arp_spoofing_protection and the security group configuration are statically bound to each other: both hang off the port's port_security_enabled flag. ARP protection is applied whenever port security is on and the port is not a network-owned (trusted) port, and nothing in the security group rules can relax it.
Reference: https://opendev.org/openstack/neutron/commit/fa0040f3bee0b00d7dc7d8502d8ebe1166f5cbdf
neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py
```python
# neutron/plugins/ml2/drivers/linuxbridge/agent/arp_protect.py (excerpt).
# Module-level names the excerpt relies on; the module also defines
# delete_arp_spoofing_protection() and _setup_arp_spoofing_protection(),
# which are not reproduced here.
from neutron_lib.utils import net
from oslo_log import log as logging

LOG = logging.getLogger(__name__)


def setup_arp_spoofing_protection(vif, port_details):
    if not port_details.get('port_security_enabled', True):
        # clear any previous entries related to this port
        delete_arp_spoofing_protection([vif])
        LOG.info("Skipping ARP spoofing rules for port '%s' because "
                 "it has port security disabled", vif)
        return
    if net.is_port_trusted(port_details):
        # clear any previous entries related to this port
        delete_arp_spoofing_protection([vif])
        LOG.debug("Skipping ARP spoofing rules for network owned port "
                  "'%s'.", vif)
        return
    # Upstream calls _setup_arp_spoofing_protection(vif, port_details) here.
    # Commenting it out is the modification discussed below: every port that
    # reaches this point then gets no ARP filtering at all.
    # _setup_arp_spoofing_protection(vif, port_details)
```
So, to keep security groups and still lift this restriction, this logic has to be patched. Note, however, that even with the patch applied only ARP gets through: every other kind of traffic (ICMP, TCP, ...) is still filtered by the security group rules, because those are keyed on port_security_enabled, not on this function. For the common case (a VRRP/keepalived VIP or a shared MAC), the supported route is allowed_address_pairs on the port, which _setup_arp_spoofing_protection adds to the accepted ARP sources without turning anything off.
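To make the coupling concrete, the following is an added example (not neutron's code) that models the decision in setup_arp_spoofing_protection() and what it means for security groups. Assumptions: is_port_trusted() mirrors the neutron_lib check on the "network:" device_owner prefix; the ebtables strings only approximate the shape of the agent's per-port chain and are not its exact rules; the sample ports are constructed.

```python
"""Added example, not neutron code: models the linuxbridge agent's ARP
protection decision, its coupling to security groups, and the
allowed_address_pairs escape hatch. ebtables strings are approximate."""
import ipaddress

NETWORK_OWNER_PREFIX = "network:"   # neutron's DEVICE_OWNER_NETWORK_PREFIX


def is_port_trusted(port):
    """Assumption: mirrors neutron_lib.utils.net.is_port_trusted, i.e. a port
    owned by a network service (router, DHCP, ...) is trusted."""
    return port.get("device_owner", "").startswith(NETWORK_OWNER_PREFIX)


def arp_protection_action(port, patched=False):
    """Same branch order as setup_arp_spoofing_protection(). patched=True
    models the page's change (final _setup_arp_spoofing_protection() call
    commented out): nothing is ever enforced."""
    if not port.get("port_security_enabled", True):
        return "skip:port_security_disabled"
    if is_port_trusted(port):
        return "skip:trusted_port"
    return "skip:patched" if patched else "enforce"


def active_filters(port, patched=False):
    """Datapath filters that end up on the port. Security groups require port
    security (the API refuses security groups on a port with
    port_security_enabled=False), so clearing the flag drops both, while
    patching only the ARP branch leaves security groups in place."""
    filters = set()
    if port.get("port_security_enabled", True):
        filters.add("security_groups")
        if arp_protection_action(port, patched) == "enforce":
            filters.add("arp_protection")
    return filters


def arp_allowed_sources(port):
    """Addresses accepted as ARP sender IP: the port's fixed IPs plus its
    allowed_address_pairs (how a VRRP/keepalived VIP gets through)."""
    srcs = {ipaddress.ip_network(ip["ip_address"])
            for ip in port.get("fixed_ips", [])}
    srcs |= {ipaddress.ip_network(pair["ip_address"])
             for pair in port.get("allowed_address_pairs", [])}
    return srcs


def ebtables_rules(vif, port):
    """Illustrative per-port ebtables chain (approximate shape, not the
    agent's exact rules): accept ARP from allowed sources, drop the rest.
    Empty when the agent would skip protection for this port."""
    if arp_protection_action(port) != "enforce":
        return []
    chain = f"neutronARP-{vif}"
    rules = [f"ebtables -t nat -N {chain}",
             f"ebtables -t nat -A PREROUTING -i {vif} -p ARP -j {chain}"]
    for src in sorted(arp_allowed_sources(port), key=lambda n: (n.version, n)):
        rules.append(f"ebtables -t nat -A {chain} -p ARP "
                     f"--arp-ip-src {src.with_prefixlen} -j ACCEPT")
    rules.append(f"ebtables -t nat -A {chain} -p ARP -j DROP")
    return rules


# Constructed sample ports (not real data).
VRRP_PORT = {"port_security_enabled": True, "device_owner": "compute:nova",
             "fixed_ips": [{"ip_address": "10.0.0.11"}],
             "allowed_address_pairs": [{"ip_address": "10.0.0.100"}]}
NO_PSEC_PORT = {"port_security_enabled": False, "device_owner": "compute:nova",
                "fixed_ips": [{"ip_address": "10.0.0.12"}]}
ROUTER_PORT = {"port_security_enabled": True,
               "device_owner": "network:router_interface",
               "fixed_ips": [{"ip_address": "10.0.0.1"}]}

if __name__ == "__main__":
    for name, port in [("vrrp", VRRP_PORT), ("no_psec", NO_PSEC_PORT),
                       ("router", ROUTER_PORT)]:
        print(name, arp_protection_action(port), sorted(active_filters(port)))
        print(name, "patched:", sorted(active_filters(port, patched=True)))
    for rule in ebtables_rules("tap1234", VRRP_PORT):
        print(rule)
```

The two things to take from the output: turning port security off removes both filters at once, and the patch removes only the ARP filter, which is exactly the behaviour the note describes; the VIP case needs neither, because the allowed address pair shows up as an extra ACCEPT rule.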
- In the OVS-based design (the Dragonflow spec quoted below), MAC/ARP spoofing protection and security groups are two stages of the same OpenFlow pipeline rather than two consumers of one flag:
A new table is added in Dragonflow pipeline for mac spoofing protection.
This table will have MAC-IP validation rules which blocks any traffic that has different MAC-IP src address than the MAC-IP address configured for the VM. This table can also be used for egress security validations (make sure to dispatch traffic to a certain VM only if it has the correct configured MAC and IP)
Reference: https://docs.openstack.org/developer/dragonflow/specs/mac_spoofing.html
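The pipeline the spec describes, as an added example that is not Dragonflow or OVS agent code: a MAC-IP validation table runs before the security-group table, and the same bindings gate delivery to a VM. Table names, the per-port bindings, the security group rules and the sample packets are all constructed for the illustration.

```python
"""Added example, not Dragonflow/OVS code: a minimal model of the pipeline
in the quoted spec (MAC-IP validation table, then security groups, then a
dispatch check). All bindings, rules and packets are constructed."""
from dataclasses import dataclass

ANY = "any"


@dataclass(frozen=True)
class Packet:
    in_port: int
    eth_src: str
    ip_src: str          # for ARP, the sender protocol address
    proto: str           # "arp", "icmp" or "tcp"
    dst_port: int = 0
    eth_dst: str = ""
    ip_dst: str = ""


# Per logical port: the (MAC, IP) pairs configured on it, i.e. fixed IP plus
# allowed address pairs (port 1 also owns a VRRP VIP).
MAC_IP_BINDINGS = {
    1: {("fa:16:3e:00:00:01", "10.0.0.11"), ("fa:16:3e:00:00:01", "10.0.0.100")},
    2: {("fa:16:3e:00:00:02", "10.0.0.12")},
}

# Per logical port: egress security-group rules as (proto, dst_port).
SG_EGRESS_RULES = {
    1: {("tcp", 443)},                 # port 1 may only send HTTPS
    2: {("icmp", ANY), ("tcp", ANY)},
}


def mac_ip_validation(pkt):
    """Spoofing table: source MAC-IP must be one the ingress port owns."""
    return (pkt.eth_src, pkt.ip_src) in MAC_IP_BINDINGS.get(pkt.in_port, set())


def security_group(pkt):
    """Security-group table: IP traffic must match an egress rule. ARP was
    already validated by the previous table and is not filtered here."""
    if pkt.proto == "arp":
        return True
    rules = SG_EGRESS_RULES.get(pkt.in_port, set())
    return (pkt.proto, pkt.dst_port) in rules or (pkt.proto, ANY) in rules


def local_port_for_mac(mac):
    """Which local port, if any, owns the destination MAC."""
    for port, pairs in MAC_IP_BINDINGS.items():
        if any(m == mac for m, _ in pairs):
            return port
    return None


def run_pipeline(pkt):
    """Walk the tables in order and return (verdict, stage)."""
    if not mac_ip_validation(pkt):
        return ("drop", "mac_ip_validation")
    if not security_group(pkt):
        return ("drop", "security_group")
    port = local_port_for_mac(pkt.eth_dst)
    if port is None:
        return ("accept", "forward")             # broadcast / not a local VM
    if (pkt.eth_dst, pkt.ip_dst) not in MAC_IP_BINDINGS[port]:
        return ("drop", "dispatch")              # VM's MAC, but IP not configured on it
    return ("accept", f"dispatch:port{port}")


# Constructed sample packets.
BCAST = "ff:ff:ff:ff:ff:ff"
SPOOFED_ARP = Packet(1, "fa:16:3e:00:00:01", "10.0.0.12", "arp", eth_dst=BCAST)
VIP_ARP = Packet(1, "fa:16:3e:00:00:01", "10.0.0.100", "arp", eth_dst=BCAST)
PING = Packet(1, "fa:16:3e:00:00:01", "10.0.0.11", "icmp",
              eth_dst="fa:16:3e:00:00:02", ip_dst="10.0.0.12")
HTTPS = Packet(1, "fa:16:3e:00:00:01", "10.0.0.11", "tcp", 443,
               eth_dst="fa:16:3e:00:00:02", ip_dst="10.0.0.12")
MISDIRECTED = Packet(2, "fa:16:3e:00:00:02", "10.0.0.12", "icmp",
                     eth_dst="fa:16:3e:00:00:01", ip_dst="10.0.0.99")

if __name__ == "__main__":
    for name, pkt in [("spoofed_arp", SPOOFED_ARP), ("vip_arp", VIP_ARP),
                      ("ping", PING), ("https", HTTPS), ("misdirected", MISDIRECTED)]:
        print(name, run_pipeline(pkt))
```

The contrast with the Linux bridge case is the point: the spoofed ARP dies in the validation table and the ping dies in the security-group table, each under its own policy, while the VIP ARP passes validation because the allowed pair is a binding, not an exception to a global switch.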