云计算

neutron arp_spoofing_protection

2021-07-22  cloudFans
  1. In the Linux bridge implementation, setup_arp_spoofing_protection and the security group configuration are statically bound to each other

Reference: https://opendev.org/openstack/neutron/commit/fa0040f3bee0b00d7dc7d8502d8ebe1166f5cbdf

neutron\plugins\ml2\drivers\linuxbridge\agent\arp_protect.py


# Module-level imports from the same neutron file, added here so the excerpt
# is self-contained; delete_arp_spoofing_protection and
# _setup_arp_spoofing_protection are defined elsewhere in arp_protect.py.
from neutron_lib.utils import net
from oslo_log import log as logging

LOG = logging.getLogger(__name__)


def setup_arp_spoofing_protection(vif, port_details):
    if not port_details.get('port_security_enabled', True):
        # clear any previous entries related to this port
        delete_arp_spoofing_protection([vif])
        LOG.info("Skipping ARP spoofing rules for port '%s' because "
                 "it has port security disabled", vif)
        return
    if net.is_port_trusted(port_details):
        # clear any previous entries related to this port
        delete_arp_spoofing_protection([vif])
        LOG.debug("Skipping ARP spoofing rules for network owned port "
                  "'%s'.", vif)
        return
    # Commented out in this post: skipping this call leaves the port with
    # security groups enabled but without the per-port ARP filter.
    # _setup_arp_spoofing_protection(vif, port_details)


So to keep using security groups while lifting this restriction, this part of the logic has to be changed. Even after changing it, only ARP passes through: other traffic such as ICMP is still subject to the security group rules.

  2. In the OVS (Dragonflow) description, arp_spoofing_protection and the security group are two parts of the same pipeline

A new table is added in Dragonflow pipeline for mac spoofing protection.

This table will have MAC-IP validation rules that block any traffic whose source MAC-IP address differs from the MAC-IP address configured for the VM. This table can also be used for egress security validations (make sure to dispatch traffic to a certain VM only if it has the correct configured MAC and IP).
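The following is an added illustration, not neutron's or Dragonflow's own code, of what both parts of this post describe: the per-port (MAC, IP) allow-list that an ARP/MAC spoofing filter enforces, built with the same two skip conditions as the setup_arp_spoofing_protection() excerpt above (port security disabled, or a trusted network-owned port), and then applied to a few constructed ARP frames. is_port_trusted() is an assumed stand-in for neutron_lib.utils.net.is_port_trusted(), and the sample port dictionary and frames are constructed for the example.

```python
"""Added illustration (not neutron's or Dragonflow's own code): derive the
per-port (MAC, IP) allow-list an ARP/MAC spoofing filter enforces and
evaluate constructed ARP frames against it."""
import ipaddress


def is_port_trusted(port_details):
    # Assumed stand-in for neutron_lib.utils.net.is_port_trusted():
    # ports owned by the network service (DHCP, router interfaces) are
    # treated as trusted and get no ARP filter.
    owner = port_details.get("device_owner") or ""
    return owner.startswith("network:")


def allowed_pairs(port_details):
    """Return a list of (mac, ip_network) pairs the port may source ARP
    from, or None when no filter should be installed. The two None cases
    mirror the two early returns in setup_arp_spoofing_protection()."""
    if not port_details.get("port_security_enabled", True):
        return None
    if is_port_trusted(port_details):
        return None
    port_mac = port_details["mac_address"].lower()
    pairs = [(port_mac, ipaddress.ip_network(f["ip_address"]))
             for f in port_details.get("fixed_ips", [])]
    # allowed_address_pairs widen the set: an extra IP or CIDR,
    # optionally bound to a different MAC than the port's own.
    for pair in port_details.get("allowed_address_pairs", []):
        mac = (pair.get("mac_address") or port_mac).lower()
        pairs.append((mac, ipaddress.ip_network(pair["ip_address"],
                                                strict=False)))
    return pairs


def arp_verdict(port_details, src_mac, src_ip):
    """Return 'ACCEPT' or 'DROP' for an ARP frame leaving the port with the
    given sender hardware address and sender protocol address."""
    pairs = allowed_pairs(port_details)
    if pairs is None:
        return "ACCEPT"  # no per-port chain installed
    addr = ipaddress.ip_address(src_ip)
    for mac, network in pairs:
        # Both the MAC and the IP must match one configured pair; a correct
        # IP claimed from the wrong MAC is still a spoof.
        if mac == src_mac.lower() and addr in network:
            return "ACCEPT"
    return "DROP"


def filter_frames(port_details, frames):
    """Apply arp_verdict() to (src_mac, src_ip) tuples and return the
    verdict alongside each frame."""
    return [(mac, ip, arp_verdict(port_details, mac, ip))
            for mac, ip in frames]


# Constructed sample port, shaped like the port_details dict the agent
# receives: one fixed IP plus two allowed address pairs.
SAMPLE_PORT = {
    "mac_address": "FA:16:3E:AA:BB:CC",
    "device_owner": "compute:nova",
    "port_security_enabled": True,
    "fixed_ips": [{"ip_address": "10.0.0.5"}],
    "allowed_address_pairs": [
        {"ip_address": "10.0.1.0/24"},
        {"ip_address": "192.168.0.10", "mac_address": "fa:16:3e:11:22:33"},
    ],
}

# Constructed ARP sender addresses seen on the port.
CONSTRUCTED_FRAMES = [
    ("fa:16:3e:aa:bb:cc", "10.0.0.5"),      # the VM's own address
    ("fa:16:3e:aa:bb:cc", "10.0.0.6"),      # claims a neighbour's IP
    ("fa:16:3e:aa:bb:cc", "10.0.1.77"),     # inside the CIDR address pair
    ("fa:16:3e:aa:bb:cc", "192.168.0.10"),  # right IP, wrong MAC
    ("fa:16:3e:11:22:33", "192.168.0.10"),  # the MAC-bound address pair
]

if __name__ == "__main__":
    for mac, ip, verdict in filter_frames(SAMPLE_PORT, CONSTRUCTED_FRAMES):
        print(f"{verdict:6} {mac} {ip}")
```

Flipping port_security_enabled to False or setting device_owner to a network:* value makes allowed_pairs() return None and every frame is accepted, which is exactly the behaviour the Linux bridge excerpt produces: the ARP filter is either fully installed or fully absent for a port, with no separate knob from the security group.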


Reference: https://docs.openstack.org/developer/dragonflow/specs/mac_spoofing.html
