Remove deprecated prevent_arp_spoofing option

This was deprecated over a year ago in [1] so let's
get rid of it to clean up some code.

1. Ib63ba8ae7050465a0786ea3d50c65f413f4ebe38

Change-Id: I6039fb7e743c5d9a1a313e3c174ada36c9874c70

neutron/cmd/sanity_check.py

@@ -345,6 +345,8 @@ def enable_tests_from_config():
     """
 
     cfg.CONF.set_default('vf_management', True)
+    cfg.CONF.set_default('arp_header_match', True)
+    cfg.CONF.set_default('icmpv6_header_match', True)
     if 'vxlan' in cfg.CONF.AGENT.tunnel_types:
         cfg.CONF.set_default('ovs_vxlan', True)
     if 'geneve' in cfg.CONF.AGENT.tunnel_types:
@@ -361,9 +363,6 @@ def enable_tests_from_config():
         cfg.CONF.set_default('nova_notify', True)
     if cfg.CONF.AGENT.arp_responder:
         cfg.CONF.set_default('arp_responder', True)
-    if cfg.CONF.AGENT.prevent_arp_spoofing:
-        cfg.CONF.set_default('arp_header_match', True)
-        cfg.CONF.set_default('icmpv6_header_match', True)
     if not cfg.CONF.AGENT.use_helper_for_ns_read:
         cfg.CONF.set_default('read_netns', True)
     if cfg.CONF.OVS.ovsdb_interface == 'native':

neutron/conf/plugins/ml2/drivers/agent.py

@@ -26,25 +26,6 @@ agent_opts = [
                help=_("Set new timeout in seconds for new rpc calls after "
                       "agent receives SIGTERM. If value is set to 0, rpc "
                       "timeout won't be changed")),
-    # TODO(kevinbenton): The following opt is duplicated between the OVS agent
-    # and the Linuxbridge agent to make it easy to back-port. These shared opts
-    # should be moved into a common agent config options location as part of
-    # the deduplication work.
-    cfg.BoolOpt('prevent_arp_spoofing', default=True,
-                deprecated_for_removal=True,
-                help=_("Enable suppression of ARP responses that don't match "
-                       "an IP address that belongs to the port from which "
-                       "they originate. Note: This prevents the VMs attached "
-                       "to this agent from spoofing, it doesn't protect them "
-                       "from other devices which have the capability to spoof "
-                       "(e.g. bare metal or VMs attached to agents without "
-                       "this flag set to True). Spoofing rules will not be "
-                       "added to any ports that have port security disabled. "
-                       "For LinuxBridge, this requires ebtables. For OVS, it "
-                       "requires a version that supports matching ARP "
-                       "headers. This option will be removed in Ocata so "
-                       "the only way to disable protection will be via the "
-                       "port security extension."))
 ]
 
 

neutron/conf/plugins/ml2/drivers/ovs_conf.py

@@ -124,21 +124,6 @@ agent_opts = [
                        "Allows the switch (when supporting an overlay) "
                        "to respond to an ARP request locally without "
                        "performing a costly ARP broadcast into the overlay.")),
-    cfg.BoolOpt('prevent_arp_spoofing', default=True,
-                deprecated_for_removal=True,
-                help=_("Enable suppression of ARP responses that don't match "
-                       "an IP address that belongs to the port from which "
-                       "they originate. Note: This prevents the VMs attached "
-                       "to this agent from spoofing, it doesn't protect them "
-                       "from other devices which have the capability to spoof "
-                       "(e.g. bare metal or VMs attached to agents without "
-                       "this flag set to True). Spoofing rules will not be "
-                       "added to any ports that have port security disabled. "
-                       "For LinuxBridge, this requires ebtables. For OVS, it "
-                       "requires a version that supports matching ARP "
-                       "headers. This option will be removed in Ocata so "
-                       "the only way to disable protection will be via the "
-                       "port security extension.")),
     cfg.BoolOpt('dont_fragment', default=True,
                 help=_("Set or un-set the don't fragment (DF) bit on "
                        "outgoing IP packet carrying GRE/VXLAN tunnel.")),

neutron/plugins/ml2/drivers/agent/_common_agent.py

@@ -78,8 +78,6 @@ class CommonAgentLoop(service.Service):
             sys.exit(1)
 
     def start(self):
-        self.prevent_arp_spoofing = cfg.CONF.AGENT.prevent_arp_spoofing
-
         # stores all configured ports on agent
         self.network_ports = collections.defaultdict(list)
         # flag to do a sync after revival
@@ -238,9 +236,8 @@ class CommonAgentLoop(service.Service):
             if 'port_id' in device_details:
                 LOG.info(_LI("Port %(device)s updated. Details: %(details)s"),
                          {'device': device, 'details': device_details})
-                if self.prevent_arp_spoofing:
+                self.mgr.setup_arp_spoofing_protection(device,
-                    self.mgr.setup_arp_spoofing_protection(device,
+                                                       device_details)
-                                                           device_details)
 
                 segment = amb.NetworkSegment(
                     device_details.get('network_type'),
@@ -358,8 +355,7 @@ class CommonAgentLoop(service.Service):
             registry.notify(local_resources.PORT_DEVICE, events.AFTER_DELETE,
                             self, context=self.context, device=device,
                             port_id=port_id)
-        if self.prevent_arp_spoofing:
+        self.mgr.delete_arp_spoofing_protection(devices)
-            self.mgr.delete_arp_spoofing_protection(devices)
         return resync
 
     @staticmethod
@@ -390,8 +386,7 @@ class CommonAgentLoop(service.Service):
                         'timestamps': {}}
             # clear any orphaned ARP spoofing rules (e.g. interface was
             # manually deleted)
-            if self.prevent_arp_spoofing:
+            self.mgr.delete_unreferenced_arp_protection(current_devices)
-                self.mgr.delete_unreferenced_arp_protection(current_devices)
 
         # check to see if any devices were locally modified based on their
         # timestamps changing since the previous iteration. If a timestamp

neutron/plugins/ml2/drivers/openvswitch/agent/ovs_neutron_agent.py

@@ -244,7 +244,6 @@ class OVSNeutronAgent(sg_rpc.SecurityGroupAgentRpcCallbackMixin,
         hybrid_plug = getattr(self.sg_agent.firewall,
                               'OVS_HYBRID_PLUG_REQUIRED', False)
         self.prevent_arp_spoofing = (
-            agent_conf.prevent_arp_spoofing and
             not self.sg_agent.firewall.provides_arp_spoofing_protection)
 
         #TODO(mangelajo): optimize resource_versions to only report

neutron/tests/functional/agent/l2/base.py

@@ -106,7 +106,6 @@ class OVSAgentTestFramework(base.BaseOVSLinuxTestCase):
         bridge_mappings = ['physnet:%s' % self.br_phys]
         self.config.set_override('tunnel_types', tunnel_types, "AGENT")
         self.config.set_override('polling_interval', 1, "AGENT")
-        self.config.set_override('prevent_arp_spoofing', False, "AGENT")
         self.config.set_override('local_ip', local_ip, "OVS")
         self.config.set_override('bridge_mappings', bridge_mappings, "OVS")
         # Physical bridges should be created prior to running

neutron/tests/unit/plugins/ml2/drivers/agent/test__common_agent.py

@@ -50,7 +50,6 @@ class TestCommonAgentLoop(base.BaseTestCase):
         super(TestCommonAgentLoop, self).setUp()
         # disable setting up periodic state reporting
         cfg.CONF.set_override('report_interval', 0, 'AGENT')
-        cfg.CONF.set_override('prevent_arp_spoofing', False, 'AGENT')
         cfg.CONF.set_default('firewall_driver',
                              'neutron.agent.firewall.NoopFirewallDriver',
                              group='SECURITYGROUP')
@@ -180,9 +179,8 @@ class TestCommonAgentLoop(base.BaseTestCase):
             self.assertTrue(ext_mgr_delete_port.called)
             self.assertNotIn(PORT_DATA, agent.network_ports[NETWORK_ID])
 
-    def test_treat_devices_removed_with_prevent_arp_spoofing_true(self):
+    def test_treat_devices_removed_delete_arp_spoofing(self):
         agent = self.agent
-        agent.prevent_arp_spoofing = True
         agent._ensure_port_admin_state = mock.Mock()
         devices = [DEVICE_1]
         with mock.patch.object(agent.plugin_rpc,
@@ -379,8 +377,7 @@ class TestCommonAgentLoop(base.BaseTestCase):
         self._test_scan_devices(previous, updated, fake_current, expected,
                                 sync=True)
 
-    def test_scan_devices_with_prevent_arp_spoofing_true(self):
+    def test_scan_devices_with_delete_arp_protection(self):
-        self.agent.prevent_arp_spoofing = True
         previous = None
         fake_current = set([1, 2])
         updated = set()
@@ -474,9 +471,8 @@ class TestCommonAgentLoop(base.BaseTestCase):
                 mock_details['network_id']]
                           )
 
-    def test_treat_devices_added_updated_prevent_arp_spoofing_true(self):
+    def test_treat_devices_added_updated_setup_arp_protection(self):
         agent = self.agent
-        agent.prevent_arp_spoofing = True
         mock_details = {'device': 'dev123',
                         'port_id': 'port123',
                         'network_id': 'net123',

neutron/tests/unit/plugins/ml2/drivers/openvswitch/agent/test_ovs_neutron_agent.py

@@ -114,7 +114,6 @@ class TestOvsNeutronAgent(object):
                              'neutron.agent.firewall.NoopFirewallDriver',
                              group='SECURITYGROUP')
         cfg.CONF.set_default('quitting_rpc_timeout', 10, 'AGENT')
-        cfg.CONF.set_default('prevent_arp_spoofing', False, 'AGENT')
         cfg.CONF.set_default('local_ip', '127.0.0.1', 'OVS')
         mock.patch(
             'neutron.agent.ovsdb.native.helpers.enable_connection_uri').start()
@@ -718,9 +717,11 @@ class TestOvsNeutronAgent(object):
         port_details = [
             {'network_id': 'net1', 'vif_port': vif_port1,
              'device': devices_up[0],
+             'device_owner': 'network:dhcp',
              'admin_state_up': True},
             {'network_id': 'net1', 'vif_port': vif_port2,
              'device': devices_down[0],
+             'device_owner': 'network:dhcp',
              'admin_state_up': False}]
         with mock.patch.object(
             self.agent.plugin_rpc, 'update_device_list',

releasenotes/notes/removed_prevent_arp_spoofing-b49e91a92a93e3e1.yaml

@@ -0,0 +1,6 @@
+---
+upgrade:
+  - |
+    The deprecated ``prevent_arp_spoofing`` option has been removed and the
+    default behavior is to always prevent ARP spoofing unless port security
+    is disabled on the port (or network).