Comment 2 for bug 1489111

Kevin Benton (kevinbenton) wrote : Re: IP, MAC, and DHCP spoofing rules can be bypassed by changing device_owner

The core issue here is that the L2 agent trusts any devices whose owner field starts with 'network:'. This is necessary because the DHCP port and the router ports can't have DHCP spoofing and IP spoofing rules (respectively).

Here is the logic that skips 'network:' owned ports for security groups.

https://github.com/openstack/neutron/blob/d66f0e27919a29682d7c65e4f9ce1f9c7b278542/neutron/api/rpc/handlers/securitygroups_rpc.py#L83
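The trust decision described in the comment, modelled as an added example that is not Neutron's code and not part of this bug thread. Everything below is a simplification: the names `Port`, `Context`, `is_trusted_port`, `security_filters_for`, `authorize_device_owner` and `create_port` are hypothetical, the `is_advsvc` role flag is an assumption, and the hardened check at the end is one possible mitigation, not the fix the project shipped. It shows how a tenant-settable `device_owner` beginning with `network:` turns off the anti-spoofing filters, and how gating that prefix on a privileged context closes the hole.

```python
"""Model of the 'network:' device_owner trust decision (added illustration,
not Neutron code; all names here are hypothetical)."""

from dataclasses import dataclass, field

# Prefix the comment says the L2 agent trusts. Ports with this owner get no
# IP/MAC/DHCP anti-spoofing rules because DHCP and router ports need to send
# traffic those rules would drop.
TRUSTED_OWNER_PREFIX = "network:"


@dataclass
class Port:
    id: str
    tenant_id: str
    device_owner: str
    fixed_ips: list = field(default_factory=list)
    mac_address: str = ""


@dataclass
class Context:
    """Caller identity. is_advsvc (advanced-service role) is an assumption."""
    tenant_id: str
    is_admin: bool = False
    is_advsvc: bool = False


def is_trusted_port(port: Port) -> bool:
    """Mirror the skip: any owner starting with 'network:' is trusted."""
    return port.device_owner.startswith(TRUSTED_OWNER_PREFIX)


def security_filters_for(port: Port) -> dict:
    """Which anti-spoofing filters the agent would programme for a port.

    Trusted (network-owned) ports get none; every other port gets the
    IP/MAC/DHCP anti-spoofing set pinned to its own addresses.
    """
    if is_trusted_port(port):
        return {"ip_spoof": False, "mac_spoof": False, "dhcp_spoof": False}
    return {
        "ip_spoof": True,
        "mac_spoof": True,
        "dhcp_spoof": True,
        "allowed_ips": list(port.fixed_ips),
        "allowed_mac": port.mac_address,
    }


def authorize_device_owner(ctx: Context, device_owner: str) -> bool:
    """Hardened check (illustrative mitigation, not the project's patch).

    A plain tenant may not claim a 'network:' owner; only an admin or the
    advanced-service role may. Any other owner value is left to the tenant.
    """
    if device_owner.startswith(TRUSTED_OWNER_PREFIX):
        return ctx.is_admin or ctx.is_advsvc
    return True


def create_port(ctx: Context, port: Port) -> Port:
    """Port creation with the device_owner gate applied before the agent
    ever sees the port."""
    if not authorize_device_owner(ctx, port.device_owner):
        raise PermissionError(
            f"tenant {ctx.tenant_id} may not set device_owner={port.device_owner!r}"
        )
    return port


if __name__ == "__main__":
    tenant = Context(tenant_id="t1")
    # Constructed sample ports: a normal VM port and the same port with a
    # tenant-chosen 'network:' owner.
    vm = Port("p1", "t1", "compute:nova", ["10.0.0.5"], "fa:16:3e:00:00:01")
    spoofed = Port("p2", "t1", "network:anything", ["10.0.0.5"], "fa:16:3e:00:00:01")
    print("vm filters:     ", security_filters_for(vm))
    print("spoofed filters:", security_filters_for(spoofed))  # all False: bypass
    try:
        create_port(tenant, spoofed)
    except PermissionError as e:
        print("hardened gate:  ", e)
```

The value of the model is the contrast between `security_filters_for(spoofed)` and `create_port(tenant, spoofed)`: the agent-side skip is necessary for real DHCP and router ports, so the enforcement point has to be on who is allowed to write the owner field, not on the agent.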