Openstack
neutron port security rule
zzerog
2021. 8. 27. 16:14
When port security is enabled on a port, it is set up as rules in OVS.
*Reference: https://docs.openstack.org/neutron/latest/contributor/internals/openvswitch_firewall.html
Following rules implement ARP spoofing protection
[port security enable rule]
(overcloudrc) $ openstack port set --enable-port-security c118606c-499e-4149-82c1-deb4cde0338e
[compute node]# ovs-ofctl dump-flows br-int -OOpenflow13 | grep arp_spa
cookie=0x6bb0881e9c62ee1, duration=17101.788s, table=24, n_packets=50, n_bytes=2100, priority=2,arp,in_port=8,arp_spa=100.100.105.13 actions=goto_table:25
[port security disable rule]
(overcloudrc) $ openstack port set --no-security-group --disable-port-security c118606c-499e-4149-82c1-deb4cde0338e
[compute node]# ovs-ofctl dump-flows br-int -OOpenflow13 | grep arp_spa
None
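The check above can be scripted so that a port with no ARP spoofing rule is reported instead of spotted by eye in grep output. This is an added example, not part of the original post: the function names and the SAMPLE_FLOWS text are constructed for illustration, and it assumes flows are printed with numeric in_port values as in the dump above.

```shell
#!/bin/sh
# Constructed sample in the format of `ovs-ofctl dump-flows br-int -OOpenflow13`.
# Ports 8 and 10 have a table-24 arp_spa rule (port security enabled);
# port 9 has flows but no arp_spa rule (port security disabled).
SAMPLE_FLOWS=' cookie=0x1, duration=100.0s, table=24, n_packets=50, n_bytes=2100, priority=2,arp,in_port=8,arp_spa=100.100.105.13 actions=goto_table:25
 cookie=0x1, duration=100.0s, table=24, n_packets=7, n_bytes=294, priority=2,arp,in_port=10,arp_spa=100.100.105.20 actions=goto_table:25
 cookie=0x1, duration=100.0s, table=0, n_packets=90, n_bytes=8000, priority=1,in_port=9 actions=NORMAL
 cookie=0x1, duration=100.0s, table=24, n_packets=0, n_bytes=0, priority=0 actions=drop'

# Read a flow dump on stdin and print "in_port arp_spa" for every
# table-24 rule that pins an ARP source address to a port.
arp_guard_rules() {
  awk '
    /table=24,/ && /arp_spa=/ {
      port = ""; spa = ""
      n = split($0, f, /[ ,]+/)
      for (i = 1; i <= n; i++) {
        if (f[i] ~ /^in_port=/) port = substr(f[i], 9)
        if (f[i] ~ /^arp_spa=/) spa  = substr(f[i], 9)
      }
      if (port != "" && spa != "") print port, spa
    }'
}

# Exit 0 if OpenFlow port $1 has at least one arp_spa rule, 1 otherwise.
port_has_arp_guard() {
  arp_guard_rules | awk -v p="$1" '$1 == p { found = 1 } END { exit !found }'
}

# Demo on the constructed sample. On a compute node, pipe in real output:
#   ovs-ofctl dump-flows br-int -OOpenflow13 | port_has_arp_guard 8
for p in 8 9 10; do
  if printf '%s\n' "$SAMPLE_FLOWS" | port_has_arp_guard "$p"; then
    echo "in_port=$p: ARP spoofing rule present"
  else
    echo "in_port=$p: no arp_spa rule (port security disabled?)"
  fi
done
```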