Refine the default flow in ARPSpoofGuardTable #5378
The current default flow in ARPSpoofGuardTable forwards packets to ARPResponderTable, which is ineffective in preventing ARP spoofing. To rectify this, the proposed solution is to modify the action of the default flow within ARPSpoofGuardTable to drop the packets.

Signed-off-by: Hongliang Liu <lhongliang@vmware.com>
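The effect of the default-flow action described above, as an added example that is not part of the original PR or Antrea's code: a simplified priority-ordered flow table evaluated with the default flow set to forward and then to drop. It assumes a single allow entry matching on ingress port, ARP sender IP and ARP sender MAC; the port number, addresses and priorities are constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
)

// ARP holds the fields this model matches on (constructed sample values only).
type ARP struct {
	InPort   uint32
	SPA, SHA string // ARP sender protocol (IP) and hardware (MAC) address
}

// Flow is a simplified flow entry; a zero-valued Match field is a wildcard.
type Flow struct {
	Priority int
	Match    ARP
	Action   string // "drop" or "goto:ARPResponderTable"
}

func (f Flow) matches(p ARP) bool {
	m := f.Match
	return (m.InPort == 0 || m.InPort == p.InPort) &&
		(m.SPA == "" || m.SPA == p.SPA) && (m.SHA == "" || m.SHA == p.SHA)
}

// Process returns the action of the highest-priority flow that matches p.
// The priority-0 all-wildcard entry plays the role of the default flow.
func Process(table []Flow, p ARP) string {
	sorted := append([]Flow(nil), table...)
	sort.SliceStable(sorted, func(i, j int) bool { return sorted[i].Priority > sorted[j].Priority })
	for _, f := range sorted {
		if f.matches(p) {
			return f.Action
		}
	}
	return "drop" // no matching entry at all: this model treats it as drop
}

// SpoofGuard builds the model table (hypothetical helper) with the given default action.
func SpoofGuard(defaultAction string) []Flow {
	return []Flow{
		{200, ARP{3, "10.10.0.5", "aa:bb:cc:dd:ee:05"}, "goto:ARPResponderTable"},
		{0, ARP{}, defaultAction},
	}
}

func main() {
	spoofed := ARP{3, "10.10.0.1", "aa:bb:cc:dd:ee:05"} // right port and MAC, wrong sender IP
	fmt.Println("before:", Process(SpoofGuard("goto:ARPResponderTable"), spoofed))
	fmt.Println("after: ", Process(SpoofGuard("drop"), spoofed))
}
```

With the forwarding default, the packet whose sender IP does not match the allow entry still reaches the next table; with the drop default, only the packet matching the allow entry does.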
@gran-vmv Could you help verify whether this change will affect AntreaIPAM? |
I think current flows can handle AntreaIPAM ARP request, but you should run e2e to check. |
/test-all |
Question: what kind of traffic is expected to go into ARPResponderTable? If the default behavior in ARPSpoofGuardTable is drop, I didn't find a flow that explicitly resubmits packets to ARPResponderTable, does it mean flows in the responder table are not consumed?
For example:
The packets matched by flows 1-3 will be consumed in ARPResponderTable. |
LGTM
LGTM
/test-conformance |
Why is jenkins-flexible-ipam-e2e not in the CI pipelines? |
/test-flexible-ipam-e2e |
Please check if the failure in jenkins-flexible-ipam-e2e is related |
/test-flexible-ipam-e2e |
/test-flexible-ipam-e2e |
/test-flexible-ipam-e2e |
/test-flexible-ipam-e2e |
/test-flexible-ipam-e2e |
Flexible IPAM e2e also gets the same failure test cases without any code change. These cases are:
|
@tnqn @gran-vmv I think the failure of these two cases is not related to the current patch. Could we merge this first? |
/test-flexible-ipam-e2e |
It seems some recent changes broke these e2e cases. |