From b69373010280be634d19c817dadb223e713d0c51 Mon Sep 17 00:00:00 2001
From: Stephen Finucane
Date: Wed, 8 Feb 2017 12:12:11 +0000
Subject: [PATCH] libvirt: Ignore 'allow_same_net_traffic' for port filters

As described in Idcfdaf3b163ba852c9a2c45d5e0c6c35e643c7f5, the libvirt driver provides port filtering capability. At present, setting the 'allow_same_net_traffic' config option to True allows for same network traffic when using these port filters. This is the default case and is the only case currently tested. While there may be reasons to prevent same net traffic, it is a minority use case that can be achieved in other ways, such as through use of neutron's native port filtering [1] or security groups. Remove this functionality, referring users to the alternatives. This simplifies the relevant code and ensures 'allow_same_net_traffic' is once again a nova-network only option and therefore deprecable.

[1] https://blueprints.launchpad.net/neutron/+spec/ml2-ovs-portsecurity

Change-Id: I67556f1fc0b62b3db64af6fc09c945af313d8ddb
Implements: blueprint centralize-config-options-pike
---
 nova/tests/unit/virt/libvirt/test_vif.py | 3 +--
 nova/virt/libvirt/firewall.py | 21 +++++++--------
 ...low_same_net_traffic-fd88bb2801b81561.yaml | 26 +++++++++++++++++++
 3 files changed, 36 insertions(+), 14 deletions(-)
 create mode 100644 releasenotes/notes/libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml

diff --git a/nova/tests/unit/virt/libvirt/test_vif.py b/nova/tests/unit/virt/libvirt/test_vif.py
index f8a84627b9d1..5412ddaf4a6e 100644
--- a/nova/tests/unit/virt/libvirt/test_vif.py
+++ b/nova/tests/unit/virt/libvirt/test_vif.py
@@ -406,8 +406,7 @@ class LibvirtVifTestCase(test.NoDBTestCase):
     def setUp(self):
         super(LibvirtVifTestCase, self).setUp()
         self.useFixture(fakelibvirt.FakeLibvirtFixture(stub_os_vif=False))
-        self.flags(allow_same_net_traffic=True,
-                   firewall_driver=None)
+        self.flags(firewall_driver=None)
         # os_vif.initialize is typically done in nova-compute startup
         os_vif.initialize()
         self.setup_os_vif_objects()
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index dcc6f4a25b00..3c234a315cbc 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -156,24 +156,21 @@ class NWFilterFirewall(base_firewall.FirewallDriver):
             if dhcp_server:
                 parameters.append(format_parameter('DHCPSERVER', dhcp_server))
 
+            ipv4_cidr = subnet['cidr']
+            net, mask = netutils.get_net_and_mask(ipv4_cidr)
+            parameters.append(format_parameter('PROJNET', net))
+            parameters.append(format_parameter('PROJMASK', mask))
+
         for subnet in v6_subnets:
             gateway = subnet.get('gateway')
             if gateway:
                 ra_server = gateway['address'] + "/128"
                 parameters.append(format_parameter('RASERVER', ra_server))
 
-        if CONF.allow_same_net_traffic:
-            for subnet in v4_subnets:
-                ipv4_cidr = subnet['cidr']
-                net, mask = netutils.get_net_and_mask(ipv4_cidr)
-                parameters.append(format_parameter('PROJNET', net))
-                parameters.append(format_parameter('PROJMASK', mask))
-
-            for subnet in v6_subnets:
-                ipv6_cidr = subnet['cidr']
-                net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr)
-                parameters.append(format_parameter('PROJNET6', net))
-                parameters.append(format_parameter('PROJMASK6', prefix))
+            ipv6_cidr = subnet['cidr']
+            net, prefix = netutils.get_net_and_prefixlen(ipv6_cidr)
+            parameters.append(format_parameter('PROJNET6', net))
+            parameters.append(format_parameter('PROJMASK6', prefix))
 
         return parameters
 
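Review bot: The added PROJNET/PROJMASK and PROJNET6/PROJMASK6 lines in the firewall.py hunk now emit the project-network parameters unconditionally, but nothing in the code records that same-network traffic is therefore always permitted by the nwfilter and that `allow_same_net_traffic` deliberately no longer applies here; a reader who later greps for that option may conclude the libvirt path was never affected. A short comment above the new `ipv4_cidr = subnet['cidr']` line would preserve the decision, e.g. `# Same-network traffic is always permitted by the nwfilter; the allow_same_net_traffic option no longer applies to the libvirt driver.` The enclosing method and the `for subnet in v4_subnets:` loop that the new IPv4 lines must sit inside both start before the hunk, so their placement within that loop should be confirmed against the full file. Operators who set `allow_same_net_traffic = False` with this driver silently lose that restriction; the release note covers it, but the option's own help text, which this patch does not touch, should also say the libvirt driver ignores it.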
diff --git a/releasenotes/notes/libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml b/releasenotes/notes/libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml
new file mode 100644
index 000000000000..7c1e3a15b27b
--- /dev/null
+++ b/releasenotes/notes/libvirt-ignore-allow_same_net_traffic-fd88bb2801b81561.yaml
@@ -0,0 +1,26 @@
+---
+upgrade:
+  - |
+    The libvirt driver provides port filtering capability. This capability is
+    enabled when the following is true:
+
+    - The `nova.virt.libvirt.firewall.IptablesFirewallDriver` firewall driver
+      is enabled
+    - Security groups are disabled
+    - Neutron port filtering is disabled
+    - An IPTables-compatible interface is used, e.g. hybrid mode, where the
+      VIF is a tap device
+
+    When enabled, libvirt applies IPTables rules that provide MAC, IP, and
+    ARP spoofing protection.
+
+    Previously, setting the `allow_same_net_traffic` config option to `True`
+    allowed for same network traffic when using these port filters. This was
+    the default case and was the only case tested. Setting this to `False`
+    disabled same network traffic *when using the libvirt driver port filtering
+    functionality only*, however, this was neither tested nor documented.
+
+    Given that there are other better documented and better tested ways to
+    approach this, such as through use of neutron's native port filtering or
+    security groups, this functionality has been removed. Users should instead
+    rely on one of these alternatives.