Commit 18516f8
committed
controller: Add option to make port security compliant with RFC 9568.
The RFC defines a Virtual Router Redundancy Protocol [0], in order
for that protocol to work the workload might "spoof" MAC address
within ARP or ND request/response. This wasn't allowed as the port
security is specifically designed against spoofing and checks if
the port security MAC address is the same for source of ARP/ND
and the inner source/target address. To make the port security
compliant add a special literal which when specified will allow
user to add any/all MAC addresses defined by VRRPv3. The traffic
from and to those additional MAC addresses will be allowed as
well as permutations of ARP/ND inner MACs combined with the
physical MAC as a source.
[0] https://datatracker.ietf.org/doc/html/rfc9568
Reported-at: https://issues.redhat.com/browse/FDP-2979
Acked-by: Ilya Maximets <i.maximets@ovn.org>
Acked-by: Dumitru Ceara <dceara@redhat.com>
Signed-off-by: Ales Musil <amusil@redhat.com>
(cherry picked from commit d9e2393)1 parent 8b70e8b commit 18516f8
4 files changed
Lines changed: 1521 additions & 324 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
1 | 1 | | |
2 | 2 | | |
| 3 | + | |
| 4 | + | |
| 5 | + | |
3 | 6 | | |
4 | 7 | | |
5 | 8 | | |
| |||
0 commit comments