[
https://issues.apache.org/jira/browse/CLOUDSTACK-3963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13724670#comment-13724670
]
ASF subversion and git services commented on CLOUDSTACK-3963:
-------------------------------------------------------------
Commit 2d87e643710d63c2a6dad90bf4f596e86b4eaf56 in branch refs/heads/4.2 from
[~anthonyxu]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=2d87e64 ]
CLOUDSTACK-3963:
in security group, CS put a rule in ebtables filter table FORWARD chain to
prevent user from changing VM mac address
util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac, '-j',
'DROP'])
if user changes the VM mac address, all egress packet from the VM will be
dropped, but the egress packet still contaminate the bridge cache with fake MAC,
This patch moves the rule to ebtables nat table PREROUTING chain, then the
egress packet with modified MAC will not contaminate the bridge cache.
> security group, if user changes mac, the modified mac contaminate bridge
> cache.
> -------------------------------------------------------------------------------
>
> Key: CLOUDSTACK-3963
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3963
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: Network Controller
> Affects Versions: 4.1.0
> Reporter: Anthony Xu
> Priority: Critical
> Fix For: 4.2.0
>
>
--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
