Wido den Hollander created CLOUDSTACK-8559:
----------------------------------------------
Summary: Source address spoofing prevention in Basic Networking only done for DNS
Key: CLOUDSTACK-8559
URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
Project: CloudStack
Issue Type: Bug
Security Level: Public (Anyone can view this level - this is the default.)
Components: KVM
Reporter: Wido den Hollander
Assignee: Wido den Hollander
Looking at the security group rules being programmed for Instances it seems
that we only drop spoofed traffic when it's for DNS:
    # Excerpt from the KVM security-group script; vmchain_default, vif,
    # vmipsetName and vmchain_egress are set earlier in that script.
    if vm_ip is not None:
        # Traffic from the VM's own IP(s) to DNS is accepted early
        execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged "
                "--physdev-in " + vif + " -m set --set " + vmipsetName + " src "
                "-p udp --dport 53 -j RETURN ")
        # Any other traffic from the VM's own IP(s) is handed to the egress chain
        execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged "
                "--physdev-in " + vif + " -m set --set " + vmipsetName + " src "
                "-j " + vmchain_egress)
I think that we can drop ALL packets which do not match any of the IPs in the
list. I don't see a valid reason why we only do this for DNS/UDP 53.
--
This message was sent by Atlassian JIRA (v6.3.4#6332)
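As an added illustration of the hardening the report proposes (example code, not CloudStack's own security-group script): a small model of the per-VM default chain that renders the two quoted rules plus a final rule dropping any packet whose source is not in the VM's ipset, and a first-match evaluator to check the verdict for sample packets. The chain names vm_default and vm_egress, the ipset name vm_ipset, the vif vnet0 and the IP addresses are constructed; `--match-set` is the newer spelling of the `--set` option used on the page.

```python
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    """One rule of the per-VM default chain; None means 'any'."""
    in_set: bool                 # True: source must be in the VM's ipset, False: must not be
    target: str                  # RETURN, DROP or the name of another chain
    proto: Optional[str] = None  # e.g. "udp"; set together with dport
    dport: Optional[int] = None  # destination port

    def render(self, chain: str, vif: str, ipset: str) -> str:
        """Render as the iptables command a host script would execute."""
        neg = "" if self.in_set else "! "
        l4 = f" -p {self.proto} --dport {self.dport}" if self.proto and self.dport is not None else ""
        return (f"iptables -A {chain} -m physdev --physdev-is-bridged --physdev-in {vif}"
                f" -m set {neg}--match-set {ipset} src{l4} -j {self.target}")

    def matches(self, src_in_set: bool, proto: str, dport: int) -> bool:
        if self.in_set != src_in_set:
            return False
        return self.proto is None or (self.proto, self.dport) == (proto, dport)


def hardened_chain(egress_chain: str) -> List[Rule]:
    """The two rules quoted in the report plus the proposed catch-all DROP."""
    return [
        Rule(True, "RETURN", "udp", 53),   # own IP -> DNS: accept early
        Rule(True, egress_chain),          # own IP -> per-VM egress rules
        Rule(False, "DROP"),               # spoofed source, any proto/port: drop
    ]


def verdict(rules: List[Rule], vm_ips: Set[str], src: str, proto: str, dport: int) -> str:
    """First-match walk of the chain; falling off the end returns to the caller."""
    for rule in rules:
        if rule.matches(src in vm_ips, proto, dport):
            return rule.target
    return "RETURN"


if __name__ == "__main__":
    # Constructed sample: one VM with a single address behind vnet0
    vm_ips, chain = {"10.1.1.10"}, hardened_chain("vm_egress")
    for rule in chain:
        print(rule.render("vm_default", "vnet0", "vm_ipset"))
    print(verdict(chain, vm_ips, "10.1.1.10", "tcp", 80))   # vm_egress
    print(verdict(chain, vm_ips, "10.1.1.99", "tcp", 80))   # DROP
```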