[
https://issues.apache.org/jira/browse/CLOUDSTACK-8559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14585909#comment-14585909
]
ASF subversion and git services commented on CLOUDSTACK-8559:
-------------------------------------------------------------
Commit 3e3c11ffcaf6ab736800dfdc777cb0681f58ddf1 in cloudstack's branch
refs/heads/master from [~widodh]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=3e3c11f ]
CLOUDSTACK-8559: IP Source spoofing should not be allowed
We did not verify if the packets leaving an Instance had the correct
source address.
Any IP packet not matching the Instance IP(s) will be dropped.
> Source address spoofing prevention in Basic Networking only done for DNS
> ------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8559
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public (Anyone can view this level - this is the default.)
> Components: KVM
> Reporter: Wido den Hollander
> Assignee: Wido den Hollander
>
> Looking at the security group rules being programmed for Instances it seems
> that we only drop spoofed traffic when it's for DNS:
> if vm_ip is not None:
>     execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ")
>     execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
> I think that we can drop ALL packets which do not match any of the IPs in the
> list. I don't see a valid reason why we only do this for DNS/UDP 53.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
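The point of the issue above is that only rules which test the source address against the instance's ipset decide anything, and a packet matching none of them simply falls through the chain. The following is an added illustration, not CloudStack's security_group.py: it renders the two quoted rules plus an assumed trailing DROP for sources outside the ipset, and runs constructed packets through a small evaluator. The chain names, ipset name, addresses and the "falls through means not dropped" semantics are assumptions; `--match-set` is the current spelling of the `--set` option used on the page.

```python
"""Model of the per-instance egress anti-spoofing chain from CLOUDSTACK-8559.

Added illustration, not CloudStack code. Rule rendering mirrors the iptables
commands quoted in the issue; the evaluator is a toy simulator and its
chain names, packet fields and fall-through semantics are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed instance configuration (assumed values, not from the page).
VIF = "vnet0"
VMCHAIN_DEFAULT = "i-2-3-def"
VMCHAIN_EGRESS = "i-2-3-eg"
IPSET_NAME = "i-2-3-VM"
INSTANCE_IPS = {"10.1.1.5"}


@dataclass(frozen=True)
class Rule:
    """One iptables rule in the instance's default chain."""
    src_in_set: Optional[bool]  # True: src must be in ipset; False: must not; None: no test
    proto: Optional[str]        # e.g. "udp"; None matches any protocol
    dport: Optional[int]        # destination port; None matches any
    target: str                 # "RETURN", "DROP" or a chain to jump to


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int


def render(rule: Rule) -> str:
    """Render a Rule as the iptables command the page's execute() calls build."""
    parts = ["iptables", "-A", VMCHAIN_DEFAULT,
             "-m", "physdev", "--physdev-is-bridged", "--physdev-in", VIF]
    if rule.src_in_set is not None:
        neg = [] if rule.src_in_set else ["!"]
        parts += ["-m", "set", *neg, "--match-set", IPSET_NAME, "src"]
    if rule.proto is not None:
        parts += ["-p", rule.proto]
    if rule.dport is not None:
        parts += ["--dport", str(rule.dport)]
    parts += ["-j", rule.target]
    return " ".join(parts)


def rules_before() -> List[Rule]:
    """The two rules quoted in the issue: both only fire for a source that is
    in the instance's ipset, so a spoofed source matches neither."""
    return [
        Rule(True, "udp", 53, "RETURN"),
        Rule(True, None, None, VMCHAIN_EGRESS),
    ]


def rules_after() -> List[Rule]:
    """Hardened variant (assumed form of the fix): a trailing rule drops every
    packet whose source is not one of the instance's addresses."""
    return rules_before() + [Rule(False, None, None, "DROP")]


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src_in_set is not None and (pkt.src in INSTANCE_IPS) != rule.src_in_set:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule decides. A packet matching no rule reaches the end
    of the chain; this model reports that as 'FALLTHROUGH' (not dropped)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.target
    return "FALLTHROUGH"


def compare(pkt: Packet) -> Tuple[str, str]:
    """Verdict under the quoted rules and under the hardened rules."""
    return verdict(rules_before(), pkt), verdict(rules_after(), pkt)


if __name__ == "__main__":
    for r in rules_after():
        print(render(r))
    for p in (Packet("10.1.1.5", "udp", 53),    # instance's own DNS query
              Packet("10.1.1.5", "tcp", 80),    # instance's own web traffic
              Packet("10.1.1.99", "tcp", 80)):  # source not owned by the instance
        print(p, "->", compare(p))
```

Running it shows the gap the issue describes: traffic from the instance's own address reaches the egress chain under both rule sets, while a packet carrying a foreign source address matches nothing in the quoted rules and only the trailing negated-ipset DROP catches it.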