[
https://issues.apache.org/jira/browse/CLOUDSTACK-8559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14586488#comment-14586488
]
ASF subversion and git services commented on CLOUDSTACK-8559:
-------------------------------------------------------------
Commit 9ff3fe371e3b5db77fc1eb6e7c60280d674fd949 in cloudstack's branch
refs/heads/4.5 from [~widodh]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=9ff3fe3 ]
CLOUDSTACK-8559: IP Source spoofing should not be allowed
We did not verify if the packets leaving an Instance had the correct
source address.
Any IP packet not matching the Instance IP(s) will be dropped
(cherry picked from commit 3e3c11ffcaf6ab736800dfdc777cb0681f58ddf1)
Signed-off-by: Rohit Yadav <[email protected]>
> Source address spoofing prevention in Basic Networking only done for DNS
> ------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8559
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: KVM
> Reporter: Wido den Hollander
> Assignee: Wido den Hollander
> Fix For: 4.6.0, 4.5.2
>
>
> Looking at the security group rules being programmed for Instances it seems
> that we only drop spoofed traffic when it's for DNS:
> if vm_ip is not None:
>     execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif +
>             " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ")
>     execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif +
>             " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
> I think that we can drop ALL packets which do not match any of the IPs in the
> list. I don't see a valid reason why we only do this for DNS/UDP 53.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
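As an added example (not code from the commit or from CloudStack's security_group.py), the following Python model of the per-Instance chain quoted in the report lets a defender check offline which spoofed packets get past it before and after an explicit source-address drop. The packet fields, the ipset contents, the trailing DNS drop and the ACCEPT fallthrough are constructed assumptions standing in for the reporter's reading of the full chain.

```python
from dataclasses import dataclass

# Constructed sample data: the ipset of addresses assigned to one Instance.
VM_IPSET = frozenset({"10.1.1.10"})


@dataclass(frozen=True)
class Packet:
    src: str
    proto: str
    dport: int


def _in_ipset(pkt):
    """iptables '-m set --set <vmipset> src' match."""
    return pkt.src in VM_IPSET


# Rules are (predicate, target) pairs evaluated in order, like an iptables chain.
# Reporter's reading of the chain: legitimate DNS RETURNs, other legitimate
# traffic goes to the egress chain, remaining DNS (spoofed source) is dropped,
# and everything else falls through untouched.  The DNS drop is an assumption.
REPORTED_CHAIN = [
    (lambda p: _in_ipset(p) and p.proto == "udp" and p.dport == 53, "RETURN"),
    (_in_ipset, "EGRESS"),
    (lambda p: p.proto == "udp" and p.dport == 53, "DROP"),
]

# Behaviour the fix commit describes: any packet whose source is not one of
# the Instance's IPs is dropped before anything else is considered.
FIXED_CHAIN = [(lambda p: not _in_ipset(p), "DROP")] + REPORTED_CHAIN


def evaluate(chain, pkt, fallthrough="ACCEPT"):
    """Return the target of the first matching rule, else the fallthrough.

    The ACCEPT fallthrough is an assumption standing in for whatever followed
    the quoted snippet; it is what makes the reported gap observable."""
    for match, target in chain:
        if match(pkt):
            return target
    return fallthrough


def leaves_host(chain, pkt):
    """True when the chain does not DROP the packet (RETURN/EGRESS/ACCEPT)."""
    return evaluate(chain, pkt) != "DROP"
```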