[
https://issues.apache.org/jira/browse/CLOUDSTACK-8559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14597671#comment-14597671
]
Wido den Hollander commented on CLOUDSTACK-8559:
------------------------------------------------
I already backported this to our production cloud and it works fine there.
> Source address spoofing prevention in Basic Networking only done for DNS
> ------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8559
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the
> default.)
> Components: KVM
> Reporter: Wido den Hollander
> Assignee: Wido den Hollander
> Fix For: 4.6.0, 4.5.2
>
>
> Looking at the security group rules being programmed for Instances it seems
> that we only drop spoofed traffic when it's for DNS:
> if vm_ip is not None:
> execute("iptables -A " + vmchain_default + " -m physdev
> --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName +
> " src -p udp --dport 53 -j RETURN ")
> execute("iptables -A " + vmchain_default + " -m physdev
> --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName +
> " src -j " + vmchain_egress)
> I think that we can drop ALL packets which do not match any of the IPs in the
> list. I don't see a valid reason why we only do this for DNS/UDP 53.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
