cloudstack-issues mailing list archives

From "Wido den Hollander (JIRA)" <j...@apache.org>
Subject [jira] [Created] (CLOUDSTACK-8559) Source address spoofing prevention in Basic Networking only done for DNS
Date Mon, 15 Jun 2015 11:21:00 GMT
Wido den Hollander created CLOUDSTACK-8559:
----------------------------------------------

             Summary: Source address spoofing prevention in Basic Networking only done for DNS
                 Key: CLOUDSTACK-8559
                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
             Project: CloudStack
          Issue Type: Bug
      Security Level: Public (Anyone can view this level - this is the default.)
          Components: KVM
            Reporter: Wido den Hollander
            Assignee: Wido den Hollander


Looking at the security group rules being programmed for Instances it seems that we only drop
spoofed traffic when it's for DNS:


if vm_ip is not None:
  # Egress from this VM's vif whose source address is in the VM's ipset and
  # that is DNS (UDP/53) returns from the default chain here ...
  execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53  -j RETURN ")
  # ... and any other egress whose source address is in the ipset is handed
  # to the per-VM egress chain. Nothing here acts on sources outside the set.
  execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)

I think that we can drop ALL packets which do not match any of the IPs in the list. I don't
see a valid reason why we only do this for DNS/UDP 53.




--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
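Added illustration, not CloudStack code: a small Python model of how the two quoted rules treat egress packets, and what changes once a final rule drops every source address outside the VM's ipset (the form of that rule, `-m set ! --match-set <ipset> src -j DROP`, and the names Packet, build_chain and verdict are assumptions; the tail of the default chain is not on the page, so unmatched packets are reported as falling through rather than guessed at).

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet as seen leaving the VM's vif."""
    src: str
    proto: str
    dport: int


def build_chain(vm_ips, drop_unmatched):
    """Model the default chain as ordered (match, target) pairs.

    vm_ips: contents of the per-VM ipset (vmipsetName in the script).
    drop_unmatched=False reproduces the two rules quoted in the ticket;
    drop_unmatched=True appends the rule the ticket asks for (assumed
    form: '-m set ! --match-set <ipset> src -j DROP').
    """
    def in_set(p):
        return p.src in vm_ips

    chain = [
        # ... -m set --set <ipset> src -p udp --dport 53 -j RETURN
        (lambda p: in_set(p) and p.proto == "udp" and p.dport == 53, "RETURN"),
        # ... -m set --set <ipset> src -j <vmchain_egress>
        (in_set, "EGRESS"),
    ]
    if drop_unmatched:
        chain.append((lambda p: not in_set(p), "DROP"))
    return chain


def verdict(chain, packet):
    """First matching rule decides; otherwise the packet falls through to
    the rest of the default chain, which the ticket does not show."""
    for match, target in chain:
        if match(packet):
            return target
    return "FALLTHROUGH"


if __name__ == "__main__":
    vm_ips = {"10.1.1.5"}                       # constructed: the VM's own IP
    legit = Packet("10.1.1.5", "tcp", 80)
    spoofed = Packet("10.1.1.99", "tcp", 80)    # source not owned by the VM
    for drop in (False, True):
        chain = build_chain(vm_ips, drop)
        print("drop_unmatched=%s: legit=%s spoofed=%s"
              % (drop, verdict(chain, legit), verdict(chain, spoofed)))
```

With the quoted rules alone, a spoofed non-DNS packet is never matched by either rule; only the added final rule gives it a DROP verdict.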
