cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8559) Source address spoofing prevention in Basic Networking only done for DNS
Date Mon, 15 Jun 2015 13:17:01 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14585904#comment-14585904 ]

ASF subversion and git services commented on CLOUDSTACK-8559:
-------------------------------------------------------------

Commit 3e3c11ffcaf6ab736800dfdc777cb0681f58ddf1 in cloudstack's branch refs/heads/CLOUDSTACK-8559
from [~widodh]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=3e3c11f ]

CLOUDSTACK-8559: IP Source spoofing should not be allowed

We did not verify if the packets leaving an Instance had the correct
source address.

Any IP packet not matching the Instance IP(s) will be dropped


> Source address spoofing prevention in Basic Networking only done for DNS
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8559
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: KVM
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>
> Looking at the security group rules being programmed for Instances it seems that we only drop spoofed traffic when it's for DNS:
> if vm_ip is not None:
>   execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53  -j RETURN ")
>   execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
> I think that we can drop ALL packets which do not match any of the IPs in the list. I don't see a valid reason why we only do this for DNS/UDP 53.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
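As an added example that is not part of this issue or of CloudStack's own agent code: the Python below models the two per-VIF rules quoted in the report plus the catch-all drop the fix describes, renders each as the iptables command the agent would run (using the current `--match-set` spelling of the `--set` option in the quote), and evaluates constructed sample packets against both rule sets. The chain names `vmchain_default` and `vmchain_egress`, the VIF `vnet0`, the ipset name and the instance address are assumed placeholders, and a Python set stands in for the kernel ipset.

```python
#!/usr/bin/env python3
"""Added example (not CloudStack code): model the egress anti-spoofing rules
discussed in CLOUDSTACK-8559 and show what each variant does to a spoofed
source address.  All names and packets below are constructed placeholders."""
from dataclasses import dataclass
from typing import List, Optional, Set


@dataclass(frozen=True)
class Packet:
    src: str                    # source IP as seen leaving the instance VIF
    proto: str                  # "udp", "tcp", "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    target: str                           # RETURN, DROP, or a chain such as vmchain_egress
    src_in_set: Optional[bool] = None     # None: any source; True/False: (!) --match-set ... src
    proto: Optional[str] = None
    dport: Optional[int] = None

    def render(self, vmchain_default: str, vif: str, vmipset: str) -> str:
        """The iptables command the agent would execute for this rule."""
        parts = ["iptables", "-A", vmchain_default,
                 "-m", "physdev", "--physdev-is-bridged", "--physdev-in", vif]
        if self.src_in_set is not None:
            parts += ["-m", "set"]
            if not self.src_in_set:
                parts.append("!")
            parts += ["--match-set", vmipset, "src"]
        if self.proto is not None:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


def dns_only_rules() -> List[Rule]:
    """The two rules quoted in the report: DNS from a legitimate source returns,
    anything else from a legitimate source goes to the egress chain, and a
    packet from any other source matches neither rule."""
    return [Rule("RETURN", src_in_set=True, proto="udp", dport=53),
            Rule("vmchain_egress", src_in_set=True)]


def drop_spoofed_rules() -> List[Rule]:
    """Same two rules followed by a catch-all DROP, so that every packet whose
    source is not one of the instance's IPs is discarded (the fix's intent)."""
    return dns_only_rules() + [Rule("DROP")]


def verdict(rules: List[Rule], pkt: Packet, instance_ips: Set[str]) -> str:
    """First-match evaluation of a chain; instance_ips stands in for the ipset."""
    for r in rules:
        if r.src_in_set is not None and (pkt.src in instance_ips) != r.src_in_set:
            continue
        if r.proto is not None and pkt.proto != r.proto:
            continue
        if r.dport is not None and pkt.dport != r.dport:
            continue
        return r.target
    # No rule matched: whatever follows in vmchain_default decides the packet.
    return "FALLTHROUGH"


if __name__ == "__main__":
    ips = {"10.1.1.5"}                      # assumed instance address
    samples = [Packet("10.1.1.5", "udp", 53),
               Packet("10.1.1.5", "tcp", 80),
               Packet("192.0.2.9", "tcp", 80),   # spoofed source
               Packet("192.0.2.9", "udp", 53)]   # spoofed source, DNS
    for name, rules in (("dns-only", dns_only_rules()),
                        ("drop-spoofed", drop_spoofed_rules())):
        print(f"== {name} ==")
        for r in rules:
            print(r.render("i-2-3-def", "vnet0", "i-2-3-ipset"))
        for p in samples:
            print(f"  {p.src:<10} {p.proto}/{p.dport}: {verdict(rules, p, ips)}")
```

With the first two rules only, a packet from a source outside the ipset is neither returned nor sent to vmchain_egress; it simply falls off the end of the instance chain and its fate depends on what follows there. With the trailing DROP, every such packet is discarded in the instance chain regardless of protocol or port, which is the behaviour the commit message states.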
