cloudstack-issues mailing list archives

From "ASF subversion and git services (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8559) Source address spoofing prevention in Basic Networking only done for DNS
Date Mon, 15 Jun 2015 18:54:01 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14586488#comment-14586488 ]

ASF subversion and git services commented on CLOUDSTACK-8559:
-------------------------------------------------------------

Commit 9ff3fe371e3b5db77fc1eb6e7c60280d674fd949 in cloudstack's branch refs/heads/4.5 from [~widodh]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=9ff3fe3 ]

CLOUDSTACK-8559: IP Source spoofing should not be allowed

We did not verify if the packets leaving an Instance had the correct
source address.

Any IP packet not matching the Instance IP(s) will be dropped

(cherry picked from commit 3e3c11ffcaf6ab736800dfdc777cb0681f58ddf1)
Signed-off-by: Rohit Yadav <rohit.yadav@shapeblue.com>


> Source address spoofing prevention in Basic Networking only done for DNS
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8559
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: KVM
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>             Fix For: 4.6.0, 4.5.2
>
>
> Looking at the security group rules being programmed for Instances it seems that we only drop spoofed traffic when it's for DNS:
>
> if vm_ip is not None:
>   execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53  -j RETURN ")
>   execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
>
> I think that we can drop ALL packets which do not match any of the IPs in the list. I don't see a valid reason why we only do this for DNS/UDP 53.
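The two quoted rules only act on packets whose source is in the Instance's ipset; a packet with any other source falls through to whatever follows in the default chain. The model below is an added example, not CloudStack's code: it reproduces the quoted rule pair, optionally appends the catch-all DROP the issue asks for (the rule shape, chain names, interface name and addresses are assumptions), and walks a constructed spoofed packet through both variants.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

@dataclass
class Rule:
    """One rule in the Instance's default chain (simplified model of the quoted iptables lines)."""
    target: str                        # RETURN, DROP, or the name of a chain to jump to
    src_in_set: Optional[bool] = None  # True: match only if the source IP is in the Instance ipset
    proto: Optional[str] = None
    dport: Optional[int] = None

def egress_rules(vmchain_egress: str, drop_spoofed: bool) -> List[Rule]:
    """drop_spoofed=False reproduces the two rules quoted in the issue; True appends the
    catch-all DROP the issue asks for (the exact rule shape is an assumption, not the project's code)."""
    rules = [
        Rule("RETURN", src_in_set=True, proto="udp", dport=53),
        Rule(vmchain_egress, src_in_set=True),
    ]
    if drop_spoofed:
        rules.append(Rule("DROP"))  # anything still here has a source IP not in the ipset
    return rules

def render(rule: Rule, vmchain_default: str, vif: str, vmipset: str) -> str:
    """Render one rule as an iptables command in the form used by the quoted code."""
    cmd = f"iptables -A {vmchain_default} -m physdev --physdev-is-bridged --physdev-in {vif}"
    if rule.src_in_set:
        cmd += f" -m set --match-set {vmipset} src"  # --match-set is the current spelling of --set
    if rule.proto:
        cmd += f" -p {rule.proto}"
    if rule.dport:
        cmd += f" --dport {rule.dport}"
    return cmd + f" -j {rule.target}"

def walk_chain(rules: List[Rule], vm_ips: Set[str], pkt: Dict) -> str:
    """Return the verdict of the first matching rule, or FALLTHROUGH if no rule matches."""
    for r in rules:
        if r.src_in_set is not None and (pkt["src"] in vm_ips) != r.src_in_set:
            continue
        if r.proto is not None and pkt["proto"] != r.proto:
            continue
        if r.dport is not None and pkt.get("dport") != r.dport:
            continue
        return r.target
    return "FALLTHROUGH"

if __name__ == "__main__":
    vm_ips = {"10.1.1.5"}  # constructed: the Instance's single assigned address
    spoofed = {"src": "10.1.1.99", "proto": "tcp", "dport": 80}  # constructed packet
    for fixed in (False, True):
        rules = egress_rules("i-2-VM-eg", fixed)
        print(f"drop_spoofed={fixed}: spoofed packet -> {walk_chain(rules, vm_ips, spoofed)}")
        for r in rules:
            print("  " + render(r, "i-2-VM-def", "vnet0", "i-2-VM"))
```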



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
