cloudstack-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Rohit Yadav (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (CLOUDSTACK-8559) Source address spoofing prevention in Basic Networking only done for DNS
Date Mon, 15 Jun 2015 18:56:01 GMT

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-8559?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14586491#comment-14586491
] 

Rohit Yadav commented on CLOUDSTACK-8559:
-----------------------------------------

Backported to 4.5, [~kishan] [~jayapal] - anyone of you want to review this?

> Source address spoofing prevention in Basic Networking only done for DNS
> ------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-8559
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: KVM
>            Reporter: Wido den Hollander
>            Assignee: Wido den Hollander
>             Fix For: 4.6.0, 4.5.2
>
>
> Looking at the security group rules being programmed for Instances it seems that we only
drop spoofed traffic when it's for DNS:
> if vm_ip is not None:
>   execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in
" + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53  -j RETURN ")
>   execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in
" + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
> I think that we can drop ALL packets which do not match any of the IPs in the list. I
don't see a valid reason why we only do this for DNS/UDP 53.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message