Posted to issues@cloudstack.apache.org by "Wido den Hollander (JIRA)" <ji...@apache.org> on 2015/07/10 12:09:06 UTC
[jira] [Resolved] (CLOUDSTACK-8559) Source address spoofing prevention in Basic Networking only done for DNS
[ https://issues.apache.org/jira/browse/CLOUDSTACK-8559?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wido den Hollander resolved CLOUDSTACK-8559.
--------------------------------------------
Resolution: Fixed
This is in master and also backported to 4.5.2
I confirmed that it works fine. Running it in production.
> Source address spoofing prevention in Basic Networking only done for DNS
> ------------------------------------------------------------------------
>
> Key: CLOUDSTACK-8559
> URL: https://issues.apache.org/jira/browse/CLOUDSTACK-8559
> Project: CloudStack
> Issue Type: Bug
> Security Level: Public(Anyone can view this level - this is the default.)
> Components: KVM
> Reporter: Wido den Hollander
> Assignee: Wido den Hollander
> Fix For: 4.6.0, 4.5.2
>
>
> Looking at the security group rules being programmed for Instances it seems that we only drop spoofed traffic when it's for DNS:
> if vm_ip is not None:
>     execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ")
>     execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
> I think that we can drop ALL packets which do not match any of the IPs in the list. I don't see a valid reason why we only do this for DNS/UDP 53.
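The two rules quoted in the issue, and the extra catch-all DROP the reporter proposes, side by side as an added illustration (this is not CloudStack's security_group.py and not the committed fix). The chain and ipset names are placeholders, and the evaluator only models the ipset `src` match, the protocol/port match and the jump target, not the rest of the chain, so a packet the two original rules do not match is reported as falling through rather than as accepted or dropped.

```python
"""
Added illustration of per-VM anti-spoofing rules in a bridged KVM host.

Assumptions (not from the issue): chain/ipset names are placeholders,
and the tiny evaluator below models only the ipset 'src' match, the
protocol/port match and the jump target of each rule.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    # True: "-m set --set X src", False: "-m set ! --set X src", None: no set match
    src_in_set: Optional[bool]
    proto: Optional[str]      # "udp", "tcp" or None for any protocol
    dport: Optional[int]      # destination port or None for any port
    target: str               # jump target: RETURN, DROP or a chain name


def build_rules(vmchain_default, vif, vmipset, vmchain_egress, drop_spoofed):
    """Return (iptables command strings, Rule objects) for one VM's default chain.

    drop_spoofed=False reproduces the two rules quoted in the issue:
    only traffic whose source IP is in the VM's ipset is handled at all.
    drop_spoofed=True appends the rule the issue argues for: anything
    from this VIF whose source IP is NOT in the ipset is dropped.
    """
    base = (f"iptables -A {vmchain_default} -m physdev --physdev-is-bridged "
            f"--physdev-in {vif}")
    commands = [
        f"{base} -m set --set {vmipset} src -p udp --dport 53 -j RETURN",
        f"{base} -m set --set {vmipset} src -j {vmchain_egress}",
    ]
    rules = [
        Rule(True, "udp", 53, "RETURN"),
        Rule(True, None, None, vmchain_egress),
    ]
    if drop_spoofed:
        # Catch-all: a spoofed source address never reaches the egress chain.
        commands.append(f"{base} -m set ! --set {vmipset} src -j DROP")
        rules.append(Rule(False, None, None, "DROP"))
    return commands, rules


def evaluate(rules, packet, allowed_ips):
    """Verdict of the first matching rule, or FALLTHROUGH if none matches.

    FALLTHROUGH means the rest of the chain (not shown in the issue)
    decides; it is exactly the gap the issue describes for non-DNS traffic.
    """
    in_set = packet["src"] in allowed_ips
    for rule in rules:
        if rule.src_in_set is not None and rule.src_in_set != in_set:
            continue
        if rule.proto is not None and rule.proto != packet["proto"]:
            continue
        if rule.dport is not None and rule.dport != packet.get("dport"):
            continue
        return rule.target
    return "FALLTHROUGH"


if __name__ == "__main__":
    # Constructed sample: the VM owns 10.0.0.5; a packet claiming 10.0.0.9 is spoofed.
    allowed = {"10.0.0.5"}
    spoofed_http = {"src": "10.0.0.9", "proto": "tcp", "dport": 80}
    for drop in (False, True):
        cmds, rules = build_rules("vm-default", "vnet0", "vm-ips", "vm-egress", drop)
        print("\n".join(cmds))
        print("spoofed HTTP ->", evaluate(rules, spoofed_http, allowed))
```

Run as a script it prints both rule sets and shows the spoofed HTTP packet falling through the original chain but being dropped once the catch-all rule is present; the ipset, physdev and chain names are only placeholders to be replaced by whatever the host actually programs.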
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)