Posted to issues@cloudstack.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2013/07/31 02:35:48 UTC

[jira] [Commented] (CLOUDSTACK-3963) security group, if user changes mac, the modified mac contaminate bridge cache.

    [ https://issues.apache.org/jira/browse/CLOUDSTACK-3963?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13724670#comment-13724670 ] 

ASF subversion and git services commented on CLOUDSTACK-3963:
-------------------------------------------------------------

Commit 2d87e643710d63c2a6dad90bf4f596e86b4eaf56 in branch refs/heads/4.2 from [~anthonyxu]
[ https://git-wip-us.apache.org/repos/asf?p=cloudstack.git;h=2d87e64 ]

CLOUDSTACK-3963:

In security group, CS puts a rule in the ebtables filter table FORWARD chain to prevent the user from changing the VM MAC address:
util.pread2(['ebtables', '-A', vm_chain, '-i', vif, '-s', '!', vm_mac,  '-j', 'DROP'])

If the user changes the VM MAC address, all egress packets from the VM will be dropped, but the egress packets still contaminate the bridge cache with the fake MAC.

This patch moves the rule to the ebtables nat table PREROUTING chain, so the egress packets with the modified MAC will not contaminate the bridge cache.

                
> security group, if user changes mac, the modified mac contaminate bridge cache.
> -------------------------------------------------------------------------------
>
>                 Key: CLOUDSTACK-3963
>                 URL: https://issues.apache.org/jira/browse/CLOUDSTACK-3963
>             Project: CloudStack
>          Issue Type: Bug
>      Security Level: Public(Anyone can view this level - this is the default.) 
>          Components: Network Controller
>    Affects Versions: 4.1.0
>            Reporter: Anthony Xu
>            Priority: Critical
>             Fix For: 4.2.0
>
>


--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
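
Added example (not part of the commit or of CloudStack's code): a simplified Python model of the Linux bridge receive path, in which the ebtables nat PREROUTING hook runs before source-MAC learning and the filter FORWARD hook runs after it. It shows why the same drop rule keeps the modified MAC out of the bridge cache only when it sits in PREROUTING. The class and function names, MAC addresses and interface name are constructed for illustration.

```python
# Simplified model of the Linux bridge receive path (an assumption made for
# illustration): PREROUTING hook -> FDB learning -> FORWARD hook -> transmit.

VM_MAC = "02:00:00:00:00:01"       # constructed: MAC assigned to the VM
SPOOFED_MAC = "02:00:00:00:00:99"  # constructed: MAC set inside the guest
VIF = "vif1.0"                     # constructed: the VM's port on the bridge


def anti_spoof_rule(vif, vm_mac):
    """Model of '-i vif -s ! vm_mac -j DROP'; the predicate returns True for DROP."""
    return lambda in_if, src_mac: in_if == vif and src_mac != vm_mac


class Bridge:
    def __init__(self, prerouting=(), forward=()):
        self.prerouting = list(prerouting)  # ebtables nat PREROUTING rules
        self.forward = list(forward)        # ebtables filter FORWARD rules
        self.fdb = {}                       # bridge cache: source MAC -> port

    def receive(self, in_if, src_mac):
        """Return True if the frame is forwarded, False if it is dropped."""
        if any(rule(in_if, src_mac) for rule in self.prerouting):
            return False                    # dropped before the bridge learns
        self.fdb[src_mac] = in_if           # bridge learns the source MAC
        if any(rule(in_if, src_mac) for rule in self.forward):
            return False                    # dropped, but the MAC is cached
        return True


def run(chain):
    """Send one legitimate and one modified-MAC frame; return (verdicts, fdb)."""
    rule = anti_spoof_rule(VIF, VM_MAC)
    bridge = Bridge(**{chain: [rule]})
    verdicts = [bridge.receive(VIF, VM_MAC), bridge.receive(VIF, SPOOFED_MAC)]
    return verdicts, bridge.fdb


if __name__ == "__main__":
    for chain in ("forward", "prerouting"):
        verdicts, fdb = run(chain)
        print(chain, verdicts, sorted(fdb))
```

In both placements the modified-MAC frame is dropped; only the contents of the bridge cache differ.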