network: prevent IP spoofing on upstream (eth0) interface
Currently there is just one anti-spoofing firewall rule ensuring packets coming through vif+ interfaces have the right source address. Add another rule ensuring that addresses that belong to VMs behind those vif+ interfaces do not appear on other interfaces (specifically eth0, but also physical ones). Normally it wouldn't be an issue because of rp_filter (doing the same based on the route table), default DROP in the FORWARD chain and also conntrack (the need to guess exact port numbers and sequence numbers). But it appears all three mechanisms are ineffective in some cases:

- rp_filter in many distributions (including Fedora and Debian) was switched to Loose Mode, which doesn't verify the exact interface
- there is a rule in the FORWARD table allowing established connections, and conntrack does not keep track of input/output interfaces
- CVE-2019-14899 allows guessing all the data needed to inject packets

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
This commit is contained in:
parent 68b61c2c6d
commit 74f5fb5ac7
@ -129,7 +129,10 @@ if [ "${ip}" ]; then
else
ipt=iptables-restore
fi
echo -e "*raw\\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\\nCOMMIT" | \
printf '%s\n' "*raw" \
"$iptables_cmd -i ${vif} ! -s ${addr} -j DROP" \
"$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
"COMMIT" | \
${cmdprefix} $ipt --noflush $ipt_arg
done
# if no IPv6 is assigned, block all IPv6 traffic on that interface
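Review bot: the new `"$iptables_cmd ! -i vif+ -s ${addr} -j DROP"` line carries no in-script comment, while the rationale for it (rp_filter in loose mode, the FORWARD rule accepting established connections, conntrack not tracking interfaces) lives only in the commit message; the script already documents nearby behaviour with `# if no IPv6 is assigned, block all IPv6 traffic on that interface`, so add a matching one-liner above the printf, e.g. `# drop packets claiming a VM's address that arrive on any non-vif interface (anti-spoofing from upstream)`. The comment should also spell out that `! -i vif+` matches every non-vif interface (eth0, other physical NICs, and lo), not eth0 alone, since the commit message says "specifically eth0, but also physical ones" and the shell line itself gives no hint of that scope. Replacing `echo -e` with doubled backslashes by `printf '%s\n'` is a good portability fix in the same hunk.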