network: prevent IP spoofing on upstream (eth0) interface

Currently there is just one anti-spoofing firewall rule ensuring packets
coming through vif+ interfaces have the right source address. Add
another rule ensuring that addresses that belongs to VMs behind those
vif+ interface do not appear on other interfaces (specifically eth0, but
also physical ones).

Normally it wouldn't be an issue because of rp_filter (doing the same
based on route table), default DROP in FORWARD chain and also conntrack
(the need to guess exact port numbers and sequence numbers). But it
appears all three mechanisms are ineffective in some cases:
 - rp_filter in many distributions (including Fedora and Debian) was
 switched to Loose Mode, which doesn't verify exact interface
 - there is a rule in FORWARD table allowing established connections and
 conntrack does not keep track of input/output interfaces
 - CVE-2019-14899 allows to guess all the data needed to inject packets

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
This commit is contained in:
Marek Marczykowski-Górecki 2019-12-18 05:57:45 +01:00 committed by Demi Marie Obenour
parent 68b61c2c6d
commit 74f5fb5ac7
No known key found for this signature in database
GPG Key ID: 28A45C93B0B5B6E0

View File

@ -129,7 +129,10 @@ if [ "${ip}" ]; then
else
ipt=iptables-restore
fi
echo -e "*raw\\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\\nCOMMIT" | \
printf '%s\n' "*raw" \
"$iptables_cmd -i ${vif} ! -s ${addr} -j DROP" \
"$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
"COMMIT" | \
${cmdprefix} $ipt --noflush $ipt_arg
done
# if no IPv6 is assigned, block all IPv6 traffic on that interface