Bug #4337

IP spoofing filters DHCP communication

Added by Vlastimil Holer over 5 years ago. Updated over 5 years ago.

Status: Closed
Start date: 02/16/2016
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Drivers - Network
Target version: Release 5.0
Resolution: fixed
Pull request:
Affected Versions: OpenNebula 4.14

Description

When FILTER_IP_SPOOFING is enabled, the host filters out all traffic with a source IP address different from the one assigned to the interface by ON. If the interface is configured via DHCP, it also filters this communication, leaving the interface unconfigured. It must allow at least source IP 0.0.0.0 with UDP source/dest port 68/67. Please see:

  1. nwfilter-dumpxml allow-dhcp
    <filter name='allow-dhcp' chain='ipv4' priority='-700'>
      <uuid>d5692ca0-2024-4d9f-9f14-cba56d746652</uuid>
      <rule action='accept' direction='out' priority='100'>
        <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
      </rule>
      <rule action='accept' direction='in' priority='100'>
        <ip protocol='udp' srcportstart='67' dstportstart='68'/>
      </rule>
    </filter>

Associated revisions

Revision 030b0472
Added by Vlastimil Holer over 5 years ago

Bug #4337: IP spoofing filters DHCP communication

Don't filter UDP DHCP traffic from 0.0.0.0/32 port 68 to
255.255.255.255/32 port 67.
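
Added example (not OpenNebula or libvirt code): a simplified Python model of the egress source-address check that loads the allow-dhcp filter quoted in the description and shows that a DHCPDISCOVER is dropped without the exception and accepted with it, while other traffic from a foreign or 0.0.0.0 source is still dropped. The function names, the packet dictionaries and the 192.0.2.x addresses are assumptions constructed for illustration.

```python
import xml.etree.ElementTree as ET

# The allow-dhcp filter quoted in the description (uuid element omitted).
ALLOW_DHCP = """
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>
"""

# nwfilter attribute -> key in the simplified packet dict used below.
# Only the attributes that appear in the quoted filter are handled.
FIELDS = {"srcipaddr": "src", "dstipaddr": "dst", "protocol": "proto",
          "srcportstart": "sport", "dstportstart": "dport"}

def load_rules(xml_text):
    """Return (direction, action, {packet_key: required_value}) per <rule>."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        match = {FIELDS[k]: v for k, v in rule.find("ip").attrib.items()}
        rules.append((rule.get("direction"), rule.get("action"), match))
    return rules

def dhcp_exception(rules, direction, pkt):
    """True if an accept rule for this direction matches every listed field."""
    return any(d == direction and action == "accept"
               and all(str(pkt.get(k)) == v for k, v in match.items())
               for d, action, match in rules)

def egress_verdict(pkt, assigned_ip, rules=()):
    """Simplified model of the source-address check on traffic leaving the VM."""
    if dhcp_exception(rules, "out", pkt):
        return "accept"
    return "accept" if pkt["src"] == assigned_ip else "drop"

# Constructed packets; 192.0.2.10 stands in for the address assigned to the NIC.
DISCOVER = {"src": "0.0.0.0", "dst": "255.255.255.255", "proto": "udp", "sport": 68, "dport": 67}
SPOOFED = {"src": "192.0.2.99", "dst": "192.0.2.1", "proto": "udp", "sport": 68, "dport": 67}
ZERO_SRC_DNS = {"src": "0.0.0.0", "dst": "192.0.2.1", "proto": "udp", "sport": 5353, "dport": 53}

if __name__ == "__main__":
    rules = load_rules(ALLOW_DHCP)
    for name, pkt in (("discover", DISCOVER), ("spoofed", SPOOFED), ("zero-src dns", ZERO_SRC_DNS)):
        print(name, egress_verdict(pkt, "192.0.2.10"), egress_verdict(pkt, "192.0.2.10", rules))
```

The exception is deliberately narrow: only the exact 0.0.0.0:68 to 255.255.255.255:67 UDP tuple bypasses the source check, so unrelated traffic sent from 0.0.0.0 remains filtered.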

History

#1 Updated by Ruben S. Montero over 5 years ago

  • Target version set to Release 5.0

Totally, we probably need to consider ND for IPv6 and the :: address. Scheduling this for the next release. Thanks!

#2 Updated by Ruben S. Montero over 5 years ago

  • Status changed from Pending to New

#4 Updated by Ruben S. Montero over 5 years ago

  • Status changed from New to Closed
  • Resolution set to fixed
