Bug #4337
IP spoofing filters DHCP communication
| Status: | Closed | Start date: | 02/16/2016 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assignee: | - | % Done: | 0% |
| Category: | Drivers - Network | | |
| Target version: | Release 5.0 | | |
| Resolution: | fixed | Pull request: | |
| Affected Versions: | OpenNebula 4.14 | | |
Description
When FILTER_IP_SPOOFING is enabled, the host filters out all traffic whose source IP address differs from the one assigned to the interface by ON. If the interface is configured via DHCP, it also filters this communication, leaving the interface unconfigured. It must allow at least source IP 0.0.0.0 with UDP source/dest port 68/67. Please see:
- nwfilter-dumpxml allow-dhcp
<filter name='allow-dhcp' chain='ipv4' priority='-700'>
  <uuid>d5692ca0-2024-4d9f-9f14-cba56d746652</uuid>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp' srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>
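To check how narrow the requested exemption is, the following added example (not part of the report and not OpenNebula or libvirt code) parses the allow-dhcp filter quoted above and evaluates constructed packets against it. The evaluation order (exemption rules first, then the source-address check), the packet dictionaries and the assigned address 10.0.0.5 are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# The allow-dhcp filter quoted in the report.
ALLOW_DHCP = """<filter name='allow-dhcp' chain='ipv4' priority='-700'>
  <rule action='accept' direction='out' priority='100'>
    <ip srcipaddr='0.0.0.0' dstipaddr='255.255.255.255' protocol='udp'
        srcportstart='68' dstportstart='67'/>
  </rule>
  <rule action='accept' direction='in' priority='100'>
    <ip protocol='udp' srcportstart='67' dstportstart='68'/>
  </rule>
</filter>"""

# nwfilter attribute -> packet field (only the attributes this filter uses)
FIELDS = {"srcipaddr": "src", "dstipaddr": "dst", "protocol": "proto",
          "srcportstart": "sport", "dstportstart": "dport"}

def load_rules(xml_text):
    """Return (direction, action, match) tuples from an nwfilter document."""
    rules = []
    for rule in ET.fromstring(xml_text).iter("rule"):
        for ip in rule.iter("ip"):
            match = {FIELDS[k]: v for k, v in ip.attrib.items()}
            rules.append((rule.get("direction"), rule.get("action"), match))
    return rules

def verdict(pkt, assigned_ip, rules):
    """Assumed order: exemption rules first, then the source-address check."""
    for direction, action, match in rules:
        if direction == pkt["dir"] and all(str(pkt[f]) == v for f, v in match.items()):
            return action
    if pkt["dir"] == "out" and pkt["src"] != assigned_ip:
        return "drop"  # source differs from the address assigned to the NIC
    return "accept"

# Constructed sample packets for a VM whose assigned address is 10.0.0.5.
DISCOVER = dict(dir="out", src="0.0.0.0", dst="255.255.255.255", proto="udp", sport=68, dport=67)
OFFER = dict(dir="in", src="10.0.0.1", dst="255.255.255.255", proto="udp", sport=67, dport=68)
ZERO_SRC_DNS = dict(dir="out", src="0.0.0.0", dst="255.255.255.255", proto="udp", sport=68, dport=53)
SPOOFED = dict(dir="out", src="10.0.0.99", dst="10.0.0.1", proto="udp", sport=68, dport=67)

if __name__ == "__main__":
    rules = load_rules(ALLOW_DHCP)
    for name, pkt in [("DISCOVER", DISCOVER), ("OFFER", OFFER),
                      ("ZERO_SRC_DNS", ZERO_SRC_DNS), ("SPOOFED", SPOOFED)]:
        print(f"{name:13} no exemption: {verdict(pkt, '10.0.0.5', []):6} "
              f"with allow-dhcp: {verdict(pkt, '10.0.0.5', rules)}")
```

Only the DHCPDISCOVER changes verdict when the exemption is loaded; a 0.0.0.0 source on any other port pair, or a DHCP request from a foreign unicast address, is still dropped.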
Associated revisions
Bug #4337: IP spoofing filters DHCP communication
Don't filter UDP DHCP traffic from 0.0.0.0/32 port 68 to
255.255.255.255/32 port 67.
History
#1 Updated by Ruben S. Montero over 5 years ago
- Target version set to Release 5.0
Totally, we probably need to consider ND for IPv6 and the :: address. Scheduling this for the next release. Thanks!
#2 Updated by Ruben S. Montero over 5 years ago
- Status changed from Pending to New
#3 Updated by Vlastimil Holer over 5 years ago
#4 Updated by Ruben S. Montero over 5 years ago
- Status changed from New to Closed
- Resolution set to fixed