Comment 10 for bug 1274034

Kevin Bringard (kbringard) wrote :

As another potential intermediate triage to this, we have added another spoofing rule to the spoof chains and call the spoof chain in the ingress rules. Effectively, if the DST IP address isn't the address we assigned to the VM, then drop it.

In this scenario, the malicious VM can still poison the ARP cache and effectively DoS the victim, but it shouldn't be able to see any of the victim's traffic as the packets headed to the malicious VM will get dropped at the hypervisor.

I've attached a patch to the iptables_firewall.py from stable/havana which implements this. If folks don't disagree with this approach I'll submit the patch to be reviewed as well as look into getting it into icehouse (or maybe Juno, depending on if it's considered a new feature or bug fix).
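
A minimal model of the destination check described in the comment above, as an added example (it is not the attached patch and not Neutron's code). The chain name, the `build_dst_check_rules` and `evaluate` helpers and the sample addresses are assumptions made for illustration.

```python
import ipaddress

def build_dst_check_rules(chain, fixed_ips):
    """RETURN when the destination is one of the port's assigned IPs, else DROP."""
    rules = []
    for ip in fixed_ips:
        addr = ipaddress.ip_address(ip)  # rejects malformed input early
        rules.append("-A %s -d %s/%d -j RETURN" % (chain, addr, addr.max_prefixlen))
    # Anything not addressed to an assigned IP is dropped at the hypervisor.
    rules.append("-A %s -j DROP" % chain)
    return rules

def evaluate(rules, dst_ip):
    """First-match evaluation of the generated rules for one packet's destination."""
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        tokens = rule.split()
        target = tokens[tokens.index("-j") + 1]
        if "-d" in tokens:
            net = ipaddress.ip_network(tokens[tokens.index("-d") + 1])
            if dst.version != net.version or dst not in net:
                continue  # rule does not match, try the next one
        return target
    return "RETURN"  # fell off the end of a user-defined chain

def demo():
    # Constructed scenario: the hypervisor assigned 10.0.0.6 to the malicious VM;
    # the victim owns 10.0.0.5. "example-ingress-spoof" is a hypothetical chain name.
    rules = build_dst_check_rules("example-ingress-spoof", ["10.0.0.6"])
    results = {
        # Normal traffic to the VM's own address passes the check.
        "own address": evaluate(rules, "10.0.0.6"),
        # After ARP poisoning, frames carrying the victim's IP reach this
        # port at layer 2 but are dropped before the guest sees them.
        "victim address": evaluate(rules, "10.0.0.5"),
        # In this model a broadcast destination also hits DROP, so any
        # broadcast the guest needs must be accepted before this chain runs.
        "broadcast": evaluate(rules, "255.255.255.255"),
    }
    return rules, results

if __name__ == "__main__":
    rules, results = demo()
    print("\n".join(rules))
    for name, verdict in results.items():
        print("%-15s -> %s" % (name, verdict))
```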