Comment 0 for bug 1489111

Kevin Benton (kevinbenton) wrote : IP, MAC, and DHCP spoofing rules can be bypassed by changing device_owner

The anti-IP spoofing rules, anti-MAC spoofing rules, and anti-DHCP spoofing rules can be bypassed by changing the device_owner field of a compute node's port to something that starts with 'network:'.

Steps to reproduce:

Create a port on the target network:

neutron port-create some_network

Start a repeated update of the device_owner field to immediately change it back after nova sets it to 'compute:<whatever>' on VM attachment. (This has to be done quickly because the owner has to be set to 'network:something' before the L2 agent wires up the security group rules.)

watch neutron port-update <port-uuid-from-above> --device-owner network:hello

Then boot the VM with the port UUID:

nova boot test --nic port-id=<port-uuid-from-above> --flavor m1.tiny --image cirros-0.3.4-x86_64-uec

This VM will now have no iptables rules applied because it will be treated as a network-owned port (e.g. router interface, DHCP interface, etc.).
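An added audit script, not part of the bug report or of Neutron itself, that flags ports carrying the 'network:' device_owner prefix the L2 agent trusts without being one of the owners Neutron's own services assign. The port records below are constructed in the shape of GET /v2.0/ports output, and the allowlist of service-assigned owners is an assumption.

```python
"""Audit Neutron port records for device_owner values that exempt a port
from the L2 agent's anti-spoofing rules without a legitimate service owner.

Added example, not code from the bug report or from Neutron. Port records
are dicts shaped like the Neutron API's port objects (constructed here).
"""

# Assumption: owners that Neutron's own services (DHCP agent, L3 agent,
# floating IP handling) set on ports they create. Any other 'network:'
# value on a port attached to a VM is suspicious, because the prefix
# alone is what makes the L2 agent skip the spoofing rules.
KNOWN_NETWORK_OWNERS = {
    "network:dhcp",
    "network:router_interface",
    "network:router_gateway",
    "network:router_ha_interface",
    "network:floatingip",
}


def audit_ports(ports):
    """Return (port_id, device_owner, reason) for each suspicious port."""
    findings = []
    for port in ports:
        owner = port.get("device_owner") or ""
        if not owner.startswith("network:"):
            continue  # compute:* and empty owners still get the rules
        if owner not in KNOWN_NETWORK_OWNERS:
            findings.append((port["id"], owner,
                             "non-service network: owner; spoofing rules skipped"))
    return findings


# Constructed sample: one DHCP port, one VM port, one renamed VM port.
SAMPLE_PORTS = [
    {"id": "p-dhcp", "device_owner": "network:dhcp", "device_id": "dhcp-1"},
    {"id": "p-vm1", "device_owner": "compute:nova", "device_id": "vm-1"},
    {"id": "p-vm2", "device_owner": "network:hello", "device_id": "vm-2"},
]


def run_sample():
    return audit_ports(SAMPLE_PORTS)


if __name__ == "__main__":
    for port_id, owner, reason in run_sample():
        print(f"{port_id}: device_owner={owner!r}: {reason}")
```

Feeding it the real port list (for example the JSON from `neutron port-list -f json` or the API) turns it into a periodic check for this class of tampering.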