commit 08108c41992a13c6959b717cccfe2b929e55d2eb
Author: Brian Haley <email address hidden>
Date: Wed Nov 15 19:24:22 2017 -0500

Move Linuxbridge ARP spoofing to nat table PREROUTING chain

It was found that adding ebtables rules to the filter table
FORWARD chain could be vulnerable to a DoS attack. Moving
to the nat table PREROUTING chain should mitigate this as
it is consulted prior to allowing the frame in.

In order to make this work with upgrades, had to make the code
detect and remove any old rules that might still exist in
the filter table. That can be removed after a cycle.

Added some unit tests in addition to the existing functional
tests.

Reviewed: https://review.openstack.org/520249
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=08108c41992a13c6959b717cccfe2b929e55d2eb
Submitter: Zuul
Branch: master
Change-Id: I87852b21db4404c58c83789cc267812030ac7d5f
Closes-bug: #1732294