Comment 0 for bug 1938670
Revision history for this message
| Jake Yip (waipengyip) wrote linuxbridge: ebtables-nft allows ARP spoofing | #0 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
1b1ed1a
(Get the code!)
We are running an OpenStack cloud with linux bridge. We have found that, in certain conditions, ARP spoofing protection is not working as intended. This allows a user do bad things like spoof gratuitous ARP to DoS another user's virtual machine. More details below.
In an environment using linux bridge, neutron-
:neutronMAC-
:neutronARP-
-A PREROUTING -i tapdb545a8c-8f -j neutronMAC-
-A PREROUTING -p ARP -i tapdb545a8c-8f -j neutronARP-
-A neutronMAC-
-A neutronARP-
The neutronARP-xxx chain, however, has a problem during the creation of it. The source for that [1] looks like this:
ebtables(['-N', vif_chain, '-P', 'DROP'])
ebtables(['-F', vif_chain])
This creates a chain with default policy of DROP, and FLUSHes any existing rules.
However, we have found that in certain OS, the FLUSH reverts the default policy back to RETURN. E.g.
root@jake-focal:~# eatables -t nat -N newchain -P DROP
root@jake-focal:~# ebtables-save | grep newchain
:newchain DROP
root@jake-focal:~# ebtables -t nat -F newchain
root@jake-focal:~# ebtables-save | grep newchain
:newchain RETURN
root@jake-focal:~# ebtables --version
ebtables 1.8.4 (nf_tables)
The OSes that exhibit this issue seems to be OSes that uses ebtables-nft - Ubuntu Focal, CentOS Stream.
Ubuntu Bionic is fine. E.g.
root@jake-
root@jake-
:newchain DROP
root@jake-
root@jake-
:newchain DROP
root@jake-
ebtables v2.0.10-4 (December 2011)
I have a patch for this, but as this is a security issue I am refraining from posting it up to OpenStack's Gerrit. Also, this might have been fixed in master, but it still affects Ussuri and Victoria. Please advise on what I should do next?
[1] https:/