Iptables firewall prevent IP spoofed DHCP requests
The DHCP rules in the fixed iptables firewall rules were too permissive.
They permitted any UDP traffic with a source port of 68 and destination
port of 67. Care must be taken since these rules return before the IP
spoofing prevention rules. This patch splits the fixed DHCP rules into
two, one for the discovery and request messages which take place before
the instance has bound an IP address and a second to permit DHCP
renewals.
Reviewed: https://review.openstack.org/303617
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=b0f6984de3985b80c728dd282fe6148b28f01fe4
Submitter: Jenkins
Branch: stable/kilo
commit b0f6984de3985b80c728dd282fe6148b28f01fe4
Author: Dustin Lundquist <email address hidden>
Date: Thu Mar 31 12:04:31 2016 -0700
Iptables firewall prevent IP spoofed DHCP requests
The DHCP rules in the fixed iptables firewall rules were too permissive.
They permitted any UDP traffic with a source port of 68 and destination
port of 67. Care must be taken since these rules return before the IP
spoofing prevention rules. This patch splits the fixed DHCP rules into
two, one for the discovery and request messages which take place before
the instance has bound an IP address and a second to permit DHCP
renewals.
Conflicts:
neutron/agent/linux/iptables_firewall.py
neutron/tests/functional/agent/test_firewall.py
neutron/tests/unit/agent/linux/test_iptables_firewall.py
neutron/tests/unit/agent/test_securitygroups_rpc.py
Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
Partial-Bug: #1558658
(cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f)
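
An added illustration of the rule ordering the commit message describes, not code from the Neutron patch: a small first-match model showing why a DHCP rule that returns ahead of the spoofing check lets a spoofed source through, and how splitting it closes that path. The sample addresses, the `SPOOF_CHECK` marker and the 0.0.0.0 to 255.255.255.255 match for pre-bind DHCP are assumptions made for the example.

```python
# Simplified first-match model of a per-port egress chain (illustrative only).
DHCP_ANY = {"proto": "udp", "sport": 68, "dport": 67, "action": "RETURN"}
# Assumption: pre-bind DHCP (discover/request) is sent from 0.0.0.0 to broadcast.
DHCP_PREBIND = dict(DHCP_ANY, src="0.0.0.0", dst="255.255.255.255")
SPOOF_CHECK = {"action": "SPOOF_CHECK"}  # hypothetical marker for the anti-spoofing rules

# Before: the DHCP rule returns ahead of the spoofing check.
PERMISSIVE = [DHCP_ANY, SPOOF_CHECK]
# After: only pre-bind DHCP bypasses the check; renewals are matched after it.
SPLIT = [DHCP_PREBIND, SPOOF_CHECK, DHCP_ANY]

ALLOWED_SRC = {"10.0.0.5"}  # constructed: the address bound to the instance port

# Constructed sample packets, all UDP 68 -> 67.
PACKETS = {
    "discover": {"src": "0.0.0.0", "dst": "255.255.255.255"},
    "renewal": {"src": "10.0.0.5", "dst": "10.0.0.2"},
    "spoofed": {"src": "10.0.0.99", "dst": "10.0.0.2"},
}

def matches(rule, pkt):
    """True when every field the rule constrains equals the packet's value."""
    return all(pkt.get(k) == v for k, v in rule.items() if k != "action")

def evaluate(chain, pkt, allowed_src=ALLOWED_SRC):
    """Walk the chain in order; RETURN stands for 'permitted' in this model."""
    for rule in chain:
        if rule["action"] == "SPOOF_CHECK":
            if pkt["src"] not in allowed_src:
                return "DROP"  # source address not owned by this port
            continue
        if matches(rule, pkt):
            return rule["action"]
    return "DROP"  # default policy in this model

def verdicts(chain):
    """Verdict for each sample packet under the given chain."""
    out = {}
    for name, addrs in PACKETS.items():
        pkt = dict(addrs, proto="udp", sport=68, dport=67)
        out[name] = evaluate(chain, pkt)
    return out

if __name__ == "__main__":
    for label, chain in (("permissive", PERMISSIVE), ("split", SPLIT)):
        print(label, verdicts(chain))
```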