Comment 10 for bug 591943

In , Daniel (daniel-redhat-bugs) wrote:

> If you trust someone to have root on a VM, but not on the host, you are in
> trouble. virt is not a security feature. One compromised virt machine can have
> drastic results for all the others.

Trusting guest admins with root on their guests is not unreasonable, if you've configured your host OS networking to protect against bad stuff they can do (IP spoofing, MAC address spoofing, etc, etc). This protection can be applied using the libvirt guest NIC filtering capabilities, or manually set up by the admin using iptables. Of course if you're doing that, you can block access to the NFS servers in question that way. So this NAT source port mapping question becomes moot.

> In order for this to be a security flaw, you need the condition of a tightly
> controlled network that allows untrusted users to have root access on a NAT'd
> guest, who also have access to port controlled resources.

I guess the decision here comes down to whether you consider the libvirt NAT based networking capability to be a security feature, as well as a connectivity feature. It wasn't designed as a security feature, rather as a quick way to give access to guests on a laptop using Wifi NICs where bridging is impossible. Any security benefit is at best a convenient side-effect from the NAT-ing of IP packets. We have separate dedicated capabilities for doing network filtering on guest traffic.

Personally, I consider the flaw to be in NFS for expecting source port restrictions to offer any kind of meaningful security, but that's a different topic :-)
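A concrete form of the mitigation described in the comment above, added here as an example (it is not from the bug thread and not one of libvirt's stock filters): a libvirt nwfilter that pulls in the standard `clean-traffic` anti-spoofing filter and then drops guest-originated TCP/UDP to the portmapper and NFS ports of a particular server. The server address 192.0.2.10 and the filter name are constructed placeholders.

```xml
<!-- Added example filter (not libvirt's own). Attach it to a guest NIC in
     the domain XML with:
       <interface type='network'>
         <source network='default'/>
         <filterref filter='guest-no-nfs'/>
       </interface>
     and load it with: virsh nwfilter-define guest-no-nfs.xml -->
<filter name='guest-no-nfs'>
  <!-- Stock libvirt filter: guest may only send frames with its own MAC and
       its assigned IP, and may not poison ARP. This is the "protect against
       IP spoofing, MAC address spoofing" part. -->
  <filterref filter='clean-traffic'/>

  <!-- Placeholder NFS server 192.0.2.10: drop portmapper (111/tcp, 111/udp)
       and nfsd (2049/tcp, 2049/udp) from the guest, so whatever source port
       the NAT picks, the guest's traffic never reaches the server. -->
  <rule action='drop' direction='out' priority='500'>
    <tcp dstipaddr='192.0.2.10' dstportstart='111'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <udp dstipaddr='192.0.2.10' dstportstart='111'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <tcp dstipaddr='192.0.2.10' dstportstart='2049'/>
  </rule>
  <rule action='drop' direction='out' priority='500'>
    <udp dstipaddr='192.0.2.10' dstportstart='2049'/>
  </rule>
</filter>
```

NFS helper services (mountd, lockd, statd) listen on ports assigned at start-up unless pinned in the NFS server's configuration; pin them and add matching rules if the server is reachable on those too.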