OpenStack Security Advisory

  1. Bug #1558658
  2. Comment #38

Comment 38 for bug 1558658

Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix merged to neutron (stable/liberty)

Reviewed: https://review.openstack.org/303572
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=fd5fd259a02156babdfcb12f66cde6ec9e7274ae
Submitter: Jenkins
Branch: stable/liberty

commit fd5fd259a02156babdfcb12f66cde6ec9e7274ae
Author: Dustin Lundquist <email address hidden>
Date: Thu Mar 31 12:04:31 2016 -0700

    Iptables firewall prevent IP spoofed DHCP requests

    The DHCP rules in the fixed iptables firewall rules were too permissive.
    They permitted any UDP traffic with a source port of 68 and destination
    port of 67. Care must be taken since these rules return before the IP
    spoofing prevention rules. This patch splits the fixed DHCP rules into
    two, one for the discovery and request messages which take place before
    the instance has bound an IP address and a second to permit DHCP
    renewals.

    Conflicts:
     neutron/tests/functional/agent/test_firewall.py

    Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5
    Partial-Bug: #1558658
    (cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f)