commit cc275e4975450947fa9d9e55ef42475a25bf611d
Author: Kevin Benton <email address hidden>
Date: Fri Mar 25 02:45:11 2016 -0700
Linux Bridge: Add mac spoofing filtering to ebtables
The current mac-spoofing code in iptables has two issues.
First, it occurs after the address discovery allow rules
(e.g. DHCP), so MAC addresses can be spoofed on discovery
protocols. Second, since it is based on iptables, it
doesn't apply to protocols like STP.
This means a VM could generate one of these types of packets
with a spoofed MAC address to trick switches into learning
that the spoofed MAC now belongs to the VM's port. The impact
of this depends on the configuration of the environment
(e.g. use of L2pop: see the bug report for details).
This patch adds MAC spoofing filtering to the ARP protection
code for Linux bridge based on ebtables. Only traffic sourced
from the MAC address on the port or in the allowed address
pair MACs will be allowed.
This filtering will not be enabled if the port has port
security disabled or if the device_owner starts with 'network:'.
Change-Id: I39dc0e23fc118ede19ef2d986b29fc5a8e48ff78
Partial-Bug: #1558658
(cherry picked from commit be298f8bc35e6d006c7a9361e42755c9d6790e1e)
Reviewed: https://review.openstack.org/299023
Committed: https://git.openstack.org/cgit/openstack/neutron/commit/?id=cc275e4975450947fa9d9e55ef42475a25bf611d
Submitter: Jenkins
Branch: stable/mitaka
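The rule shape the commit message describes (per-port source-MAC allow list, applied at the bridge layer before any protocol-specific allow rule, skipped when port security is off or device_owner starts with 'network:'), as an added illustration. This is not neutron's own code: the Port fields, the chain name, the use of RETURN for permitted MACs and the placement in the ebtables PREROUTING path are assumptions made for the example, and the sample ports are constructed.

```python
# Added illustrative example (not neutron code): build an ebtables-style
# per-port MAC filter from the port description in the commit message.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Port:
    """Minimal stand-in for a Neutron port; field names are assumptions."""
    vif: str                          # tap device attached to the Linux bridge
    mac: str                          # MAC address assigned to the port
    allowed_address_pairs: List[Dict[str, str]] = field(default_factory=list)
    port_security_enabled: bool = True
    device_owner: str = "compute:nova"


def permitted_macs(port: Port) -> List[str]:
    """Port MAC plus every allowed-address-pair MAC, lower-cased, deduplicated."""
    macs = [port.mac.lower()]
    for pair in port.allowed_address_pairs:
        # Assumption: a pair with no mac_address refers to the port's own MAC.
        mac = (pair.get("mac_address") or port.mac).lower()
        if mac not in macs:
            macs.append(mac)
    return macs


def mac_filter_rules(port: Port) -> List[str]:
    """ebtables rule arguments (hypothetical chain name) enforcing the
    source-MAC allow list on frames entering the bridge from the VM's tap.

    Returns an empty list when filtering is skipped: port security disabled,
    or device_owner starting with 'network:' (DHCP, router ports and so on).
    """
    if not port.port_security_enabled or port.device_owner.startswith("network:"):
        return []
    chain = "neutronMAC-" + port.vif   # assumed naming, one chain per port
    rules = [
        f"-N {chain}",
        f"-A PREROUTING -i {port.vif} -j {chain}",
    ]
    for mac in permitted_macs(port):
        rules.append(f"-A {chain} -i {port.vif} -s {mac} -j RETURN")
    # Anything else sourced from this tap is dropped here, at L2, before any
    # per-protocol allow rule (DHCP, ARP, STP) could see it.
    rules.append(f"-A {chain} -i {port.vif} -j DROP")
    return rules


def frame_allowed(port: Port, src_mac: str) -> bool:
    """Walk the generated chain the way ebtables would for one ingress frame."""
    rules = mac_filter_rules(port)
    if not rules:
        return True                      # no filtering on this port
    src = src_mac.lower()
    for rule in rules:
        parts = rule.split()
        if parts[0] != "-A" or parts[1] == "PREROUTING":
            continue                     # chain creation / jump, not a match rule
        if "-s" in parts:
            if parts[parts.index("-s") + 1] == src:
                return parts[-1] == "RETURN"
            continue
        return parts[-1] != "DROP"       # catch-all rule at the end of the chain
    return True


if __name__ == "__main__":
    # Constructed sample port: own MAC plus one allowed-address-pair MAC.
    sample = Port(
        vif="tap1",
        mac="FA:16:3E:00:00:01",
        allowed_address_pairs=[
            {"mac_address": "fa:16:3e:00:00:02", "ip_address": "10.0.0.5"},
            {"ip_address": "10.0.0.9"},
        ],
    )
    for line in mac_filter_rules(sample):
        print("ebtables -t nat " + line)
    print("spoofed source allowed:", frame_allowed(sample, "fa:16:3e:00:00:99"))
```

The order matters: the permitted-MAC rules must precede the unconditional DROP in the per-port chain, and the whole chain must be reached before any protocol allow rule, which is the ordering problem the commit message attributes to the old iptables-based check.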