Public bug reported: Host local IP addresses shouldn't be in source_ip for incoming packets. No exceptions.
The current implementation of security groups, when a user allows a wide range of IP addresses to pass, allows 127.0.0.0/8 to pass.

Steps to reproduce:
1. Create a rule in security groups which allows from 0.0.0.0/0
2. Send spoofed traffic with source 127.0.0.1 to the instance (hping3 -a 127.0.0.1 target_ip)

Expected behavior: no malformed traffic on the instance interface.
Actual behavior: traffic with source=127.0.0.1 on the instance interface.

** Affects: neutron
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1699495

Title:
  security groups allows localhost (127.0.0.0/8) to pass

Status in neutron:
  New
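The behaviour in the report, as an added example that is not neutron's code and not part of the original message: a security group is modelled, as an assumption, as a plain list of remote CIDRs from ingress allow rules, and the hypothetical functions `ingress_allowed` and `rules_covering_loopback` contrast prefix matching alone with a loopback-source drop applied before any allow rule.

```python
import ipaddress

# Source range the report says must never appear on incoming packets.
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")


def rule_matches(remote_cidr, src_ip):
    """True if src_ip falls inside the rule's remote CIDR (plain prefix match)."""
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(remote_cidr)


def ingress_allowed(rules, src_ip, drop_loopback_sources):
    """Decide whether an incoming packet with source src_ip is accepted.

    rules: remote CIDRs of ingress allow rules (simplified, assumed model).
    drop_loopback_sources: when True, loopback sources are rejected before
    any allow rule is consulted, so a wide rule cannot re-admit them.
    """
    if drop_loopback_sources and ipaddress.ip_address(src_ip) in LOOPBACK_NET:
        return False
    return any(rule_matches(cidr, src_ip) for cidr in rules)


def rules_covering_loopback(rules):
    """Audit helper: allow rules whose remote CIDR overlaps 127.0.0.0/8."""
    return [c for c in rules if ipaddress.ip_network(c).overlaps(LOOPBACK_NET)]


if __name__ == "__main__":
    rules = ["0.0.0.0/0"]  # the rule from step 1 of the report
    # Constructed sample sources: one loopback, one documentation address.
    for src in ("127.0.0.1", "203.0.113.7"):
        print(src,
              "| prefix match only:", ingress_allowed(rules, src, False),
              "| with loopback drop:", ingress_allowed(rules, src, True))
    print("rules overlapping loopback:", rules_covering_loopback(rules))
```
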