yahoo-eng-team team mailing list archive

[Bug 1699495] [NEW] security groups allows localhost (127.0.0.0/8) to pass

 

Public bug reported:

Host local IP addresses shouldn't be in source_ip for incoming packets.
No exceptions.

The current implementation of security groups, when a user allows a wide
range of IP addresses to pass, allows 127.0.0.0/8 to pass.

Steps to reproduce:
1. Create a rule in security groups which allows from 0.0.0.0/0
2. Send spoofed traffic with source 127.0.0.1 to the instance (hping3 -a 127.0.0.1 target_ip)

Expected behavior: no malformed traffic on instance interface.
Actual behavior: Traffic with source=127.0.0.1 on instance interface.

** Affects: neutron
     Importance: Undecided
         Status: New

-- 
You received this bug notification because you are a member of Yahoo!
Engineering Team, which is subscribed to neutron.
https://bugs.launchpad.net/bugs/1699495

To manage notifications about this bug go to:
https://bugs.launchpad.net/neutron/+bug/1699495/+subscriptions
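
The behaviour reported above, as an added example that is not part of the original bug report and is not Neutron's code: plain CIDR matching against an allow-all rule accepts a loopback source, while a loopback check placed ahead of rule evaluation drops it. The function names, the `drop_loopback` switch and the sample rule list are assumptions made for illustration.

```python
import ipaddress

# Constructed sample rule set: one ingress rule allowing any IPv4 source,
# as in step 1 of the report.
SAMPLE_RULES = ["0.0.0.0/0"]

LOOPBACK_V4 = ipaddress.ip_network("127.0.0.0/8")
LOOPBACK_V6 = ipaddress.ip_network("::1/128")


def rule_matches(src, allowed_cidrs):
    """Plain CIDR matching: True if src falls inside any allowed prefix."""
    addr = ipaddress.ip_address(src)
    for cidr in allowed_cidrs:
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net:
            return True
    return False


def is_loopback_source(src):
    """True for 127.0.0.0/8, ::1 and IPv4-mapped forms such as ::ffff:127.0.0.1."""
    addr = ipaddress.ip_address(src)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped  # unwrap so the IPv4 check below applies
    if addr.version == 4:
        return addr in LOOPBACK_V4
    return addr in LOOPBACK_V6


def filter_ingress(src, allowed_cidrs, drop_loopback=True):
    """Verdict for a packet arriving from the network on an instance port.

    drop_loopback=False models the reported behaviour (rules only);
    drop_loopback=True adds the source check before the rules are consulted.
    """
    if drop_loopback and is_loopback_source(src):
        return "DROP"
    return "ACCEPT" if rule_matches(src, allowed_cidrs) else "DROP"


if __name__ == "__main__":
    for src in ("127.0.0.1", "127.255.255.254", "198.51.100.7"):
        print(src,
              "rules-only:", filter_ingress(src, SAMPLE_RULES, drop_loopback=False),
              "with-check:", filter_ingress(src, SAMPLE_RULES))
```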