Allow forwarding of all DHCP traffic #3975
Merged
Recently we added an iptables rule to prevent forwarding of non-app traffic (so that an attacker cannot use EVE to hop from one network to another). This rule is based on connection tracking, differentiating between host and app traffic using marks. However, app-initiated DHCP requests can match the same conntrack entry that was created for DHCP requests sent by the DHCP client of EVE.
This is because source/destination IPs are undefined or broadcast:
This means that application DHCP traffic may get the `in_dhcp` mark (as opposed to `app_dhcp`) and forwarding will not be allowed. This is particularly a problem for switch NI. Let's create an exception rule allowing forwarding of DHCP traffic even if it has the `in_dhcp` mark, given that the same mark can be accidentally assigned also to an application DHCP request.
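The rule ordering the description calls for, as an added example that is not the EVE project's own code: a simplified FORWARD chain in iptables-restore syntax where the DHCP exception sits before the connmark-based drop, plus a small check that audits a ruleset dump for that ordering. The chain layout, the `APP_MARK`/`IN_DHCP_MARK` values and the function names are assumptions for illustration; EVE's real chains and mark values are not shown on this page.

```shell
# Added example, not code from the EVE project. It assumes a simplified layout of
# the forwarding filter: every connection carries a connmark, and FORWARD drops
# anything whose mark is not the app mark. Mark values are hypothetical.
APP_MARK=0x2      # hypothetical value of the app traffic mark (app_dhcp belongs here)
IN_DHCP_MARK=0x1  # hypothetical value of the in_dhcp mark (host DHCP client)

# Emit a FORWARD chain in iptables-restore syntax. The DHCP exception is placed
# before the mark-based drop, so an app DHCP request that was matched to the
# host's conntrack entry (and therefore carries IN_DHCP_MARK) is still forwarded.
# IPv4 DHCP only (UDP 68 -> 67 for client requests, 67 -> 68 for server replies).
dhcp_forward_rules() {
  cat <<EOF
*filter
:FORWARD DROP [0:0]
-A FORWARD -p udp --sport 68 --dport 67 -j ACCEPT
-A FORWARD -p udp --sport 67 --dport 68 -j ACCEPT
-A FORWARD -m connmark ! --mark $APP_MARK -j DROP
-A FORWARD -j ACCEPT
COMMIT
EOF
}

# Audit check: given a ruleset dump (as text), return 0 if the DHCP client->server
# ACCEPT precedes the first connmark-based DROP, 1 if it is missing or comes after.
# A ruleset that fails this check would still drop mis-marked app DHCP requests.
check_dhcp_exception_order() {
  ruleset=$1
  accept_line=$(printf '%s\n' "$ruleset" \
    | grep -n -- '--sport 68 --dport 67 -j ACCEPT' | head -n1 | cut -d: -f1)
  drop_line=$(printf '%s\n' "$ruleset" \
    | grep -n -- '-m connmark ! --mark' | head -n1 | cut -d: -f1)
  [ -n "$accept_line" ] && [ -n "$drop_line" ] && [ "$accept_line" -lt "$drop_line" ]
}

# Usage: generate the chain and confirm the exception is ordered correctly.
if check_dhcp_exception_order "$(dhcp_forward_rules)"; then
  echo "DHCP exception precedes connmark drop"
else
  echo "DHCP exception missing or ordered after connmark drop"
fi
```

The accept rules match on ports only, so they forward DHCP regardless of which mark the connection ended up with; if the deployment wants to narrow the exception to the network instance bridge, adding an `-i <bridge>` match to those two rules is the natural place (that interface name is deployment-specific and not assumed here).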