On Mon, Jul 12, 2010 at 09:19:33AM -0400, Daniel P. Berrange wrote:
> For
> 
>   https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2010-2242
> 
> IPtables will seek to preserve the source port unchanged when
> doing masquerading, if possible. NFS has a pseudo-security
> option where it checks for the source port <= 1023 before
> allowing a mount request. If an admin has used this to make the
> host OS trusted for mounts, the default iptables behaviour will
> potentially allow NAT'd guests access too. This needs to be
> stopped.
> 
> With this change, the iptables -t nat -L -n -v rules for the
> default network will be
> 
> Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>    14   840 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>    75  5752 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
>     0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24
> 
> * src/network/bridge_driver.c: Add masquerade rules for TCP
>   and UDP protocols
> * src/util/iptables.c, src/util/iptables.c: Add source port
>   mappings for TCP & UDP protocols when masquerading.

  Looks fine, ACK,

Daniel

-- 
Daniel Veillard      | libxml Gnome XML XSLT toolkit  http://xmlsoft.org/
dan...@veillard.com  | Rpmfind RPM search engine http://rpmfind.net/
http://veillard.com/ | virtualization library  http://libvirt.org/

--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list
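As an added example, not part of the patch or of libvirt's own code, the script below does two things a host admin would want after reading the thread: it audits a saved `iptables -t nat -L -n -v` listing (the sample is constructed from the output quoted above, plus one unrestricted rule for contrast) and flags tcp/udp MASQUERADE rules that still allow a guest's privileged source port to be preserved, and it prints the restricted rules for a guest subnet in the form the patch describes. The subnet 10.0.0.0/24 in the sample is an assumption.

```shell
#!/bin/sh
# Added example (not from the libvirt patch): audit a saved
# `iptables -t nat -L -n -v` listing and flag tcp/udp MASQUERADE rules
# that do not confine mapped source ports to 1024-65535. Such rules can
# preserve a guest's privileged (<=1023) source port, so an NFS server
# that trusts "secure ports" from the host would also trust the guest.

# Constructed sample listing: the first two rules are the fixed form
# from the patch; the third (10.0.0.0/24 is assumed) is unrestricted.
SAMPLE_LISTING='Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
   75  5752 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
    0     0 MASQUERADE  tcp  --  *      *       10.0.0.0/24         !10.0.0.0/24'

# Print every tcp/udp MASQUERADE rule lacking the unprivileged port
# range; return 0 when none is found, 1 otherwise.
# Usage: audit_masq_rules "$(iptables -t nat -L -n -v)"
audit_masq_rules() {
    printf '%s\n' "$1" | awk '
        $3 == "MASQUERADE" && ($4 == "tcp" || $4 == "udp") {
            if ($0 !~ /masq ports: 1024-65535/) {
                print "UNRESTRICTED: " $0
                bad++
            }
        }
        END { exit (bad > 0) }'
}

# Print (do not execute) the iptables commands installing the
# restricted tcp/udp masquerade rules plus the catch-all rule for a
# guest subnet, matching the listing shown in the patch description.
# Usage: masq_rules 192.168.122.0/24
masq_rules() {
    net=$1
    for proto in tcp udp; do
        printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -p %s -j MASQUERADE --to-ports 1024-65535\n' \
            "$net" "$net" "$proto"
    done
    printf 'iptables -t nat -A POSTROUTING -s %s ! -d %s -j MASQUERADE\n' "$net" "$net"
}
```

Pipe the real listing into `audit_masq_rules` on a libvirt host to confirm the NAT rules carry the port restriction; a non-zero exit means at least one tcp/udp rule would preserve guest source ports.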