No ARP spoof guard for packets from host gateway #200

wenyingd · 2019-12-06T08:55:18Z

Describe the bug
Antrea only has ARP spoofing guard flows for packets from local Pod, but not have check for ARP packets from host gateway. It might introduce security risk if a Pod running in host-network mode on the Node with CAP_NET_RAW and trying to do ARP spoofing.

To Reproduce
Deploy Antrea

Expected
cookie=0x1a, table=10, priority=200,arp,in_port=gw0,arp_spa=$gw_ip,arp_sha=$gw_mac actions=resubmit(,20)

Actual behavior
cookie=0x1a, table=10, priority=200,arp,in_port=gw0 actions=resubmit(,20)

Versions:

Antrea: 0.1/0.2

antoninbas · 2019-12-06T18:33:43Z

I agree that this is probably a nice thing to add.

wenyingd added the bug label Dec 6, 2019

wenyingd self-assigned this Dec 6, 2019

wenyingd mentioned this issue Dec 9, 2019

Add ARP spoofing guard for host gateway port #210

Merged

wenyingd closed this as completed in #210 Dec 12, 2019

salv-orlando mentioned this issue Dec 19, 2019

Release 0.2.0 #252

Merged

McCodeman added the kind/bug Categorizes issue or PR as related to a bug. label Jan 29, 2020

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No ARP spoof guard for packets from host gateway #200

No ARP spoof guard for packets from host gateway #200

wenyingd commented Dec 6, 2019 •

edited

Loading

antoninbas commented Dec 6, 2019

No ARP spoof guard for packets from host gateway #200

No ARP spoof guard for packets from host gateway #200

Comments

wenyingd commented Dec 6, 2019 • edited Loading

antoninbas commented Dec 6, 2019

wenyingd commented Dec 6, 2019 •

edited

Loading