network: prevent IP spoofing on upstream (eth0) interface

Currently there is just one anti-spoofing firewall rule ensuring packets
coming through vif+ interfaces have the right source address. Add
another rule ensuring that addresses that belong to VMs behind those
vif+ interfaces do not appear on other interfaces (specifically eth0, but
also physical ones).

Normally it wouldn't be an issue because of rp_filter (doing the same
based on the route table), default DROP in the FORWARD chain and also conntrack
(the need to guess exact port numbers and sequence numbers). But it
appears all three mechanisms are ineffective in some cases:
 - rp_filter in many distributions (including Fedora and Debian) was
 switched to Loose Mode, which doesn't verify the exact interface
 - there is a rule in the FORWARD table allowing established connections and
 conntrack does not keep track of input/output interfaces
 - CVE-2019-14899 allows guessing all the data needed to inject packets

Reported-by: Demi M. Obenour <demiobenour@gmail.com>
marmarek authored and DemiMarie committed on Nov 10, 2020
1 parent 68b61c2 commit 74f5fb5ac7160f145e8383d39d7c41c240f1f0ce
Showing with 4 additions and 1 deletion.
  1. +4 −1 network/vif-route-qubes
@@ -129,7 +129,10 @@ if [ "${ip}" ]; then
else
ipt=iptables-restore
fi
echo -e "*raw\\n$iptables_cmd -i ${vif} ! -s ${addr} -j DROP\\nCOMMIT" | \
printf '%s\n' "*raw" \
"$iptables_cmd -i ${vif} ! -s ${addr} -j DROP" \
"$iptables_cmd ! -i vif+ -s ${addr} -j DROP" \
"COMMIT" | \
${cmdprefix} $ipt --noflush $ipt_arg
done
# if no IPv6 is assigned, block all IPv6 traffic on that interface
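Review bot: the new `"$iptables_cmd ! -i vif+ -s ${addr} -j DROP"` rule has no comment explaining its purpose, while the rationale (loose rp_filter, the FORWARD rule for established connections, conntrack not tracking interfaces) lives only in the commit message; a one-line comment above the `printf`, in the style of the `# if no IPv6 is assigned` comment below it, such as `# anti-spoofing: a VM's address must never arrive on a non-vif interface`, would keep that reasoning next to the rule. Since both rules are built from the same `$iptables_cmd`, please also confirm that the variable carries the matching delete action on the teardown path, so the added rule is removed together with the existing one rather than accumulating in the raw table across vif up/down cycles. Replacing `echo -e` and the double-escaped `\\n` with `printf '%s\n'` is a welcome side fix, as the rule text no longer depends on the shell's echo escape handling.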
