libvirt/src/util
Daniel P. Berrange c567853089 CVE-2010-2242 Apply a source port mapping to virtual network masquerading
IPtables will seek to preserve the source port unchanged when
doing masquerading, if possible. NFS has a pseudo-security
option where it checks for the source port <= 1023 before
allowing a mount request. If an admin has used this to make the
host OS trusted for mounts, the default iptables behaviour will
potentially allow NAT'd guests access too. This needs to be
stopped.

With this change, the iptables -t nat -L -n -v rules for the
default network will be

Chain POSTROUTING (policy ACCEPT 95 packets, 9163 bytes)
 pkts bytes target     prot opt in     out     source               destination
   14   840 MASQUERADE  tcp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
   75  5752 MASQUERADE  udp  --  *      *       192.168.122.0/24    !192.168.122.0/24    masq ports: 1024-65535
    0     0 MASQUERADE  all  --  *      *       192.168.122.0/24    !192.168.122.0/24

* src/network/bridge_driver.c: Add masquerade rules for TCP
  and UDP protocols
* src/util/iptables.c, src/util/iptables.c: Add source port
  mappings for TCP & UDP protocols when masquerading.
2010-07-19 15:50:27 +01:00
authhelper.c esx: Move username and password helper functions to authhelper.c 2010-03-16 20:15:32 +01:00
authhelper.h esx: Move username and password helper functions to authhelper.c 2010-03-16 20:15:32 +01:00
bitmap.c Add ACK'd v2 changes for previous commit 2010-06-18 11:56:04 -04:00
bitmap.h build: fix cppi warnings 2010-05-21 16:02:18 -06:00
bridge.c build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
bridge.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
buf.c virBufferVSprintf: do not omit va_end(argptr) call 2010-02-19 18:32:23 +01:00
buf.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
cgroup.c cgroup: Fix compilation broken on MinGW due to dirent->d_type 2010-06-30 08:32:23 -06:00
cgroup.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
conf.c maint: add more free-like functions to the list and deal with fallout 2010-05-18 07:53:42 +02:00
conf.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
dnsmasq.c dnsmasqReload: avoid mingw link failure 2010-05-03 14:21:07 -06:00
dnsmasq.h Add dnsmasq module files 2010-04-26 17:20:02 +02:00
ebtables.c ebtablesAddRemoveRule, iptablesAddRemoveRule: don't skip va_end 2010-05-18 19:23:33 +02:00
ebtables.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
event.c Move all shared utility files to src/util/ 2009-09-21 14:41:47 +01:00
event.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
hash.c Fix up a comment in virHashUpdateEntry 2010-02-01 09:39:54 -05:00
hash.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
hooks.c hooks: fix typo 2010-05-28 06:54:28 -06:00
hooks.h Add hook utilities 2010-03-29 18:21:04 +02:00
hostusb.c hostusb: Properly handle 'usbX' sysfs files 2010-06-02 09:57:55 -04:00
hostusb.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
interface.c add 802.1Qbh and 802.1Qbg handling 2010-06-02 21:35:22 -04:00
interface.h add 802.1Qbh and 802.1Qbg handling 2010-06-02 21:35:22 -04:00
iptables.c CVE-2010-2242 Apply a source port mapping to virtual network masquerading 2010-07-19 15:50:27 +01:00
iptables.h CVE-2010-2242 Apply a source port mapping to virtual network masquerading 2010-07-19 15:50:27 +01:00
json.c build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
json.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
logging.c maint: don't mark VIR_WARN or VIR_WARN0 diagnostics for translation 2010-05-19 12:00:18 +02:00
logging.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
macvtap.c macvtap: work-around for 2.6.32 and older kernels 2010-06-17 07:05:38 -04:00
macvtap.h add 802.1Qbh and 802.1Qbg handling 2010-06-02 21:35:22 -04:00
memory.c Implement variable length structure allocator 2010-04-14 00:46:13 -04:00
memory.h maint: another preprocessor fix 2010-04-15 11:39:10 -06:00
network.c maint: s/initialis/initializ/ 2010-04-07 09:48:07 -06:00
network.h Use libvirt's existing ipv6/ipv4 parser/printer rather than self-written ones 2010-03-30 11:18:04 -04:00
pci.c Check for active PCI devices when doing nodedevice operations. 2010-06-29 10:40:00 -04:00
pci.h Check for active PCI devices when doing nodedevice operations. 2010-06-29 10:40:00 -04:00
processinfo.c build: update gnulib 2010-05-06 14:35:38 -06:00
processinfo.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
qparams.c qparams.c: do not skip va_end, twice 2010-02-19 11:52:04 +01:00
qparams.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
stats_linux.c build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
stats_linux.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
storage_file.c Enhance virStorageFileIsSharedFS 2010-06-28 11:55:45 -04:00
storage_file.h Don't reset user/group/security label on shared filesystems during migrate 2010-05-14 09:21:24 -04:00
threads-pthread.c Add recursive locks 2010-03-26 18:01:15 +00:00
threads-pthread.h Move all shared utility files to src/util/ 2009-09-21 14:41:47 +01:00
threads-win32.c build: avoid pthreads-win32 on mingw 2010-06-10 06:05:31 -06:00
threads-win32.h Move all shared utility files to src/util/ 2009-09-21 14:41:47 +01:00
threads.c build: avoid pthreads-win32 on mingw 2010-06-10 06:05:31 -06:00
threads.h build: avoid pthreads-win32 on mingw 2010-06-10 06:05:31 -06:00
util.c util: virExec: Dispatch all errors raised after fork 2010-07-02 10:29:06 -04:00
util.h Fix failing virGetHostname. 2010-05-26 08:59:31 -04:00
uuid.c Expose a host UUID in the capabilities XML 2010-05-25 17:09:18 +01:00
uuid.h Expose a host UUID in the capabilities XML 2010-05-25 17:09:18 +01:00
virterror_internal.h build: consistently indent preprocessor directives 2010-03-09 19:22:28 +01:00
virterror.c Improve some error messages about unsupported APIs/URIs 2010-06-23 14:07:39 +01:00
xml.c Introduce XML parsing utility functions 2010-03-23 15:40:04 +01:00
xml.h Introduce XML parsing utility functions 2010-03-23 15:40:04 +01:00