Feature #3175: FILTER_IP_SPOOFING and FILTER_MAC_SPOOFING must be set to "YES" (and not just any value) in order to be applied.

2025-03-21 14:50:08 +03:00 · 2014-12-09 16:23:14 +01:00 · 2014-12-09 16:23:14 +01:00 · a5144a0946
commit a5144a0946
parent fa5a584296
1 changed files with 4 additions and 4 deletions
--- a/src/vnm_mad/remotes/SecurityGroups.rb
+++ b/src/vnm_mad/remotes/SecurityGroups.rb
@ -397,12 +397,12 @@ class SecurityGroupIPTables < SecurityGroup
        commands.iptables"-I #{GLOBAL_CHAIN} -m physdev --physdev-in  #{nic[:tap]} --physdev-is-bridged -j #{chain_out}"

        # Mac-spofing
-        if nic[:filter_mac_spoofing]
+        if nic[:filter_mac_spoofing] == "YES"
            commands.iptables"-A #{chain_out} -m mac ! --mac-source #{nic[:mac]} -j DROP"
        end

        # IP-spofing
-        if nic[:filter_ip_spoofing]
+        if nic[:filter_ip_spoofing] == "YES"
            commands.iptables"-A #{chain_out} ! --source #{nic[:ip]} -j DROP"
        end

@ -562,8 +562,8 @@ class OpenNebulaSG < OpenNebulaNetwork
        # Process the rules
        @vm.nics.each do |nic|
            next if nic[:security_groups].nil? \
-                && nic[:filter_mac_spoofing].nil? \
-                && nic[:filter_ip_spoofing].nil?
+                && nic[:filter_mac_spoofing] != "YES" \
+                && nic[:filter_ip_spoofing]  != "YES"


            SECURITY_GROUP_CLASS.nic_pre(@vm, nic)