From fd5fd259a02156babdfcb12f66cde6ec9e7274ae Mon Sep 17 00:00:00 2001 From: Dustin Lundquist Date: Thu, 31 Mar 2016 12:04:31 -0700 Subject: [PATCH] Iptables firewall prevent IP spoofed DHCP requests The DHCP rules in the fixed iptables firewall rules were too permissive. They permitted any UDP traffic with a source port of 68 and destination port of 67. Care must be taken since these rules return before the IP spoofing prevention rules. This patch splits the fixed DHCP rules into two, one for the discovery and request messages which take place before the instance has bound an IP address and a second to permit DHCP renewals. Conflicts: neutron/tests/functional/agent/test_firewall.py Change-Id: Ibc2b0fa80baf2ea8b01fa568cd1fe7a7e092e7a5 Partial-Bug: #1558658 (cherry picked from commit 6a93ee8ac1a901c255e3475a24f1afc11d8bf80f) --- neutron/agent/linux/iptables_firewall.py | 9 +- .../agent/linux/test_iptables_firewall.py | 42 +++- .../unit/agent/test_securitygroups_rpc.py | 187 ++++++++++-------- 3 files changed, 146 insertions(+), 92 deletions(-) diff --git a/neutron/agent/linux/iptables_firewall.py b/neutron/agent/linux/iptables_firewall.py index 5a5a51a7098..d985de8b1c3 100644 --- a/neutron/agent/linux/iptables_firewall.py +++ b/neutron/agent/linux/iptables_firewall.py @@ -386,9 +386,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver): mac_ipv6_pairs.append((mac, ip_address)) def _spoofing_rule(self, port, ipv4_rules, ipv6_rules): - # Allow dhcp client packets - ipv4_rules += [comment_rule('-p udp -m udp --sport 68 ' - '-m udp --dport 67 ' + # Allow dhcp client discovery and request + ipv4_rules += [comment_rule('-s 0.0.0.0/32 -d 255.255.255.255/32 ' + '-p udp -m udp --sport 68 --dport 67 ' '-j RETURN', comment=ic.DHCP_CLIENT)] # Drop Router Advts from the port. ipv6_rules += [comment_rule('-p ipv6-icmp -m icmp6 --icmpv6-type %s ' @@ -420,6 +420,9 @@ class IptablesFirewallDriver(firewall.FirewallDriver): mac_ipv4_pairs, ipv4_rules) self._setup_spoof_filter_chain(port, self.iptables.ipv6['filter'], mac_ipv6_pairs, ipv6_rules) + # Allow dhcp client renewal and rebinding + ipv4_rules += [comment_rule('-p udp -m udp --sport 68 --dport 67 ' + '-j RETURN', comment=ic.DHCP_CLIENT)] def _drop_dhcp_rule(self, ipv4_rules, ipv6_rules): #Note(nati) Drop dhcp packet from VM diff --git a/neutron/tests/unit/agent/linux/test_iptables_firewall.py b/neutron/tests/unit/agent/linux/test_iptables_firewall.py index a7d422b84f9..d413cb6b1db 100644 --- a/neutron/tests/unit/agent/linux/test_iptables_firewall.py +++ b/neutron/tests/unit/agent/linux/test_iptables_firewall.py @@ -158,10 +158,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', + '-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp ' + '--sport 68 --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-p udp -m udp --sport 68 --dport 67 -j RETURN', + comment=None), mock.call.add_rule( 'ofake_dev', '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', @@ -940,7 +945,8 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): filter_inst = self.v4filter_inst dhcp_rule = [mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', + '-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp ' + '--sport 68 --dport 67 -j RETURN', comment=None)] if ethertype == 'IPv6': @@ -1027,6 +1033,10 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): calls.append(mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None)) if ethertype == 'IPv4': + calls.append(mock.call.add_rule( + 'ofake_dev', + '-p udp -m udp --sport 68 --dport 67 -j RETURN', + comment=None)) calls.append(mock.call.add_rule( 'ofake_dev', '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', @@ -1195,10 +1205,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', + '-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp ' + '--sport 68 --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-p udp -m udp --sport 68 --dport 67 -j RETURN', + comment=None), mock.call.add_rule( 'ofake_dev', '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', @@ -1267,10 +1282,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', + '-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp ' + '--sport 68 --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-p udp -m udp --sport 68 --dport 67 -j RETURN', + comment=None), mock.call.add_rule( 'ofake_dev', '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', @@ -1442,10 +1462,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', + '-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp ' + '--sport 68 --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-p udp -m udp --sport 68 --dport 67 -j RETURN', + comment=None), mock.call.add_rule( 'ofake_dev', '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', @@ -1516,10 +1541,15 @@ class IptablesFirewallTestCase(BaseIptablesFirewallTestCase): comment=ic.PAIR_DROP), mock.call.add_rule( 'ofake_dev', - '-p udp -m udp --sport 68 -m udp --dport 67 -j RETURN', + '-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp ' + '--sport 68 --dport 67 -j RETURN', comment=None), mock.call.add_rule('ofake_dev', '-j $sfake_dev', comment=None), + mock.call.add_rule( + 'ofake_dev', + '-p udp -m udp --sport 68 --dport 67 -j RETURN', + comment=None), mock.call.add_rule( 'ofake_dev', '-p udp -m udp --sport 67 -m udp --dport 68 -j DROP', diff --git a/neutron/tests/unit/agent/test_securitygroups_rpc.py b/neutron/tests/unit/agent/test_securitygroups_rpc.py index 7609242b223..7b10ac956b9 100644 --- a/neutron/tests/unit/agent/test_securitygroups_rpc.py +++ b/neutron/tests/unit/agent/test_securitygroups_rpc.py @@ -1810,14 +1810,15 @@ IPSET_FILTER_1 = """# Generated by iptables_manager RETURN -I %(bn)s-i_port1 5 -m state --state INVALID -j DROP -I %(bn)s-i_port1 6 -j %(bn)s-sg-fallback --I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \ --j RETURN +-I %(bn)s-o_port1 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_port1 2 -j %(bn)s-s_port1 --I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_port1 5 -j RETURN --I %(bn)s-o_port1 6 -m state --state INVALID -j DROP --I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_port1 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_port1 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_port1 6 -j RETURN +-I %(bn)s-o_port1 7 -m state --state INVALID -j DROP +-I %(bn)s-o_port1 8 -j %(bn)s-sg-fallback -I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \ -j RETURN -I %(bn)s-s_port1 2 -j DROP @@ -1864,14 +1865,15 @@ IPTABLES_FILTER_1 = """# Generated by iptables_manager -I %(bn)s-i_port1 3 -p tcp -m tcp --dport 22 -j RETURN -I %(bn)s-i_port1 4 -m state --state INVALID -j DROP -I %(bn)s-i_port1 5 -j %(bn)s-sg-fallback --I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \ --j RETURN +-I %(bn)s-o_port1 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_port1 2 -j %(bn)s-s_port1 --I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_port1 5 -j RETURN --I %(bn)s-o_port1 6 -m state --state INVALID -j DROP --I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_port1 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_port1 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_port1 6 -j RETURN +-I %(bn)s-o_port1 7 -m state --state INVALID -j DROP +-I %(bn)s-o_port1 8 -j %(bn)s-sg-fallback -I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \ -j RETURN -I %(bn)s-s_port1 2 -j DROP @@ -1920,14 +1922,15 @@ IPTABLES_FILTER_1_2 = """# Generated by iptables_manager -I %(bn)s-i_port1 4 -s 10.0.0.4/32 -j RETURN -I %(bn)s-i_port1 5 -m state --state INVALID -j DROP -I %(bn)s-i_port1 6 -j %(bn)s-sg-fallback --I %(bn)s-o_port1 1 -p udp -m udp --sport 68 -m udp --dport 67 \ --j RETURN +-I %(bn)s-o_port1 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_port1 2 -j %(bn)s-s_port1 --I %(bn)s-o_port1 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_port1 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_port1 5 -j RETURN --I %(bn)s-o_port1 6 -m state --state INVALID -j DROP --I %(bn)s-o_port1 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_port1 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_port1 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_port1 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_port1 6 -j RETURN +-I %(bn)s-o_port1 7 -m state --state INVALID -j DROP +-I %(bn)s-o_port1 8 -j %(bn)s-sg-fallback -I %(bn)s-s_port1 1 -s 10.0.0.3/32 -m mac --mac-source 12:34:56:78:9A:BC \ -j RETURN -I %(bn)s-s_port1 2 -j DROP @@ -1993,20 +1996,24 @@ IPSET_FILTER_2 = """# Generated by iptables_manager -I %(bn)s-i_%(port2)s 4 -m set --match-set NIPv4security_group1 src -j RETURN -I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP -I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s --I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port1)s 5 -j RETURN --I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s --I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port2)s 5 -j RETURN --I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback -I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN -I %(bn)s-s_%(port1)s 2 -j DROP -I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN @@ -2077,20 +2084,24 @@ IPSET_FILTER_2_3 = """# Generated by iptables_manager -I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN -I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP -I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s --I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port1)s 5 -j RETURN --I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s --I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port2)s 5 -j RETURN --I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback -I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN -I %(bn)s-s_%(port1)s 2 -j DROP -I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN @@ -2159,22 +2170,24 @@ IPTABLES_FILTER_2 = """# Generated by iptables_manager -I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN -I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP -I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 \ --j RETURN +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s --I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port1)s 5 -j RETURN --I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 \ --j RETURN +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s --I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port2)s 5 -j RETURN --I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback -I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN -I %(bn)s-s_%(port1)s 2 -j DROP -I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN @@ -2242,20 +2255,24 @@ IPTABLES_FILTER_2_2 = """# Generated by iptables_manager -I %(bn)s-i_%(port2)s 4 -s %(ip1)s -j RETURN -I %(bn)s-i_%(port2)s 5 -m state --state INVALID -j DROP -I %(bn)s-i_%(port2)s 6 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s --I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port1)s 5 -j RETURN --I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s --I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port2)s 5 -j RETURN --I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback -I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN -I %(bn)s-s_%(port1)s 2 -j DROP -I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN @@ -2326,20 +2343,24 @@ IPTABLES_FILTER_2_3 = """# Generated by iptables_manager -I %(bn)s-i_%(port2)s 5 -p icmp -j RETURN -I %(bn)s-i_%(port2)s 6 -m state --state INVALID -j DROP -I %(bn)s-i_%(port2)s 7 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port1)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port1)s 2 -j %(bn)s-s_%(port1)s --I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port1)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port1)s 5 -j RETURN --I %(bn)s-o_%(port1)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port1)s 7 -j %(bn)s-sg-fallback --I %(bn)s-o_%(port2)s 1 -p udp -m udp --sport 68 -m udp --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port1)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port1)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port1)s 6 -j RETURN +-I %(bn)s-o_%(port1)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port1)s 8 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 1 -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp \ +--sport 68 --dport 67 -j RETURN -I %(bn)s-o_%(port2)s 2 -j %(bn)s-s_%(port2)s --I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP --I %(bn)s-o_%(port2)s 4 -m state --state RELATED,ESTABLISHED -j RETURN --I %(bn)s-o_%(port2)s 5 -j RETURN --I %(bn)s-o_%(port2)s 6 -m state --state INVALID -j DROP --I %(bn)s-o_%(port2)s 7 -j %(bn)s-sg-fallback +-I %(bn)s-o_%(port2)s 3 -p udp -m udp --sport 68 --dport 67 -j RETURN +-I %(bn)s-o_%(port2)s 4 -p udp -m udp --sport 67 -m udp --dport 68 -j DROP +-I %(bn)s-o_%(port2)s 5 -m state --state RELATED,ESTABLISHED -j RETURN +-I %(bn)s-o_%(port2)s 6 -j RETURN +-I %(bn)s-o_%(port2)s 7 -m state --state INVALID -j DROP +-I %(bn)s-o_%(port2)s 8 -j %(bn)s-sg-fallback -I %(bn)s-s_%(port1)s 1 -s %(ip1)s -m mac --mac-source %(mac1)s -j RETURN -I %(bn)s-s_%(port1)s 2 -j DROP -I %(bn)s-s_%(port2)s 1 -s %(ip2)s -m mac --mac-source %(mac2)s -j RETURN