Describe the bug
Antrea only has ARP spoofing guard flows for packets from local Pods, but does not have a check for ARP packets from the host gateway. It might introduce a security risk if a Pod is running in host-network mode on the Node with CAP_NET_RAW and trying to do ARP spoofing.
To Reproduce
Deploy Antrea
Expected
cookie=0x1a, table=10, priority=200,arp,in_port=gw0,arp_spa=$gw_ip,arp_sha=$gw_mac actions=resubmit(,20)
Actual behavior
cookie=0x1a, table=10, priority=200,arp,in_port=gw0 actions=resubmit(,20)
Versions:
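
A check for the gap described in this report, as an added example that is not part of the original issue or Antrea's own code: it scans `ovs-ofctl dump-flows`-style text for ARP flows in table 10 that admit packets from a port without pinning both `arp_spa` and `arp_sha`. The sample flows, the `pod1` port name and the addresses are constructed for illustration.

```python
import re

SPOOF_GUARD_TABLE = 10  # table number taken from the flows quoted in the report
REQUIRED = ("arp_spa", "arp_sha")  # fields the expected flow pins per port

def parse_flow(line):
    """Split one dump-flows style line into (match fields, actions)."""
    head, sep, actions = line.strip().partition(" actions=")
    if not sep:
        return None  # blank line or header, not a flow
    fields = {}
    for token in re.split(r",\s*", head):
        key, eq, value = token.partition("=")
        # Bare tokens such as "arp" are protocol shorthands with no value.
        fields[key.strip()] = value.strip().strip('"') if eq else True
    return fields, actions.strip()

def unguarded_arp_flows(dump, table=SPOOF_GUARD_TABLE):
    """Return (in_port, missing_fields) for ARP flows that forward
    packets from a port without matching sender IP and sender MAC."""
    findings = []
    for line in dump.splitlines():
        parsed = parse_flow(line)
        if parsed is None:
            continue
        fields, actions = parsed
        if fields.get("table") != str(table) or "arp" not in fields:
            continue
        if "in_port" not in fields or actions == "drop":
            continue
        missing = [f for f in REQUIRED if f not in fields]
        if missing:
            findings.append((fields["in_port"], missing))
    return findings

# Constructed sample modelled on the "Actual behavior" flow in the report.
SAMPLE_ACTUAL = """
cookie=0x1a, table=10, priority=200,arp,in_port=pod1,arp_spa=10.10.0.5,arp_sha=0a:00:00:00:00:05 actions=resubmit(,20)
cookie=0x1a, table=10, priority=200,arp,in_port=gw0 actions=resubmit(,20)
cookie=0x1a, table=10, priority=0 actions=drop
"""

# Constructed sample modelled on the "Expected" flow, with $gw_ip/$gw_mac filled in.
SAMPLE_EXPECTED = SAMPLE_ACTUAL.replace(
    "in_port=gw0 ", "in_port=gw0,arp_spa=10.10.0.1,arp_sha=0a:00:00:00:00:01 ")

if __name__ == "__main__":
    for port, missing in unguarded_arp_flows(SAMPLE_ACTUAL):
        print(f"ARP from {port} is not checked for: {', '.join(missing)}")
```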