From 5aba3913bbebe57dce54045badefb1f9a17fbe60 Mon Sep 17 00:00:00 2001
From: Chiradeep Vittal <chiradeep@cloud.com>
Date: Thu, 5 Jan 2012 17:44:46 -0800
Subject: [PATCH] bug 12854: arp requests can also be used to poison arp caches

---
 scripts/vm/hypervisor/xenserver/vmops | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/scripts/vm/hypervisor/xenserver/vmops b/scripts/vm/hypervisor/xenserver/vmops
index 54399b6bb9b..014536d8081 100755
--- a/scripts/vm/hypervisor/xenserver/vmops
+++ b/scripts/vm/hypervisor/xenserver/vmops
@@ -673,7 +673,8 @@ def default_arp_antispoof(vm_chain, vifs, vm_ip, vm_mac):
             #accept arp replies into the bridge as long as the source mac and ips match the vm
             util.pread2(['arptables',  '-A', vm_chain, '-i', vif, '--opcode', 'Reply', '--source-mac',  vm_mac, '--source-ip',  vm_ip, '-j', 'ACCEPT'])
             #accept any arp requests from this vm. In the future this can be restricted to deny attacks on hosts
-            util.pread2(['arptables',  '-A', vm_chain, '-i', vif, '--opcode', 'Request',  '-j', 'ACCEPT'])
+            #also important to restrict source ip and src mac in these requests as they can be used to update arp tables on destination
+            util.pread2(['arptables',  '-A', vm_chain, '-i', vif, '--opcode', 'Request',  '--source-mac',  vm_mac, '--source-ip',  vm_ip, '-j', 'RETURN'])
             #accept any arp requests to this vm as long as the request is for this vm's ip
             util.pread2(['arptables',  '-A', vm_chain, '-o', vif, '--opcode', 'Request', '--destination-ip', vm_ip, '-j', 'ACCEPT'])   
             #accept any arp replies to this vm as long as the mac and ip matches