In brief: Given internal_client -- <router:service> -- external_client The internal client can create NAT entry on router in a way so that an external client trying to contact router:service is reverse-natted to internal_client:service instead. Long version: https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html First patch extends nft_nat.sh selftest with above scenario plus three ruleset changes that prevent this (sport-filtering, notrack for router:service and sport-based port remapping). I tried to come up with a kernel based solution as well, but those are not really nice either. The first option is attached: kernel queries udp with reversed addresses to see if this maps to a socket. If so, remap. Major pain point: adds entanglement to socket layer and will need extra glue for CONFIG_IPV6=m case. Second option is similar to the attached patch, but instead of sk lookup check the porposed new source port versus the 'ip_local_reserved_ports' sysctl. Would require userspace to set the reserved ports accordingly. I also had a look at the 'socket' match, but it cannot be used. It would have to be extended so that the socket lookup is done on arbirary saddr/daddr/sport/dport combination, or at the very least we'd need a 'invert' flag. Existing 'socket' uses the addresses/ports in the packet, but we'd need the addresses/ports of the hypothetical reply. Things that do not work: Change the sport range to only cover the IANA reserved port range. It sounds tempting but it sabotages dns resolvers using random source ports. Comments welcome. Florian Westphal (2): selftests: nft_nat: add udp hole punch test case netfilter: nf_nat: don't allow source ports that shadow local port net/netfilter/nf_nat_core.c | 41 +++++- tools/testing/selftests/netfilter/nft_nat.sh | 145 +++++++++++++++++++ 2 files changed, 183 insertions(+), 3 deletions(-) -- 2.32.0
