[PATCH nf 0/1.5 RFC] netfilter: nat: source port shadowing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]


In brief:

internal_client -- <router:service> -- external_client

The internal client can create NAT entry on router in a way so that
an external client trying to contact router:service is reverse-natted
to internal_client:service instead.

Long version: https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html

First patch extends nft_nat.sh selftest with above scenario plus three
ruleset changes that prevent this (sport-filtering, notrack for
router:service and sport-based port remapping).

I tried to come up with a kernel based solution as well, but those
are not really nice either.

The first option is attached: kernel queries udp with reversed addresses
to see if this maps to a socket.  If so, remap.

Major pain point: adds entanglement to socket layer and will
need extra glue for CONFIG_IPV6=m case.

Second option is similar to the attached patch, but instead of
sk lookup check the porposed new source port versus the
'ip_local_reserved_ports' sysctl.

Would require userspace to set the reserved ports accordingly.

I also had a look at the 'socket' match, but it cannot be used.
It would have to be extended so that the socket lookup is done
on arbirary saddr/daddr/sport/dport combination, or at the very
least we'd need a 'invert' flag.

Existing 'socket' uses the addresses/ports in the packet, but
we'd need the addresses/ports of the hypothetical reply.

Things that do not work:
Change the sport range to only cover the IANA reserved port
range.  It sounds tempting but it sabotages dns resolvers using random
source ports.

Comments welcome.

Florian Westphal (2):
  selftests: nft_nat: add udp hole punch test case
  netfilter: nf_nat: don't allow source ports that shadow local port

 net/netfilter/nf_nat_core.c                  |  41 +++++-
 tools/testing/selftests/netfilter/nft_nat.sh | 145 +++++++++++++++++++
 2 files changed, 183 insertions(+), 3 deletions(-)


[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux