Florian Westphal <fw@xxxxxxxxx> wrote:
> PoC, incomplete -- ipv4 udp only.
>
> Ipv6 support needs help from ipv6 indirection infra.
>
> Also lacks direction support: the check should only be done
> for nf_conn objects created by externally generated packets.

Alternate fix idea:

1. store skb->skb_iif in nf_conn. This means locally vs. remote-generated nf_conn can be identified via ct->skb_iif != 0.

2. For "remote" case, force following behaviour: check that sport > dport and sport > 1024.

OTOH, this isn't transparent to users and might cause issues with very very old "credential passing" applications that insist on using privileged port range (< 1024) :-/
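The two-step heuristic sketched above (classify the conntrack entry by the recorded ingress interface, then apply the port rule only to remote-created entries), as an added C example that is not part of the thread or of any kernel patch. The `struct flow` and the sample flows are constructed stand-ins for the relevant nf_conn fields, and the last sample shows the legacy privileged-port case the message warns about.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for the fields the proposal would need from nf_conn:
 * the ingress interface index recorded when the entry was created and the
 * UDP ports of the original direction. Not the kernel's struct. */
struct flow {
    const char *name;
    int skb_iif;      /* 0 = locally generated, != 0 = arrived on an interface */
    uint16_t sport;
    uint16_t dport;
};

/* Step 1: an entry is "remote" when the packet that created it came in on
 * an interface (skb_iif != 0); locally generated packets carry 0. */
bool ct_is_remote(const struct flow *f)
{
    return f->skb_iif != 0;
}

/* Step 2: for remote entries require sport > dport and sport > 1024.
 * Locally created entries are left alone. */
bool ct_port_check_passes(const struct flow *f)
{
    if (!ct_is_remote(f))
        return true;
    return f->sport > f->dport && f->sport > 1024;
}

int main(void)
{
    /* Constructed sample flows; the last one is a legacy client insisting
     * on a privileged source port, which the rule would reject. */
    const struct flow flows[] = {
        { "local DNS query 40000->53",        0, 40000, 53   },
        { "remote DNS query 51234->53",       2, 51234, 53   },
        { "remote NTP 123->123",              2, 123,   123  },
        { "remote legacy client 1023->2049",  2, 1023,  2049 },
    };
    for (size_t i = 0; i < sizeof flows / sizeof flows[0]; i++)
        printf("%-34s remote=%d accept=%d\n", flows[i].name,
               ct_is_remote(&flows[i]), ct_port_check_passes(&flows[i]));
    return 0;
}
```

Running it shows the rule accepts both locally created entries and ordinary remote ephemeral-port flows, while rejecting remote flows whose source port is not above both the destination port and 1024.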