Re: [PATCH RFC 2/2] netfilter: nf_nat: don't allow source ports that shadow local port

Florian Westphal <fw@xxxxxxxxx> wrote:
> PoC, incomplete -- IPv4 UDP only.
> 
> IPv6 support needs help from the ipv6 indirection infra.
> 
> Also lacks direction support: the check should only be done
> for nf_conn objects created by externally generated packets.
 
Alternate fix idea:

1. store skb->skb_iif in nf_conn.

This means locally vs. remote-generated nf_conn can be identified
via ct->skb_iif != 0.

2. For the "remote" case, force the following behaviour:
   check that sport > dport and sport > 1024.

OTOH, this isn't transparent to users and might cause issues
with very very old "credential passing" applications that insist
on using privileged port range (< 1024) :-/
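Added example, not code from the RFC patch or from nf_nat itself: a userspace C model of the two rules under discussion, the port-shadowing check from the patch subject and the alternate "remote" heuristic from the reply (skb_iif stored in the conntrack, then sport > dport and sport > 1024 for externally created entries). The `ct_model` struct, the `nat_pick_sport` allocator and the table of locally bound UDP ports are constructed for illustration and do not mirror the kernel's data structures or its port-selection loop.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Reduced conntrack entry (constructed for this example). The reply
 * proposes storing skb->skb_iif in nf_conn: 0 means the flow was
 * generated locally, anything else names the interface an external
 * packet arrived on.
 */
struct ct_model {
    uint32_t skb_iif;
    uint16_t sport;   /* source port as seen before NAT */
    uint16_t dport;
};

/* Ports currently bound by local UDP sockets; constructed table. */
static const uint16_t local_udp_ports[] = { 53, 123, 5353, 40000 };
static const size_t n_local_udp_ports =
    sizeof(local_udp_ports) / sizeof(local_udp_ports[0]);

/* Rule from the patch subject: a NATed source port must not shadow a
 * port that a local socket listens on. */
bool shadows_local_port(uint16_t port, const uint16_t *local, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (local[i] == port)
            return true;
    return false;
}

/* Rule from the reply: for "remote" conntracks require sport > dport and
 * sport > 1024. Locally generated flows (skb_iif == 0) are exempt. */
bool remote_sport_ok(const struct ct_model *ct, uint16_t sport)
{
    if (ct->skb_iif == 0)
        return true;
    return sport > ct->dport && sport > 1024;
}

static bool sport_acceptable(const struct ct_model *ct, uint16_t sport,
                             const uint16_t *local, size_t n)
{
    if (ct->skb_iif == 0)
        return true; /* a local socket already owns this port */
    return !shadows_local_port(sport, local, n) && remote_sport_ok(ct, sport);
}

/*
 * Pick a source port for ct: keep ct->sport if both rules allow it,
 * otherwise walk every other port once, wrapping around. Returns -1
 * when nothing fits, which the sport > dport rule makes possible for
 * very high destination ports.
 */
int nat_pick_sport(const struct ct_model *ct, const uint16_t *local, size_t n)
{
    if (sport_acceptable(ct, ct->sport, local, n))
        return ct->sport;
    for (uint32_t i = 1; i < 65536; i++) {
        uint16_t cand = (uint16_t)((ct->sport + i) % 65536);
        if (cand == 0)
            continue;
        if (sport_acceptable(ct, cand, local, n))
            return cand;
    }
    return -1;
}

int main(void)
{
    struct ct_model cases[] = {
        { 0, 53,    53    }, /* locally generated: left alone */
        { 2, 40000, 53    }, /* forwarded, shadows local 40000 */
        { 2, 513,   514   }, /* privileged-port app: gets rewritten */
        { 2, 5353,  65535 }, /* sport > dport cannot be satisfied */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("iif=%u sport=%u dport=%u -> %d\n", cases[i].skb_iif,
               cases[i].sport, cases[i].dport,
               nat_pick_sport(&cases[i], local_udp_ports, n_local_udp_ports));
    return 0;
}
```

The third case shows the caveat raised in the reply: an externally created flow whose application insists on a source port below 1024 is rewritten to the first port above 1024, so the rule is not transparent to such applications. The last case shows a second consequence of sport > dport that a reviewer would want noted: for a destination port of 65535 no source port can satisfy it at all.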


