On Fri, Oct 01, 2021 at 03:21:28PM +0200, Florian Westphal wrote:
> Florian Westphal <fw@xxxxxxxxx> wrote:
> > PoC, incomplete -- ipv4 udp only.
> >
> > Ipv6 support needs help from ipv6 indirection infra.
> >
> > Also lacks direction support: the check should only be done
> > for nf_conn objects created by externally generated packets.
>
> Alternate fix idea:
>
> 1. store skb->skb_iif in nf_conn.
>
> This means locally vs. remote-generated nf_conn can be identified
> via ct->skb_iif != 0.
>
> 2. For "remote" case, force following behaviour:
> check that sport > dport and sport > 1024.
>
> OTOH, this isn't transparent to users and might cause issues
> with very very old "credential passing" applications that insist
> on using privileged port range (< 1024) :-/

Can't this be just expressed through ruleset? I mean, conditionally masquerade depending on whether the packet is locally generated or not, for remote, for sport > 1024 range.
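As an added illustration (not part of the thread, and not a ruleset proposed by either poster), this is one way the "express it in the ruleset" idea could look in nftables: forwarded UDP flows are masqueraded only when their source port is already above 1024, and the NAT-assigned source port is confined to the same range; locally generated traffic is masqueraded unconditionally. The interface names lan0 and wan0 are hypothetical, and the example assumes that in the nftables postrouting hook iifname matches the input device of forwarded packets and never matches locally generated ones (which have no input device).

```nft
# Added example, not from the thread. Interface names are placeholders.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Forwarded ("remote-generated") UDP flows: masquerade only if the
        # original source port is unprivileged, and keep the mapped source
        # port in the unprivileged range too.
        iifname "lan0" oifname "wan0" udp sport > 1024 masquerade to :1025-65535

        # Forwarded UDP flows with a privileged source port are left alone
        # (no SNAT), so they cannot be mapped onto a privileged port either.
        iifname "lan0" oifname "wan0" udp sport <= 1024 return

        # Everything else leaving wan0, including locally generated traffic
        # (no input interface, so the iifname rules above never match),
        # is masqueraded as usual.
        oifname "wan0" masquerade
    }
}
```

The trade-off the thread mentions shows up directly here: the second rule is what keeps privileged-port flows out of the masquerade path, and any application that insists on a source port below 1024 would need its own explicit rule ahead of it.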