On Thu, Sep 23, 2021 at 03:12:42PM +0200, Florian Westphal wrote:
> Add a test case that demonstrates port shadowing via UDP.
>
> ns2 sends packet to ns1, from source port used by a udp service on the
> router, ns0. Then, ns1 sends packet to ns0:service, but that ends up getting
> forwarded to ns2.
>
> Also add three test cases that demonstrate mitigations:
> 1. disable use of $port as source from 'untrusted' origin
> 2. make the service untracked. This prevents masquerade entries
>    from having any effects.
> 3. add forced PAT via 'random' mode to translate the "wrong" sport
>    into an acceptable range.

Applied, thanks
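The three mitigations listed in the quoted message, written out as nftables rulesets for the router namespace ns0. This is an added example, not the selftest the patch adds; the service port (1405), the interface names (veth_ns1 facing ns1, veth_ns2 facing the masqueraded ns2) and the table names are assumptions.

```nft
# Assumed values: service on UDP 1405; veth_ns1 faces ns1 (external side),
# veth_ns2 faces ns2 (masqueraded, "untrusted" side).
define svc_port = 1405
define ext_if = "veth_ns1"
define int_if = "veth_ns2"

# Baseline masquerade that makes the shadowing possible: ns2 may keep its
# chosen source port, including one that collides with the router's service,
# and the resulting conntrack entry then steers ns1 -> ns0:1405 traffic to ns2.
table inet nat {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		oifname $ext_if masquerade
	}
}

# Mitigation 1: never forward a packet from the untrusted side that uses the
# service port as its source port, so no masquerade mapping for it can exist.
table inet filter {
	chain forward {
		type filter hook forward priority filter; policy accept;
		iifname $int_if udp sport $svc_port drop
	}
}

# Mitigation 2: exempt the service from connection tracking. Untracked
# packets are never matched against, or NATed by, existing conntrack entries,
# so a masquerade entry for port 1405 has no effect on them.
table inet raw {
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iifname $ext_if udp dport $svc_port notrack
	}
	chain output {
		type filter hook output priority raw; policy accept;
		oifname $ext_if udp sport $svc_port notrack
	}
}

# Mitigation 3: forced PAT. Replace the baseline masquerade rule with one
# using "random", so the source port is always rewritten and ns2's choice of
# the service port is never preserved on the external side.
#	oifname $ext_if masquerade random
```

Each mitigation is meant to be loaded on its own on top of the baseline table (mitigation 3 replaces the baseline masquerade rule), mirroring the separate test cases in the patch.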