Re: [PATCH nf 1/2] selftests: nft_nat: add udp hole punch test case

On Thu, Sep 23, 2021 at 03:12:42PM +0200, Florian Westphal wrote:
> Add a test case that demonstrates port shadowing via UDP.
> 
> ns2 sends packet to ns1, from source port used by a udp service on the
> router, ns0.  Then, ns1 sends packet to ns0:service, but that ends up getting
> forwarded to ns2.
> 
> Also add three test cases that demonstrate mitigations:
> 1. disable use of $port as source from 'untrusted' origin
> 2. make the service untracked.  This prevents masquerade entries
>    from having any effects.
> 3. add forced PAT via 'random' mode to translate the "wrong" sport
>    into an acceptable range.

Applied, thanks
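The three mitigations listed in the quoted commit message, written out as nftables rules, as an added illustrative example that is not the selftest script from the patch. The topology follows the description (ns0 is the masquerading router and runs the UDP service, ns1 is the external peer, ns2 is the internal host); the interface names, the internal subnet and the service port 1405 are placeholders chosen for this example. Each table stands on its own; any one of the three closes the shadowing path.

```nft
# Added example ruleset for the router ns0 (not the patch's own test script).
# Assumed, placeholder values:
define service_port = 1405          # UDP service listening on ns0
define ext_if = "veth1"             # link towards ns1 (external peer)
define int_if = "veth2"             # link towards ns2 (internal host)
define int_net = 10.0.2.0/24        # ns2's subnet, masqueraded towards ns1

# Mitigation 1: never forward an internal packet whose UDP source port is the
# router's own service port. Without a conntrack entry for ns2:1405 -> ns1,
# masquerade cannot later map ns1 -> ns0:1405 back to ns2.
table inet shadow_filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname $int_if udp sport $service_port drop
    }
}

# Mitigation 2: exempt the service itself from connection tracking. An
# untracked packet never consults the NAT table, so an existing masquerade
# entry created by ns2 has no effect on traffic addressed to ns0:1405, and the
# service's replies are not tracked either.
table inet shadow_notrack {
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        iifname $ext_if udp dport $service_port notrack
    }
    chain output {
        type filter hook output priority raw; policy accept;
        oifname $ext_if udp sport $service_port notrack
    }
}

# Mitigation 3: forced PAT. Masqueraded UDP flows from the internal subnet are
# always rewritten to a source port inside a range that cannot collide with the
# service port, so a "wrong" source port chosen by ns2 is not preserved.
table inet shadow_pat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $ext_if ip saddr $int_net meta l4proto udp masquerade to :10000-20000 random
    }
}
```

Load whichever table you want to test with `nft -f` inside the router namespace; the `ip saddr $int_net` match in the PAT table keeps the router's own locally generated replies (source ns0:1405) out of the port rewrite, which would otherwise break the service.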


