On Wed, Dec 15, 2021 at 01:20:26PM +0100, Florian Westphal wrote:
> If destination port is above 32k and source port below 16k
> assume this might cause 'port shadowing' where a 'new' inbound
> connection matches an existing one, e.g.
>
> inbound X:41234 -> Y:53 matches existing conntrack entry
> Z:53 -> X:4123, where Z got natted to X.
>
> In this case, new packet is natted to Z:53 which is likely
> unwanted.
>
> We avoid the rewrite for connections that originate from local host:
> port-shadowing is only possible with forwarded connections.
>
> Also adjust test case.
>
> Cc: Eric Garver <eric@xxxxxxxxxxx>
> Cc: Phil Sutter <phil@xxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> ---
> v2: skip remap if local_out is set.
>
>  net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
>  tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
>  2 files changed, 43 insertions(+), 5 deletions(-)

Thanks Florian!

Acked-by: Eric Garver <eric@xxxxxxxxxxx>
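A small model of the shadowing scenario and of the remap heuristic described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. The host names Z, Y and X follow the mail; reading "16k"/"32k" as 16384/32768, the ephemeral range used for remapped ports, and the conntrack table layout are my assumptions.

```python
"""Constructed model of conntrack 'port shadowing' and the avoidance heuristic.
Z is the internal host, Y the masquerading gateway, X the external peer."""
from dataclasses import dataclass

INTERNAL, GATEWAY, EXTERNAL = "Z", "Y", "X"


@dataclass(frozen=True)
class Tuple4:
    saddr: str
    sport: int
    daddr: str
    dport: int


def shadow_risk(sport: int, dport: int, local_out: bool) -> bool:
    """Heuristic from the mail: a low source port talking to a high destination
    port looks like a well-known service behind the NAT, so its port must not be
    preserved. Locally originated connections are exempt (v2 of the patch):
    shadowing needs a forwarded connection. Thresholds 16384/32768 are assumed."""
    return not local_out and sport < 16384 and dport > 32768


def masquerade(orig: Tuple4, in_use: set, local_out: bool, avoid_shadow: bool) -> Tuple4:
    """Choose the post-SNAT source port. Old behaviour: keep the port unless it
    collides. New behaviour: also remap when the shadow heuristic fires.
    Remapped ports come from 32768..60999 (constructed choice)."""
    forced = avoid_shadow and shadow_risk(orig.sport, orig.dport, local_out)
    keep = orig.sport not in in_use and not forced
    port = orig.sport if keep else next(p for p in range(32768, 61000) if p not in in_use)
    return Tuple4(GATEWAY, port, orig.daddr, orig.dport)


def reply_tuple(natted: Tuple4) -> Tuple4:
    """Reply direction of a NATted flow, i.e. what an inbound packet must match."""
    return Tuple4(natted.daddr, natted.dport, natted.saddr, natted.sport)


def inbound_hits_entry(avoid_shadow: bool, local_out: bool = False) -> bool:
    """Does the inbound packet X:41234 -> Y:53 match the reply direction of the
    existing entry Z:53 -> X:41234 after masquerading? True means the packet is
    de-NATted to Z:53, the shadowing the patch prevents."""
    orig = Tuple4(INTERNAL, 53, EXTERNAL, 41234)
    natted = masquerade(orig, in_use=set(), local_out=local_out, avoid_shadow=avoid_shadow)
    conntrack = {reply_tuple(natted): orig}  # reply tuple -> original entry
    inbound = Tuple4(EXTERNAL, 41234, GATEWAY, 53)
    return inbound in conntrack
```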