On Fri, Dec 17, 2021 at 11:29:57AM +0100, Florian Westphal wrote:
> If destination port is above 32k and source port below 16k
> assume this might cause 'port shadowing' where a 'new' inbound
> connection matches an existing one, e.g.
>
> inbound X:41234 -> Y:53 matches existing conntrack entry
> Z:53 -> X:4123, where Z got natted to X.
>
> In this case, the new packet is natted to Z:53, which is likely
> unwanted.
>
> We avoid the rewrite for connections that originate from local host:
> port-shadowing is only possible with forwarded connections.
>
> Also adjust test case.
>
> v3: no need to call tuple_force_port_remap if already in random mode (Phil)
>
> Cc: Eric Garver <eric@xxxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> Acked-by: Phil Sutter <phil@xxxxxx>
> ---
> resent without changes, kept Phil's ack.
>
>  net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
>  tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
>  2 files changed, 43 insertions(+), 5 deletions(-)

Acked-by: Eric Garver <eric@xxxxxxxxxxx>
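The shadowing scenario from the commit message, and the effect of the sport/dport heuristic, as an added toy model written for this page (not the kernel's nf_nat_core.c code). It assumes a single masquerading NAT box whose external address doubles as "Y", the simplest case in which the victim's later packet matches the reply tuple; all addresses and ports are constructed.

```python
import random

# Constructed toy model of conntrack + masquerade (source NAT); not kernel code.
# Mappings are stored by their *reply* tuple so inbound packets can be matched.
class NatBox:
    def __init__(self, ext_ip, force_remap):
        self.ext_ip = ext_ip            # NAT's external address (plays "Y" here)
        self.force_remap = force_remap  # heuristic from the patch on/off
        self.table = {}                 # reply tuple -> (internal ip, internal port)
        self.used = set()               # NAT source ports already handed out

    def needs_remap(self, sport, dport, from_local):
        # Patch heuristic: dport above 32k and sport below 16k on a *forwarded*
        # connection; locally originated traffic is exempt.
        return self.force_remap and not from_local and dport > 32768 and sport < 16384

    def pick_sport(self, sport, dport, from_local):
        if sport in self.used or self.needs_remap(sport, dport, from_local):
            while True:  # remap into the high range instead of preserving sport
                p = random.randrange(16384, 65536)
                if p not in self.used:
                    return p
        return sport     # default behaviour: keep the original source port

    def outbound(self, src, sport, dst, dport, from_local=False):
        nat_sport = self.pick_sport(sport, dport, from_local)
        self.used.add(nat_sport)
        self.table[(dst, dport, self.ext_ip, nat_sport)] = (src, sport)
        return (self.ext_ip, nat_sport, dst, dport)

    def inbound(self, src, sport, dst, dport):
        # Reply-direction lookup: a hit means DNAT back to the internal host.
        hit = self.table.get((src, sport, dst, dport))
        if hit is None:
            return (src, sport, dst, dport)  # no entry: stays addressed to the NAT
        return (src, sport) + hit

def shadowed(force_remap):
    """True if X's later packet to Y:53 is delivered to Z instead (port shadowing)."""
    nat = NatBox("203.0.113.1", force_remap)
    # 1. Internal Z sends from port 53 to X's ephemeral port 41234. Without the
    #    heuristic the mapping keeps sport 53: 203.0.113.1:53 -> X:41234.
    nat.outbound("10.0.0.2", 53, "198.51.100.7", 41234)
    # 2. X (external) sends a DNS query from 41234 to Y:53. It matches the reply
    #    tuple of Z's entry and is natted to Z:53 unless sport was remapped.
    _, _, dst, dport = nat.inbound("198.51.100.7", 41234, "203.0.113.1", 53)
    return (dst, dport) == ("10.0.0.2", 53)
```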