Re: [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports

On Fri, Dec 17, 2021 at 11:29:57AM +0100, Florian Westphal wrote:
> If destination port is above 32k and source port below 16k
> assume this might cause 'port shadowing' where a 'new' inbound
> connection matches an existing one, e.g.
> 
> inbound X:41234 -> Y:53 matches existing conntrack entry
>         Z:53 -> X:4123, where Z got natted to X.
> 
> In this case, new packet is natted to Z:53 which is likely
> unwanted.
> 
> We avoid the rewrite for connections that originate from local host:
> port-shadowing is only possible with forwarded connections.
> 
> Also adjust test case.
> 
> v3: no need to call tuple_force_port_remap if already in random mode (Phil)
> 
> Cc: Eric Garver <eric@xxxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
> Acked-by: Phil Sutter <phil@xxxxxx>
> ---
>  resent without changes, kept Phil's ack.
>  net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
>  tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
>  2 files changed, 43 insertions(+), 5 deletions(-)

Acked-by: Eric Garver <eric@xxxxxxxxxxx>
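The scenario the commit message describes, replayed as an added example (this is a toy model written for this page, not the kernel's nf_nat_core.c): a minimal conntrack table with original and reply tuples, a masquerade step that keeps the source port unless the remap heuristic fires, and a lookup that shows whether a new inbound packet X:41234 -> Y:53 collides with the reply direction of the existing Z:53 -> X:41234 entry. The addresses, the exact thresholds (sport < 16384, dport >= 32768) and the ephemeral range starting at 32768 are assumptions of the example.

```c
/* Toy model of NAT "port shadowing" and the forced-port-remap heuristic
 * described in the commit message above. Added example, not the kernel's
 * nf_nat_core.c; addresses, thresholds and the ephemeral range are assumptions. */
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };

/* Conntrack entry: original direction plus the expected reply direction. */
struct ct_entry { struct tuple orig, reply; };

#define CT_MAX 16
static struct ct_entry ct_table[CT_MAX];
static int ct_count;
static uint16_t next_ephemeral;

/* Constructed addresses: Z sits behind gateway Y; X is an external peer.
 * Y also runs a service on port 53 that inbound packets are meant to reach. */
#define ADDR_Z 0x0A000002u /* 10.0.0.2 */
#define ADDR_Y 0xC0A80101u /* 192.168.1.1, the NAT gateway */
#define ADDR_X 0x01010101u /* 1.1.1.1 */

static void ct_reset(void) { ct_count = 0; next_ephemeral = 32768; }

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
    return a->saddr == b->saddr && a->daddr == b->daddr &&
           a->sport == b->sport && a->dport == b->dport;
}

/* True if the packet matches an existing entry in either direction, i.e. it
 * would be treated as part of that flow rather than as a new connection. */
bool ct_lookup(const struct tuple *pkt)
{
    for (int i = 0; i < ct_count; i++)
        if (tuple_eq(pkt, &ct_table[i].orig) || tuple_eq(pkt, &ct_table[i].reply))
            return true;
    return false;
}

/* The heuristic from the commit message: a forwarded connection whose source
 * port is below 16k and whose destination port is above 32k gets its source
 * port remapped. Locally originated connections are exempt, since shadowing
 * only affects forwarded traffic. Exact comparisons are an assumption here. */
bool tuple_force_port_remap(uint16_t sport, uint16_t dport, bool from_local)
{
    if (from_local)
        return false;
    return sport < 16384 && dport >= 32768;
}

/* Allocate an ephemeral port not already used by a reply tuple toward the gateway. */
static uint16_t alloc_ephemeral(void)
{
    for (;;) {
        uint16_t p = next_ephemeral++;
        bool busy = false;
        for (int i = 0; i < ct_count; i++)
            if (ct_table[i].reply.daddr == ADDR_Y && ct_table[i].reply.dport == p)
                busy = true;
        if (!busy)
            return p;
    }
}

/* Masquerade a new outbound connection: the source address becomes the gateway;
 * the source port is kept unless the heuristic (when enabled) forces a remap. */
void nat_new_connection(struct tuple orig, bool from_local, bool heuristic_enabled)
{
    uint16_t nat_sport = orig.sport;
    if (heuristic_enabled && tuple_force_port_remap(orig.sport, orig.dport, from_local))
        nat_sport = alloc_ephemeral();
    struct ct_entry e = {
        .orig  = orig,
        .reply = { .saddr = orig.daddr, .daddr = ADDR_Y,
                   .sport = orig.dport, .dport = nat_sport },
    };
    assert(ct_count < CT_MAX);
    ct_table[ct_count++] = e;
}

/* Replays the commit message's case: Z:53 -> X:41234 is masqueraded through Y,
 * then X sends a brand-new packet X:41234 -> Y:53. Returns true if that packet
 * is captured by the existing entry (shadowing) instead of reaching Y:53. */
bool simulate_shadowing(bool heuristic_enabled)
{
    ct_reset();
    struct tuple out = { .saddr = ADDR_Z, .daddr = ADDR_X, .sport = 53, .dport = 41234 };
    nat_new_connection(out, /*from_local=*/false, heuristic_enabled);
    struct tuple in = { .saddr = ADDR_X, .daddr = ADDR_Y, .sport = 41234, .dport = 53 };
    return ct_lookup(&in);
}

int main(void)
{
    printf("no forced remap: inbound X:41234->Y:53 shadowed = %d\n", simulate_shadowing(false));
    printf("forced remap:    inbound X:41234->Y:53 shadowed = %d\n", simulate_shadowing(true));
    return 0;
}
```

Without the heuristic the masqueraded reply tuple is exactly X:41234 -> Y:53, so the new inbound packet is swallowed by the existing flow and would be rewritten toward Z:53; with the heuristic the gateway-side port moves into the ephemeral range and the inbound packet is seen as new. The real kernel additionally skips the forced remap when the NAT rule already requests random port selection (the v3 note above), which this toy model does not implement.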

