git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 17 Dec 2021 10:29:57 +0000 (11:29 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 23 Dec 2021 00:07:44 +0000 (01:07 +0100)
commit	083d758350017d472e85fa70c5c06c67e52ea5a1
tree	98e79ee96f3c1a14640d950a633c45cfce6d191f	tree \| snapshot
parent	333c02857a0404e73eed818dde668ac5936f0850	commit \| diff

netfilter: nat: force port remap to prevent shadowing well-known ports

If destination port is above 32k and source port below 16k
assume this might cause 'port shadowing' where a 'new' inbound
connection matches an existing one, e.g.

inbound X:41234 -> Y:53 matches existing conntrack entry
Z:53 -> X:4123, where Z got natted to X.

In this case, new packet is natted to Z:53 which is likely
unwanted.

We avoid the rewrite for connections that originate from local host:
port-shadowing is only possible with forwarded connections.

Also adjust test case.

v3: no need to call tuple_force_port_remap if already in random mode (Phil)

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
Acked-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/netfilter/nf_nat_core.c		diff \| blob \| history
tools/testing/selftests/netfilter/nft_nat.sh		diff \| blob \| history