| author | Florian Westphal <fw@strlen.de> | 2021-12-17 11:29:57 +0100 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2021-12-23 01:07:44 +0100 |
| commit | 878aed8db324bec64f3c3f956e64d5ae7375a5de (patch) | |
| tree | 98e79ee96f3c1a14640d950a633c45cfce6d191f /net/netfilter/nf_conntrack_acct.c | |
| parent | netfilter: conntrack: tag conntracks picked up in local out hook (diff) | |
| download | linux-dev-878aed8db324bec64f3c3f956e64d5ae7375a5de.tar.xz, linux-dev-878aed8db324bec64f3c3f956e64d5ae7375a5de.zip | |
netfilter: nat: force port remap to prevent shadowing well-known ports
If destination port is above 32k and source port below 16k
assume this might cause 'port shadowing' where a 'new' inbound
connection matches an existing one, e.g.
inbound X:41234 -> Y:53 matches existing conntrack entry
Z:53 -> X:4123, where Z got natted to X.
In this case, new packet is natted to Z:53 which is likely
unwanted.
We avoid the rewrite for connections that originate from local host:
port-shadowing is only possible with forwarded connections.
Also adjust test case.
v3: no need to call tuple_force_port_remap if already in random mode (Phil)
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
Acked-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
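The shadowing scenario and the remap heuristic described in the commit message, as an added Python simulation that is not part of the kernel change: conntrack entries are matched on their reply tuple, the remapped source port is taken deterministically from the ephemeral range instead of randomly (an assumption for reproducibility), and the hosts X, Y, Z and ports come from the message, with Y standing for the NAT's public address.

```python
# Added example, not kernel code: models NAT port shadowing and the
# "force source-port remap" heuristic from the commit message.

def force_port_remap(sport: int, dport: int, from_local: bool) -> bool:
    """Heuristic from the commit: remap when sport is well below the
    ephemeral range and dport is inside it, unless the connection
    originates on this host (shadowing needs a forwarded flow)."""
    return (not from_local) and sport < 16384 and dport >= 32768


class Nat:
    def __init__(self, public_ip: str, ephemeral_start: int = 32768):
        self.public_ip = public_ip
        # Assumption: sequential port choice stands in for random selection.
        self.next_port = ephemeral_start
        self.reply_table = {}  # reply tuple -> original tuple

    def snat(self, src_ip, sport, dst_ip, dport,
             from_local=False, hardened=True):
        """Create a conntrack entry for an outbound flow; return mapped sport."""
        mapped = sport  # without the fix, the source port is kept if free
        if hardened and force_port_remap(sport, dport, from_local):
            mapped = self.next_port
            self.next_port += 1
        reply = (dst_ip, dport, self.public_ip, mapped)
        self.reply_table[reply] = (src_ip, sport, dst_ip, dport)
        return mapped

    def inbound(self, src_ip, sport, dst_ip, dport):
        """Where an inbound packet is delivered: (ip, port) after reverse
        NAT when it matches a reply tuple, or None when it is a new flow."""
        orig = self.reply_table.get((src_ip, sport, dst_ip, dport))
        if orig is None:
            return None
        return (orig[0], orig[1])


def shadowing_demo(hardened: bool):
    """Replay the commit's example; returns the DNAT target of the new packet."""
    nat = Nat("Y")
    # Forwarded flow: internal host Z sends from port 53 to X:41234, Z -> Y.
    nat.snat("Z", 53, "X", 41234, hardened=hardened)
    # Unrelated new inbound packet from X:41234 to the NAT's own port 53.
    return nat.inbound("X", 41234, "Y", 53)
```

`shadowing_demo(False)` returns `("Z", 53)`, i.e. the new packet is silently forwarded into Z's existing flow; `shadowing_demo(True)` returns `None`, because the forced remap gave the outbound flow a high source port and the inbound packet no longer matches any reply tuple.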
Diffstat (limited to 'net/netfilter/nf_conntrack_acct.c')
0 files changed, 0 insertions, 0 deletions