* [PATCH nf v3] netfilter: nat: force port remap to prevent shadowing well-known ports
@ 2021-12-16 15:28 Florian Westphal
From: Florian Westphal @ 2021-12-16 15:28 UTC
To: netfilter-devel; +Cc: Florian Westphal, Eric Garver, Phil Sutter
If the destination port is above 32k and the source port is below 16k,
assume this might cause 'port shadowing', where a 'new' inbound
connection matches an existing one, e.g.

inbound X:41234 -> Y:53 matches existing conntrack entry
Z:53 -> X:4123, where Z got natted to X.

In this case, the new packet is natted to Z:53, which is likely
unwanted.

We avoid the rewrite for connections that originate from local host:
port-shadowing is only possible with forwarded connections.

Also adjust test case.

v3: no need to call tuple_force_port_remap if already in random mode
Cc: Eric Garver <eric@garver.life>
Cc: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_nat_core.c | 43 ++++++++++++++++++--
tools/testing/selftests/netfilter/nft_nat.sh | 5 ++-
2 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index 4d50d51db796..29d26bc977dc 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -494,6 +494,38 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
goto another_round;
}
+static bool tuple_force_port_remap(const struct nf_conntrack_tuple *tuple)
+{
+ u16 sp, dp;
+
+ switch (tuple->dst.protonum) {
+ case IPPROTO_TCP:
+ sp = ntohs(tuple->src.u.tcp.port);
+ dp = ntohs(tuple->dst.u.tcp.port);
+ break;
+ case IPPROTO_UDP:
+ case IPPROTO_UDPLITE:
+ sp = ntohs(tuple->src.u.udp.port);
+ dp = ntohs(tuple->dst.u.udp.port);
+ break;
+ default:
+ return false;
+ }
+
+ /* IANA: System port range: 1-1023,
+ * user port range: 1024-49151,
+ * private port range: 49152-65535.
+ *
+ * Linux default ephemeral port range is 32768-60999.
+ *
+ * Enforce port remapping if sport is significantly lower
+ * than dport to prevent NAT port shadowing, i.e.
+ * accidental match of 'new' inbound connection vs.
+ * existing outbound one.
+ */
+ return sp < 16384 && dp >= 32768;
+}
+
/* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
* we change the source to map into the range. For NF_INET_PRE_ROUTING
* and NF_INET_LOCAL_OUT, we change the destination to map into the
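Review bot: the thresholds 16384 and 32768 in tuple_force_port_remap() are bare magic numbers; the block comment explains the reasoning well, but named constants placed next to the IANA/ephemeral-range comment would keep the intent visible when someone later tunes them. Also note that the `default: return false;` arm means only TCP, UDP and UDPLITE source mappings get the forced remap; any other transport keeps its original port, which is fine if intentional but deserves a sentence in the commit message.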
@@ -507,11 +539,17 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
struct nf_conn *ct,
enum nf_nat_manip_type maniptype)
{
+ bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL;
const struct nf_conntrack_zone *zone;
struct net *net = nf_ct_net(ct);
zone = nf_ct_zone(ct);
+ if (maniptype == NF_NAT_MANIP_SRC &&
+ !random_port &&
+ !ct->local_origin)
+ random_port = tuple_force_port_remap(orig_tuple);
+
/* 1) If this srcip/proto/src-proto-part is currently mapped,
* and that same mapping gives a unique tuple within the given
* range, use that.
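Review bot: the new condition dereferences `ct->local_origin`, which the kernel test robot later in this thread reports as not existing in `struct nf_conn` on an arm randconfig build, so the field must come from a prerequisite patch; the commit message should name that dependency (or the series should carry the patch that adds the field) so the `nf` tree does not break when this is applied on its own. Otherwise the gating looks right: the heuristic is only consulted for source mappings, only when random mode is not already requested, and only for forwarded connections, matching the description.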
@@ -520,8 +558,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
* So far, we don't do local source mappings, so multiple
* manips not an issue.
*/
- if (maniptype == NF_NAT_MANIP_SRC &&
- !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
+ if (maniptype == NF_NAT_MANIP_SRC && !random_port) {
/* try the original tuple first */
if (in_range(orig_tuple, range)) {
if (!nf_nat_used_tuple(orig_tuple, ct)) {
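Review bot: folding the forced remap into `random_port` changes the meaning of this step 1 check: a forwarded connection that trips the heuristic now skips the "try the original tuple first" path even when `orig_tuple` is in range and unused, which is the intended effect, but the comment block above still only describes the random-mode case. A short note there that `random_port` is also set by tuple_force_port_remap() would keep the comment accurate for the next reader.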
@@ -545,7 +582,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
*/
/* Only bother mapping if it's not already in range and unique */
- if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
+ if (!random_port) {
if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
l4proto_in_range(tuple, maniptype,
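Review bot: with `random_port` now also set by the heuristic, a forwarded connection that matches it bypasses the NF_NAT_RANGE_PROTO_SPECIFIED fast path here and always falls through to nf_nat_l4proto_unique_tuple(); it would help to state in the commit message that the port chosen there still honours a user-specified port range, since that guarantee is not visible from this hunk and is what an administrator with an explicit `--to-ports` mapping will ask about.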
diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
index d88867d2fed7..349a319a9e51 100755
--- a/tools/testing/selftests/netfilter/nft_nat.sh
+++ b/tools/testing/selftests/netfilter/nft_nat.sh
@@ -880,8 +880,9 @@ EOF
return $ksft_skip
fi
- # test default behaviour. Packet from ns1 to ns0 is redirected to ns2.
- test_port_shadow "default" "CLIENT"
+ # test default behaviour. Packet from ns1 to ns0 is not redirected
+ # due to automatic port translation.
+ test_port_shadow "default" "ROUTER"
# test packet filter based mitigation: prevent forwarding of
# packets claiming to come from the service port.
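Review bot: the selftest change only flips the expected result for the default case from CLIENT to ROUTER; since the new behaviour is gated on `!ct->local_origin`, a second case asserting that a connection originating on the router itself keeps its low source port would cover the exemption the commit message describes and catch a regression where the gate is lost.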
--
2.32.0
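The collision the commit message describes, as an added example that is not kernel code and not part of the patch: a small model of conntrack tuples in which inbound packets are matched against the reply tuple of an existing source-NAT entry, with and without the port-remap heuristic. The addresses X, Y, Z and the fixed ephemeral port 40001 are constructed values.

```c
/* Added example, not kernel code: models the NAT "port shadowing" the
 * patch mitigates. X is an external host, Y the NAT router and Z an
 * internal host behind Y; addresses are just small integers. */
#include <stdbool.h>
#include <stdint.h>

enum { X = 1, Y = 2, Z = 3 };
struct tuple { uint32_t saddr, daddr; uint16_t sport, dport; };
/* Conntrack entry: original direction plus the reply direction after
 * source NAT. Inbound packets are looked up against the reply tuple. */
struct ct_entry { struct tuple orig, reply; };

/* Same thresholds as tuple_force_port_remap() in the patch. */
static bool force_port_remap(uint16_t sp, uint16_t dp)
{
	return sp < 16384 && dp >= 32768;
}

/* Entry for a forwarded packet SNATed to nat_addr. Without the heuristic
 * the original source port is kept; with it, an ephemeral port is used
 * (fixed here, where the kernel picks one at random). */
static struct ct_entry snat_entry(struct tuple orig, uint32_t nat_addr,
				  bool heuristic, uint16_t ephemeral)
{
	struct ct_entry e = { .orig = orig };
	uint16_t sport = orig.sport;

	if (heuristic && force_port_remap(orig.sport, orig.dport))
		sport = ephemeral;
	e.reply = (struct tuple){ .saddr = orig.daddr, .daddr = nat_addr,
				  .sport = orig.dport, .dport = sport };
	return e;
}

/* A 'new' inbound packet is shadowed when it equals an existing reply
 * tuple: conntrack then reverse-NATs it to Z instead of delivering it
 * to the service listening on Y. */
static bool is_shadowed(const struct ct_entry *e, struct tuple in)
{
	return e->reply.saddr == in.saddr && e->reply.daddr == in.daddr &&
	       e->reply.sport == in.sport && e->reply.dport == in.dport;
}

/* Commit-message scenario: Z:53 -> X:41234 leaves through Y, then a
 * legitimate X:41234 -> Y:53 query arrives for a service on Y. */
static bool scenario_shadowed(bool heuristic)
{
	struct tuple out = { .saddr = Z, .daddr = X, .sport = 53, .dport = 41234 };
	struct tuple in = { .saddr = X, .daddr = Y, .sport = 41234, .dport = 53 };
	struct ct_entry e = snat_entry(out, Y, heuristic, 40001);

	return is_shadowed(&e, in);
}
```

scenario_shadowed(false) reproduces the collision; scenario_shadowed(true) shows that forcing the outbound source port into the ephemeral range makes the reply tuple X:41234 -> Y:40001, which the inbound query no longer matches.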
* Re: [PATCH nf v3] netfilter: nat: force port remap to prevent shadowing well-known ports
From: Phil Sutter @ 2021-12-16 15:30 UTC
To: Florian Westphal; +Cc: netfilter-devel, Eric Garver
On Thu, Dec 16, 2021 at 04:28:16PM +0100, Florian Westphal wrote:
> If the destination port is above 32k and the source port is below 16k,
> assume this might cause 'port shadowing', where a 'new' inbound
> connection matches an existing one, e.g.
>
> inbound X:41234 -> Y:53 matches existing conntrack entry
> Z:53 -> X:4123, where Z got natted to X.
>
> In this case, the new packet is natted to Z:53, which is likely
> unwanted.
>
> We avoid the rewrite for connections that originate from local host:
> port-shadowing is only possible with forwarded connections.
>
> Also adjust test case.
>
> v3: no need to call tuple_force_port_remap if already in random mode
>
> Cc: Eric Garver <eric@garver.life>
> Cc: Phil Sutter <phil@nwl.cc>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
Thanks for the quick follow-up!
* Re: [PATCH nf v3] netfilter: nat: force port remap to prevent shadowing well-known ports
From: kernel test robot @ 2021-12-16 23:48 UTC
To: Florian Westphal, netfilter-devel
Cc: llvm, kbuild-all, Florian Westphal, Eric Garver, Phil Sutter
Hi Florian,
I love your patch! Yet something to improve:
[auto build test ERROR on nf/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-nat-force-port-remap-to-prevent-shadowing-well-known-ports/20211216-232930
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
config: arm-randconfig-r005-20211216 (https://download.01.org/0day-ci/archive/20211217/202112170757.knetsZWh-lkp@intel.com/config)
compiler: clang version 14.0.0 (https://github.com/llvm/llvm-project dd245bab9fbb364faa1581e4f92ba3119a872fba)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install arm cross compiling tool for clang build
# apt-get install binutils-arm-linux-gnueabi
# https://github.com/0day-ci/linux/commit/cc216934b951862fcd3ea10c9bef2eecd84d8e6f
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Florian-Westphal/netfilter-nat-force-port-remap-to-prevent-shadowing-well-known-ports/20211216-232930
git checkout cc216934b951862fcd3ea10c9bef2eecd84d8e6f
# save the config file to linux build tree
mkdir build_dir
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross W=1 O=build_dir ARCH=arm SHELL=/bin/bash net/netfilter/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All errors (new ones prefixed by >>):
>> net/netfilter/nf_nat_core.c:550:11: error: no member named 'local_origin' in 'struct nf_conn'
!ct->local_origin)
~~ ^
1 error generated.
vim +550 net/netfilter/nf_nat_core.c
528
529 /* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
530 * we change the source to map into the range. For NF_INET_PRE_ROUTING
531 * and NF_INET_LOCAL_OUT, we change the destination to map into the
532 * range. It might not be possible to get a unique tuple, but we try.
533 * At worst (or if we race), we will end up with a final duplicate in
534 * __nf_conntrack_confirm and drop the packet. */
535 static void
536 get_unique_tuple(struct nf_conntrack_tuple *tuple,
537 const struct nf_conntrack_tuple *orig_tuple,
538 const struct nf_nat_range2 *range,
539 struct nf_conn *ct,
540 enum nf_nat_manip_type maniptype)
541 {
542 bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL;
543 const struct nf_conntrack_zone *zone;
544 struct net *net = nf_ct_net(ct);
545
546 zone = nf_ct_zone(ct);
547
548 if (maniptype == NF_NAT_MANIP_SRC &&
549 !random_port &&
> 550 !ct->local_origin)
551 random_port = tuple_force_port_remap(orig_tuple);
552
553 /* 1) If this srcip/proto/src-proto-part is currently mapped,
554 * and that same mapping gives a unique tuple within the given
555 * range, use that.
556 *
557 * This is only required for source (ie. NAT/masq) mappings.
558 * So far, we don't do local source mappings, so multiple
559 * manips not an issue.
560 */
561 if (maniptype == NF_NAT_MANIP_SRC && !random_port) {
562 /* try the original tuple first */
563 if (in_range(orig_tuple, range)) {
564 if (!nf_nat_used_tuple(orig_tuple, ct)) {
565 *tuple = *orig_tuple;
566 return;
567 }
568 } else if (find_appropriate_src(net, zone,
569 orig_tuple, tuple, range)) {
570 pr_debug("get_unique_tuple: Found current src map\n");
571 if (!nf_nat_used_tuple(tuple, ct))
572 return;
573 }
574 }
575
576 /* 2) Select the least-used IP/proto combination in the given range */
577 *tuple = *orig_tuple;
578 find_best_ips_proto(zone, tuple, range, ct, maniptype);
579
580 /* 3) The per-protocol part of the manip is made to map into
581 * the range to make a unique tuple.
582 */
583
584 /* Only bother mapping if it's not already in range and unique */
585 if (!random_port) {
586 if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
587 if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
588 l4proto_in_range(tuple, maniptype,
589 &range->min_proto,
590 &range->max_proto) &&
591 (range->min_proto.all == range->max_proto.all ||
592 !nf_nat_used_tuple(tuple, ct)))
593 return;
594 } else if (!nf_nat_used_tuple(tuple, ct)) {
595 return;
596 }
597 }
598
599 /* Last chance: get protocol to try to obtain unique tuple. */
600 nf_nat_l4proto_unique_tuple(tuple, range, maniptype, ct);
601 }
602
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org