* [PATCH nf-next v4 0/2] nat: force port remap to prevent shadowing well-known ports
@ 2021-12-17 10:29 Florian Westphal
  2021-12-17 10:29 ` [PATCH nf-next v4 1/2] netfilter: conntrack: tag conntracks picked up in local out hook Florian Westphal
                   ` (2 more replies)
  0 siblings, 3 replies; 5+ messages in thread
From: Florian Westphal @ 2021-12-17 10:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

Hi,

This is a resend of the port remap change with auto-exception for
locally originating connections.

This is done by adding a bit in nf_conn for LOCAL_OUT tracked entries.

Patch 1/2 is the same as in v2.
Patch 2/2 is the same as in v3.
v3 only contained patch 2/2 by mistake.

Florian Westphal (2):
  netfilter: conntrack: tag conntracks picked up in local out hook
  netfilter: nat: force port remap to prevent shadowing well-known ports

 include/net/netfilter/nf_conntrack.h         |  1 +
 net/netfilter/nf_conntrack_core.c            |  3 ++
 net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
 tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
 4 files changed, 47 insertions(+), 5 deletions(-)

-- 
2.32.0



* [PATCH nf-next v4 1/2] netfilter: conntrack: tag conntracks picked up in local out hook
  2021-12-17 10:29 [PATCH nf-next v4 0/2] nat: force port remap to prevent shadowing well-known ports Florian Westphal
@ 2021-12-17 10:29 ` Florian Westphal
  2021-12-17 10:29 ` [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports Florian Westphal
  2021-12-23  0:02 ` [PATCH nf-next v4 0/2] " Pablo Neira Ayuso
  2 siblings, 0 replies; 5+ messages in thread
From: Florian Westphal @ 2021-12-17 10:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal

This allows identifying flows that originate from the local machine
in a followup patch.

It would be possible to make this a ->status bit instead.
For now I did not do that yet because I don't have a use-case for
exposing this info to userspace.

If one comes up the toggle can be replaced with a status bit.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 v4: no changes

 include/net/netfilter/nf_conntrack.h | 1 +
 net/netfilter/nf_conntrack_core.c    | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index d24b0a34c8f0..871489df63c6 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -95,6 +95,7 @@ struct nf_conn {
 	unsigned long status;
 
 	u16		cpu;
+	u16		local_origin:1;
 	possible_net_t ct_net;
 
 #if IS_ENABLED(CONFIG_NF_NAT)
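Review bot: the new `u16 local_origin:1;` carries no comment saying what it records (set only when the entry is created in the LOCAL_OUT hook, never changed afterwards) or why it is a bitfield rather than a ->status bit; the commit message explains both, the header does not, and struct nf_conn is read far more often than git log. The bitfield also shares its storage unit with the preceding `u16 cpu`, so the write is a read-modify-write; if the argument is that both fields are only written on the creation path before the entry is published, please say so in the comment so the next person touching `cpu` knows the constraint.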
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index d7e313548066..bed0017cadb0 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1747,6 +1747,9 @@ resolve_normal_ct(struct nf_conn *tmpl,
 			return 0;
 		if (IS_ERR(h))
 			return PTR_ERR(h);
+
+		ct = nf_ct_tuplehash_to_ctrack(h);
+		ct->local_origin = state->hook == NF_INET_LOCAL_OUT;
 	}
 	ct = nf_ct_tuplehash_to_ctrack(h);
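Review bot: the added `ct = nf_ct_tuplehash_to_ctrack(h);` inside the if-block is repeated verbatim, unconditionally, on the line right after the closing brace; either drop the second conversion or hoist the single conversion above the branch and set `ct->local_origin` under the existing `if`. The placement of the assignment itself is right: it runs only on the path that has just created the entry, so an existing entry later seen from LOCAL_OUT (or one created in PRE_ROUTING) is not retagged, which is exactly what the NAT side needs to distinguish forwarded from locally originating flows.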
 
-- 
2.32.0



* [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports
  2021-12-17 10:29 [PATCH nf-next v4 0/2] nat: force port remap to prevent shadowing well-known ports Florian Westphal
  2021-12-17 10:29 ` [PATCH nf-next v4 1/2] netfilter: conntrack: tag conntracks picked up in local out hook Florian Westphal
@ 2021-12-17 10:29 ` Florian Westphal
  2021-12-17 13:28   ` Eric Garver
  2021-12-23  0:02 ` [PATCH nf-next v4 0/2] " Pablo Neira Ayuso
  2 siblings, 1 reply; 5+ messages in thread
From: Florian Westphal @ 2021-12-17 10:29 UTC (permalink / raw)
  To: netfilter-devel; +Cc: Florian Westphal, Eric Garver, Phil Sutter

If the destination port is above 32k and the source port is below 16k,
assume this might cause 'port shadowing', where a 'new' inbound
connection matches an existing one, e.g.

inbound X:41234 -> Y:53 matches existing conntrack entry
        Z:53 -> X:41234, where Z got natted to X.

In this case, the new packet is natted to Z:53, which is likely
unwanted.

We avoid the rewrite for connections that originate from local host:
port-shadowing is only possible with forwarded connections.

Also adjust test case.

v3: no need to call tuple_force_port_remap if already in random mode (Phil)

Cc: Eric Garver <eric@garver.life>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
---
 Resent without changes, kept Phil's ack.
 net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
 tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index ab9f6c75524d..3dd130487b5b 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -494,6 +494,38 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
 	goto another_round;
 }
 
+static bool tuple_force_port_remap(const struct nf_conntrack_tuple *tuple)
+{
+	u16 sp, dp;
+
+	switch (tuple->dst.protonum) {
+	case IPPROTO_TCP:
+		sp = ntohs(tuple->src.u.tcp.port);
+		dp = ntohs(tuple->dst.u.tcp.port);
+		break;
+	case IPPROTO_UDP:
+	case IPPROTO_UDPLITE:
+		sp = ntohs(tuple->src.u.udp.port);
+		dp = ntohs(tuple->dst.u.udp.port);
+		break;
+	default:
+		return false;
+	}
+
+	/* IANA: System port range: 1-1023,
+	 *         user port range: 1024-49151,
+	 *      private port range: 49152-65535.
+	 *
+	 * Linux default ephemeral port range is 32768-60999.
+	 *
+	 * Enforce port remapping if sport is significantly lower
+	 * than dport to prevent NAT port shadowing, i.e.
+	 * accidental match of 'new' inbound connection vs.
+	 * existing outbound one.
+	 */
+	return sp < 16384 && dp >= 32768;
+}
+
 /* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
  * we change the source to map into the range. For NF_INET_PRE_ROUTING
  * and NF_INET_LOCAL_OUT, we change the destination to map into the
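Review bot: tuple_force_port_remap() returns false for every protocol other than TCP, UDP and UDPLITE, so an SCTP (or DCCP) flow with the same low-sport/high-dport shape keeps its original source port and stays exposed to the shadowing the patch is meant to stop; either read the port from those protocols' tuple fields as well or state in the comment that the heuristic is deliberately limited to TCP/UDP. The comment explains where 32768 comes from (Linux ephemeral range start) but not why 16384 is the "significantly lower" cutoff; two named constants with a one-line rationale would be better than bare magic numbers in `return sp < 16384 && dp >= 32768;`.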
@@ -507,11 +539,17 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
 		 struct nf_conn *ct,
 		 enum nf_nat_manip_type maniptype)
 {
+	bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL;
 	const struct nf_conntrack_zone *zone;
 	struct net *net = nf_ct_net(ct);
 
 	zone = nf_ct_zone(ct);
 
+	if (maniptype == NF_NAT_MANIP_SRC &&
+	    !random_port &&
+	    !ct->local_origin)
+		random_port = tuple_force_port_remap(orig_tuple);
+
 	/* 1) If this srcip/proto/src-proto-part is currently mapped,
 	 * and that same mapping gives a unique tuple within the given
 	 * range, use that.
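Review bot: forcing `random_port` to true here only skips the "try the original tuple first" path; nothing visible in this function guarantees that the port subsequently chosen differs from the original source port, so if the later selection can land on it again the shadowing window is made improbable rather than closed. Worth either a comment saying that this is acceptable or an explicit "new port != original port" check at the selection site. Separately, `random_port` no longer means "the rule asked for random ports" but "do not try to keep the original port"; a name such as `remap_port`, plus a short comment on the `!ct->local_origin` condition (forwarded flows only, local flows are never shadowed), would spare readers of this already long function a trip to the changelog.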
@@ -520,8 +558,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
 	 * So far, we don't do local source mappings, so multiple
 	 * manips not an issue.
 	 */
-	if (maniptype == NF_NAT_MANIP_SRC &&
-	    !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
+	if (maniptype == NF_NAT_MANIP_SRC && !random_port) {
 		/* try the original tuple first */
 		if (in_range(orig_tuple, range)) {
 			if (!nf_nat_used_tuple(orig_tuple, ct)) {
@@ -545,7 +582,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
 	 */
 
 	/* Only bother mapping if it's not already in range and unique */
-	if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
+	if (!random_port) {
 		if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
 			if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
 			    l4proto_in_range(tuple, maniptype,
diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh
index d88867d2fed7..349a319a9e51 100755
--- a/tools/testing/selftests/netfilter/nft_nat.sh
+++ b/tools/testing/selftests/netfilter/nft_nat.sh
@@ -880,8 +880,9 @@ EOF
 		return $ksft_skip
 	fi
 
-	# test default behaviour. Packet from ns1 to ns0 is redirected to ns2.
-	test_port_shadow "default" "CLIENT"
+	# test default behaviour. Packet from ns1 to ns0 is not redirected
+	# due to automatic port translation.
+	test_port_shadow "default" "ROUTER"
 
 	# test packet filter based mitigation: prevent forwarding of
 	# packets claiming to come from the service port.
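Review bot: the adjusted selftest only exercises the forwarded case (expecting ROUTER instead of CLIENT); the local_origin exemption introduced by patch 1/2 has no coverage. A case where ns0 itself originates a connection from a low source port to a high remote port and the test checks that the source port survives unchanged would catch a regression in which locally generated traffic silently starts being remapped too.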
-- 
2.32.0
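Added example, not code from the patch or the kernel tree: a small user-space model in C of the port-shadowing scenario in the commit message and of what the heuristic changes. The roles (X external client, Y the NAT router's address, Z an internal host masqueraded to Y), the host numbering, the table layout, the linear port search from 32768 and all function names are this example's own assumptions; only the decision rule (source port below 16384 and destination port at or above 32768, skipped for locally originating flows) is taken from the patch. Real conntrack picks ports at a random offset; here the point is only whether the port changes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Hosts are small integers instead of IP addresses; ports are host order. */
struct tuple {
	uint32_t saddr, daddr;
	uint16_t sport, dport;
};

/* A conntrack entry: original tuple and the reply tuple the NAT rewrite
 * produced. local_origin models the bit patch 1/2 adds to struct nf_conn. */
struct conn {
	struct tuple orig, reply;
	bool local_origin;
};

struct outcome {
	uint16_t nat_port;	/* source port of the flow after SNAT */
	bool matched;		/* did the later inbound packet hit that entry? */
};

#define MAX_CONNS 16
static struct conn table[MAX_CONNS];
static int nconns;

static bool tuple_eq(const struct tuple *a, const struct tuple *b)
{
	return a->saddr == b->saddr && a->daddr == b->daddr &&
	       a->sport == b->sport && a->dport == b->dport;
}

/* Decision rule of tuple_force_port_remap() from the patch, on the original tuple. */
bool force_port_remap(const struct tuple *t)
{
	return t->sport < 16384 && t->dport >= 32768;
}

/* Conntrack-style lookup: a packet matches an entry in either direction. */
struct conn *find_conn(const struct tuple *t)
{
	for (int i = 0; i < nconns; i++)
		if (tuple_eq(&table[i].orig, t) || tuple_eq(&table[i].reply, t))
			return &table[i];
	return NULL;
}

static bool reply_in_use(const struct tuple *r)
{
	for (int i = 0; i < nconns; i++)
		if (tuple_eq(&table[i].reply, r))
			return true;
	return false;
}

/* SNAT for a new connection: saddr becomes nat_addr. The source port is kept
 * when free (kernel default) unless the heuristic fires for a forwarded flow.
 * The linear search from 32768 stands in for the kernel's randomised choice. */
struct conn *snat_new_conn(const struct tuple *orig, uint32_t nat_addr,
			   bool local_origin, bool use_heuristic)
{
	struct tuple reply = { orig->daddr, nat_addr, orig->dport, orig->sport };
	bool must_remap = use_heuristic && !local_origin && force_port_remap(orig);
	struct conn *c;

	if (nconns >= MAX_CONNS)
		return NULL;

	if (must_remap || reply_in_use(&reply)) {
		for (uint32_t port = 32768; port < 65536; port++) {
			if (port == orig->sport)
				continue;	/* a forced remap must change the port */
			reply.dport = (uint16_t)port;
			if (!reply_in_use(&reply))
				break;
		}
		if (reply_in_use(&reply))
			return NULL;	/* range exhausted */
	}

	c = &table[nconns++];
	c->orig = *orig;
	c->reply = reply;
	c->local_origin = local_origin;
	return c;
}

/* Scenario from the commit message as read here: a host sends from port 53 to
 * external X:41234 through NAT router Y, then X sends a fresh packet to Y:53.
 * With z_is_local the sender is Y itself (local origin), otherwise internal
 * host Z masqueraded to Y. */
struct outcome run_scenario(bool use_heuristic, bool z_is_local)
{
	const uint32_t X = 1, Y = 2, Z = 3;
	struct tuple out = { z_is_local ? Y : Z, X, 53, 41234 };
	struct tuple x_in = { X, Y, 41234, 53 };
	struct outcome o = { 0, false };
	struct conn *c;

	nconns = 0;
	c = snat_new_conn(&out, Y, z_is_local, use_heuristic);
	if (!c)
		return o;
	o.nat_port = c->reply.dport;
	o.matched = find_conn(&x_in) != NULL;
	return o;
}

int main(void)
{
	struct outcome o = run_scenario(false, false);
	printf("pre-patch, forwarded: Y:%u matched=%d (X:41234->Y:53 goes to Z:53)\n",
	       (unsigned)o.nat_port, o.matched);
	o = run_scenario(true, false);
	printf("patched, forwarded:   Y:%u matched=%d (reaches Y's own port 53)\n",
	       (unsigned)o.nat_port, o.matched);
	o = run_scenario(true, true);
	printf("patched, local:       Y:%u matched=%d (Y's own reply, expected)\n",
	       (unsigned)o.nat_port, o.matched);
	return 0;
}
```

The third case is why patch 1/2 exists: when Y's own service answers from port 53, the inbound X:41234 -> Y:53 packet matching that entry is the legitimate reply, and remapping it would break the router's own traffic, so locally originating flows are exempt.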



* Re: [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports
  2021-12-17 10:29 ` [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports Florian Westphal
@ 2021-12-17 13:28   ` Eric Garver
  0 siblings, 0 replies; 5+ messages in thread
From: Eric Garver @ 2021-12-17 13:28 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel, Phil Sutter

On Fri, Dec 17, 2021 at 11:29:57AM +0100, Florian Westphal wrote:
> If destination port is above 32k and source port below 16k
> assume this might cause 'port shadowing' where a 'new' inbound
> connection matches an existing one, e.g.
> 
> inbound X:41234 -> Y:53 matches existing conntrack entry
>         Z:53 -> X:41234, where Z got natted to X.
> 
> In this case, new packet is natted to Z:53 which is likely
> unwanted.
> 
> We avoid the rewrite for connections that originate from local host:
> port-shadowing is only possible with forwarded connections.
> 
> Also adjust test case.
> 
> v3: no need to call tuple_force_port_remap if already in random mode (Phil)
> 
> Cc: Eric Garver <eric@garver.life>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Acked-by: Phil Sutter <phil@nwl.cc>
> ---
>  resent without changes, kept phils ack.
>  net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
>  tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
>  2 files changed, 43 insertions(+), 5 deletions(-)

Acked-by: Eric Garver <eric@garver.life>



* Re: [PATCH nf-next v4 0/2] nat: force port remap to prevent shadowing well-known ports
  2021-12-17 10:29 [PATCH nf-next v4 0/2] nat: force port remap to prevent shadowing well-known ports Florian Westphal
  2021-12-17 10:29 ` [PATCH nf-next v4 1/2] netfilter: conntrack: tag conntracks picked up in local out hook Florian Westphal
  2021-12-17 10:29 ` [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports Florian Westphal
@ 2021-12-23  0:02 ` Pablo Neira Ayuso
  2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2021-12-23  0:02 UTC (permalink / raw)
  To: Florian Westphal; +Cc: netfilter-devel

On Fri, Dec 17, 2021 at 11:29:55AM +0100, Florian Westphal wrote:
> Hi,
> 
> This is a resend of the port remap change with auto-exception for
> locally originating connections.
> 
> This is done by adding a bit in nf_conn for LOCAL_OUT tracked entries.

Series applied, thanks

