* [PATCH nf-next v4 0/2] nat: force port remap to prevent shadowing well-known ports
From: Florian Westphal @ 2021-12-17 10:29 UTC
To: netfilter-devel; +Cc: Florian Westphal

Hi,

This is a resend of the port remap change with auto-exception for
locally originating connections.

This is done by adding a bit in nf_conn for LOCAL_OUT tracked entries.

Patch 1/2 is the same as in v2. Patch 2/2 is the same as v3.
v3 only contained patch 2/2 by mistake.

Florian Westphal (2):
  netfilter: conntrack: tag conntracks picked up in local out hook
  netfilter: nat: force port remap to prevent shadowing well-known ports

 include/net/netfilter/nf_conntrack.h         |  1 +
 net/netfilter/nf_conntrack_core.c            |  3 ++
 net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
 tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
 4 files changed, 47 insertions(+), 5 deletions(-)

-- 
2.32.0
* [PATCH nf-next v4 1/2] netfilter: conntrack: tag conntracks picked up in local out hook
From: Florian Westphal @ 2021-12-17 10:29 UTC
To: netfilter-devel; +Cc: Florian Westphal

This allows identifying flows that originate from the local machine in a
follow-up patch.

It would be possible to make this a ->status bit instead.
For now I did not do that, because I don't have a use-case for exposing
this info to userspace. If one comes up, the toggle can be replaced with
a status bit.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
v4: no changes

 include/net/netfilter/nf_conntrack.h | 1 +
 net/netfilter/nf_conntrack_core.c    | 3 +++
 2 files changed, 4 insertions(+)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index d24b0a34c8f0..871489df63c6 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h @@ -95,6 +95,7 @@ struct nf_conn { unsigned long status; u16 cpu; + u16 local_origin:1; possible_net_t ct_net; #if IS_ENABLED(CONFIG_NF_NAT) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index d7e313548066..bed0017cadb0 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -1747,6 +1747,9 @@ resolve_normal_ct(struct nf_conn *tmpl, return 0; if (IS_ERR(h)) return PTR_ERR(h); + + ct = nf_ct_tuplehash_to_ctrack(h); + ct->local_origin = state->hook == NF_INET_LOCAL_OUT; } ct = nf_ct_tuplehash_to_ctrack(h); -- 2.32.0
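Review bot: the new `u16 local_origin:1;` bitfield in struct nf_conn carries no comment, so the commit message is the only place its meaning is recorded; a one-line comment next to the declaration (for example `/* set when the conntrack was created in LOCAL_OUT; NAT skips forced port remap for it */`) would help, and it is worth stating there that the bit is written only once, right after allocation, since a bitfield store is a read-modify-write of the containing word and is not safe against concurrent writers of neighbouring bits.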
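Review bot: `ct = nf_ct_tuplehash_to_ctrack(h);` is now evaluated twice in resolve_normal_ct(): once on the added line inside the branch that just allocated the new conntrack, and again on the unchanged line right after the closing brace. Either set the flag after the existing assignment, guarded by the same newly-allocated condition, or move the `ct->local_origin = ...` store into the allocation path so that only new entries are tagged and the duplicate lookup goes away. Writing the store as `ct->local_origin = (state->hook == NF_INET_LOCAL_OUT);` also makes the comparison-into-bitfield assignment easier to read.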
* [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports
From: Florian Westphal @ 2021-12-17 10:29 UTC
To: netfilter-devel; +Cc: Florian Westphal, Eric Garver, Phil Sutter

If the destination port is above 32k and the source port below 16k,
assume this might cause 'port shadowing', where a 'new' inbound
connection matches an existing one, e.g.

inbound X:41234 -> Y:53 matches existing conntrack entry
Z:53 -> X:4123, where Z got natted to X.

In this case, the new packet is natted to Z:53, which is likely
unwanted.

We avoid the rewrite for connections that originate from the local host:
port-shadowing is only possible with forwarded connections.

Also adjust the test case.

v3: no need to call tuple_force_port_remap if already in random mode (Phil)

Cc: Eric Garver <eric@garver.life>
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
---
resent without changes, kept Phil's ack.

 net/netfilter/nf_nat_core.c                  | 43 ++++++++++++++++++--
 tools/testing/selftests/netfilter/nft_nat.sh |  5 ++-
 2 files changed, 43 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index ab9f6c75524d..3dd130487b5b 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -494,6 +494,38 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple, goto another_round; } +static bool tuple_force_port_remap(const struct nf_conntrack_tuple *tuple) +{ + u16 sp, dp; + + switch (tuple->dst.protonum) { + case IPPROTO_TCP: + sp = ntohs(tuple->src.u.tcp.port); + dp = ntohs(tuple->dst.u.tcp.port); + break; + case IPPROTO_UDP: + case IPPROTO_UDPLITE: + sp = ntohs(tuple->src.u.udp.port); + dp = ntohs(tuple->dst.u.udp.port); + break; + default: + return false; + } + + /* IANA: System port range: 1-1023, + * user port range: 1024-49151, + * private port range: 49152-65535. + * + * Linux default ephemeral port range is 32768-60999. + * + * Enforce port remapping if sport is significantly lower + * than dport to prevent NAT port shadowing, i.e. + * accidental match of 'new' inbound connection vs. + * existing outbound one. + */ + return sp < 16384 && dp >= 32768; +} + /* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING, * we change the source to map into the range. For NF_INET_PRE_ROUTING * and NF_INET_LOCAL_OUT, we change the destination to map into the @@ -507,11 +539,17 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, struct nf_conn *ct, enum nf_nat_manip_type maniptype) { + bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL; const struct nf_conntrack_zone *zone; struct net *net = nf_ct_net(ct); zone = nf_ct_zone(ct); + if (maniptype == NF_NAT_MANIP_SRC && + !random_port && + !ct->local_origin) + random_port = tuple_force_port_remap(orig_tuple); + /* 1) If this srcip/proto/src-proto-part is currently mapped, * and that same mapping gives a unique tuple within the given * range, use that. 
@@ -520,8 +558,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, * So far, we don't do local source mappings, so multiple * manips not an issue. */ - if (maniptype == NF_NAT_MANIP_SRC && - !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) { + if (maniptype == NF_NAT_MANIP_SRC && !random_port) { /* try the original tuple first */ if (in_range(orig_tuple, range)) { if (!nf_nat_used_tuple(orig_tuple, ct)) { @@ -545,7 +582,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple, */ /* Only bother mapping if it's not already in range and unique */ - if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) { + if (!random_port) { if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) { if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) && l4proto_in_range(tuple, maniptype, diff --git a/tools/testing/selftests/netfilter/nft_nat.sh b/tools/testing/selftests/netfilter/nft_nat.sh index d88867d2fed7..349a319a9e51 100755 --- a/tools/testing/selftests/netfilter/nft_nat.sh +++ b/tools/testing/selftests/netfilter/nft_nat.sh @@ -880,8 +880,9 @@ EOF return $ksft_skip fi - # test default behaviour. Packet from ns1 to ns0 is redirected to ns2. - test_port_shadow "default" "CLIENT" + # test default behaviour. Packet from ns1 to ns0 is not redirected + # due to automatic port translation. + test_port_shadow "default" "ROUTER" # test packet filter based mitigation: prevent forwarding of # packets claiming to come from the service port. -- 2.32.0
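Review bot: the switch in tuple_force_port_remap() recognises only TCP, UDP and UDP-Lite and falls through to `return false;` for everything else, so SCTP and DCCP flows, whose ports NAT can also rewrite, never get the forced remap; if leaving them out is deliberate, a comment saying so would keep the question from resurfacing. The two thresholds in `return sp < 16384 && dp >= 32768;` are also bare literals: the block comment lists the IANA ranges and the Linux ephemeral range, but not why 16384 rather than 1024 or 49151 was chosen for the source port, so named constants or one more sentence there would make the heuristic easier to tune later.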
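Review bot: in get_unique_tuple(), `random_port` is a function-local flag, and forcing it to true only skips the "try the original tuple first" and "only bother mapping if it's not already in range" paths in the later hunks; `range->flags` itself is left untouched, so whatever selects the replacement port afterwards still runs with the caller's original flags. A short comment at the `random_port = tuple_force_port_remap(orig_tuple);` site saying which port range the forced remap is expected to land in would make the intended behaviour checkable from this function alone. The guard `maniptype == NF_NAT_MANIP_SRC && !random_port && !ct->local_origin` is otherwise consistent with the commit message: source mappings only, rules that did not already ask for random ports, and forwarded conntracks only.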
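Review bot: the nft_nat.sh hunk only flips the default-behaviour expectation from "CLIENT" to "ROUTER"; nothing in the series exercises the `local_origin` exception added in 1/2, so a regression that tagged every conntrack (or none) as local would still pass. A case where the connection originates in the router namespace itself, asserting that its source port is preserved, would cover the new bit.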
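The collision described in the commit message, as an added illustration that is not part of the patch or of the kernel: a toy conntrack table with masquerading, using constructed addresses (Z internal host, Y NAT router, X remote peer) and a fixed stand-in for the random port the kernel would choose. With the source port preserved, the inbound X:41234 -> Y:53 packet is de-NATed to Z:53; with the forced remap it reaches the router's own port 53.

```python
# Added illustration of the port-shadowing collision; not kernel code.
# Constructed addresses: Z = internal host, Y = NAT router, X = remote peer.
from dataclasses import dataclass

Z, Y, X = "10.0.0.2", "198.51.100.1", "203.0.113.7"
EPHEMERAL = 40000  # stands in for the random port the kernel would pick


@dataclass(frozen=True)
class Tuple:
    """One direction of a UDP flow: (saddr, sport) -> (daddr, dport)."""
    saddr: str
    sport: int
    daddr: str
    dport: int

    def reverse(self):
        return Tuple(self.daddr, self.dport, self.saddr, self.sport)


def tuple_force_port_remap(t):
    """Heuristic from the patch: low sport with high dport forces a new sport."""
    return t.sport < 16384 and t.dport >= 32768


class Conntrack:
    def __init__(self):
        self.by_reply = {}  # reply-direction tuple -> original tuple

    def snat(self, orig, force_remap, local_origin=False):
        """Masquerade a new flow behind Y. The source port is preserved unless
        the heuristic fires for a forwarded (non-local) connection."""
        sport = orig.sport
        if force_remap and not local_origin and tuple_force_port_remap(orig):
            sport = EPHEMERAL
        natted = Tuple(Y, sport, orig.daddr, orig.dport)
        self.by_reply[natted.reverse()] = orig
        return natted

    def deliver(self, pkt):
        """Inbound packet: a reply-tuple hit is de-NATed to the original source;
        anything else reaches the address and port it was sent to."""
        orig = self.by_reply.get(pkt)
        return (pkt.daddr, pkt.dport) if orig is None else (orig.saddr, orig.sport)


def final_destination(force_remap):
    """Where inbound X:41234 -> Y:53 lands after Z:53 -> X:41234 was masqueraded."""
    ct = Conntrack()
    ct.snat(Tuple(Z, 53, X, 41234), force_remap)
    return ct.deliver(Tuple(X, 41234, Y, 53))
```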
* Re: [PATCH v4 nf-next 2/2] netfilter: nat: force port remap to prevent shadowing well-known ports
From: Eric Garver @ 2021-12-17 13:28 UTC
To: Florian Westphal; +Cc: netfilter-devel, Phil Sutter

On Fri, Dec 17, 2021 at 11:29:57AM +0100, Florian Westphal wrote:
> If destination port is above 32k and source port below 16k
> assume this might cause 'port shadowing' where a 'new' inbound
> connection matches an existing one, e.g.
>
> inbound X:41234 -> Y:53 matches existing conntrack entry
> Z:53 -> X:4123, where Z got natted to X.
>
> In this case, new packet is natted to Z:53 which is likely
> unwanted.
>
> We avoid the rewrite for connections that originate from local host:
> port-shadowing is only possible with forwarded connections.
>
> Also adjust test case.
>
> v3: no need to call tuple_force_port_remap if already in random mode (Phil)
>
> Cc: Eric Garver <eric@garver.life>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Acked-by: Phil Sutter <phil@nwl.cc>
> ---
> resent without changes, kept phils ack.
> net/netfilter/nf_nat_core.c | 43 ++++++++++++++++++--
> tools/testing/selftests/netfilter/nft_nat.sh | 5 ++-
> 2 files changed, 43 insertions(+), 5 deletions(-)

Acked-by: Eric Garver <eric@garver.life>
* Re: [PATCH nf-next v4 0/2] nat: force port remap to prevent shadowing well-known ports
From: Pablo Neira Ayuso @ 2021-12-23 0:02 UTC
To: Florian Westphal; +Cc: netfilter-devel

On Fri, Dec 17, 2021 at 11:29:55AM +0100, Florian Westphal wrote:
> Hi,
>
> This is a resend of the port remap change with auto-exception for
> locally originating connections.
>
> This is done by adding a bit in nf_conn for LOCAL_OUT tracked entries.

Series applied, thanks