mirror of
https://github.com/torvalds/linux.git
synced 2024-11-26 14:12:06 +00:00
878aed8db3
If destination port is above 32k and source port below 16k
assume this might cause 'port shadowing' where a 'new' inbound
connection matches an existing one, e.g.
inbound X:41234 -> Y:53 matches existing conntrack entry
Z:53 -> X:4123, where Z got natted to X.
In this case, new packet is natted to Z:53 which is likely
unwanted.
We avoid the rewrite for connections that originate from local host:
port-shadowing is only possible with forwarded connections.
Also adjust test case.
v3: no need to call tuple_force_port_remap if already in random mode (Phil)
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Phil Sutter <phil@nwl.cc>
Acked-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
|
||
|---|---|---|
| .. | ||
| accounting | ||
| arch | ||
| bootconfig | ||
| bpf | ||
| build | ||
| cgroup | ||
| counter | ||
| debugging | ||
| edid | ||
| firewire | ||
| firmware | ||
| gpio | ||
| hv | ||
| iio | ||
| include | ||
| io_uring | ||
| kvm/kvm_stat | ||
| laptop | ||
| leds | ||
| lib | ||
| memory-model | ||
| objtool | ||
| pci | ||
| pcmcia | ||
| perf | ||
| power | ||
| rcu | ||
| scripts | ||
| spi | ||
| testing | ||
| thermal/tmon | ||
| time | ||
| tracing | ||
| usb | ||
| virtio | ||
| vm | ||
| wmi | ||
| Makefile | ||