Commit 15d70392 authored by Jakub Kicinski
Pablo Neira Ayuso says:

====================
Netfilter fixes for net

The following patchset contains Netfilter fixes for net coming late
in the 5.17-rc process:

1) Revert port remap to mitigate shadowing service ports, this is causing
   problems in existing setups and this mitigation can be achieved with
   explicit ruleset, eg.

	... tcp sport < 16386 tcp dport >= 32768 masquerade random

  This patch provided a built-in policy similar to the one described above.

2) Disable register tracking infrastructure in nf_tables. Florian reported
   two issues:

   - Existing expressions with no implemented .reduce interface
     that causes data-store on register should cancel the tracking.
   - Register clobbering might be possible storing data on registers that
     are larger than 32-bits.

   This might lead to generating incorrect ruleset bytecode. These two
   issues are scheduled to be addressed in the next release cycle.

* git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
  netfilter: nf_tables: disable register tracking
  Revert "netfilter: conntrack: tag conntracks picked up in local out hook"
  Revert "netfilter: nat: force port remap to prevent shadowing well-known ports"
====================

Link: https://lore.kernel.org/r/20220312220315.64531-1-pablo@netfilter.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>
parents 837d9e49 ed5f85d4
+0 −1
@@ -97,7 +97,6 @@ struct nf_conn {
	unsigned long status;

	u16		cpu;
	u16		local_origin:1;
	possible_net_t ct_net;

#if IS_ENABLED(CONFIG_NF_NAT)
+0 −3
@@ -1748,9 +1748,6 @@ resolve_normal_ct(struct nf_conn *tmpl,
			return 0;
		if (IS_ERR(h))
			return PTR_ERR(h);

		ct = nf_ct_tuplehash_to_ctrack(h);
		ct->local_origin = state->hook == NF_INET_LOCAL_OUT;
	}
	ct = nf_ct_tuplehash_to_ctrack(h);

+3 −40
@@ -494,38 +494,6 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
	goto another_round;
}

static bool tuple_force_port_remap(const struct nf_conntrack_tuple *tuple)
{
	u16 sp, dp;

	switch (tuple->dst.protonum) {
	case IPPROTO_TCP:
		sp = ntohs(tuple->src.u.tcp.port);
		dp = ntohs(tuple->dst.u.tcp.port);
		break;
	case IPPROTO_UDP:
	case IPPROTO_UDPLITE:
		sp = ntohs(tuple->src.u.udp.port);
		dp = ntohs(tuple->dst.u.udp.port);
		break;
	default:
		return false;
	}

	/* IANA: System port range: 1-1023,
	 *         user port range: 1024-49151,
	 *      private port range: 49152-65535.
	 *
	 * Linux default ephemeral port range is 32768-60999.
	 *
	 * Enforce port remapping if sport is significantly lower
	 * than dport to prevent NAT port shadowing, i.e.
	 * accidental match of 'new' inbound connection vs.
	 * existing outbound one.
	 */
	return sp < 16384 && dp >= 32768;
}

/* Manipulate the tuple into the range given. For NF_INET_POST_ROUTING,
 * we change the source to map into the range. For NF_INET_PRE_ROUTING
 * and NF_INET_LOCAL_OUT, we change the destination to map into the
@@ -539,17 +507,11 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
		 struct nf_conn *ct,
		 enum nf_nat_manip_type maniptype)
{
	bool random_port = range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL;
	const struct nf_conntrack_zone *zone;
	struct net *net = nf_ct_net(ct);

	zone = nf_ct_zone(ct);

	if (maniptype == NF_NAT_MANIP_SRC &&
	    !random_port &&
	    !ct->local_origin)
		random_port = tuple_force_port_remap(orig_tuple);

	/* 1) If this srcip/proto/src-proto-part is currently mapped,
	 * and that same mapping gives a unique tuple within the given
	 * range, use that.
@@ -558,7 +520,8 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
	 * So far, we don't do local source mappings, so multiple
	 * manips not an issue.
	 */
	if (maniptype == NF_NAT_MANIP_SRC && !random_port) {
	if (maniptype == NF_NAT_MANIP_SRC &&
	    !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
		/* try the original tuple first */
		if (in_range(orig_tuple, range)) {
			if (!nf_nat_used_tuple(orig_tuple, ct)) {
@@ -582,7 +545,7 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
	 */

	/* Only bother mapping if it's not already in range and unique */
	if (!random_port) {
	if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) {
		if (range->flags & NF_NAT_RANGE_PROTO_SPECIFIED) {
			if (!(range->flags & NF_NAT_RANGE_PROTO_OFFSET) &&
			    l4proto_in_range(tuple, maniptype,
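Review bot: After this section get_unique_tuple() has no built-in guard against NAT port shadowing any more, but nothing on the new side records that the protection was dropped on purpose; the two restored checks simply re-test `range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL`, and a later reader gets no hint that port randomisation is now the ruleset's responsibility. I'd add a comment above the first restored `if (maniptype == NF_NAT_MANIP_SRC && !(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))`: `/* No built-in port-remap policy: mitigating port shadowing (low sport towards the local ephemeral range) is left to the ruleset, e.g. masquerade random for such flows. */`. That keeps the revert byte-exact in code while pointing at the commit rationale. get_unique_tuple() starts before the second hunk and continues past the last one.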
+7 −2
@@ -8260,6 +8260,12 @@ void nf_tables_trans_destroy_flush_work(void)
}
EXPORT_SYMBOL_GPL(nf_tables_trans_destroy_flush_work);

static bool nft_expr_reduce(struct nft_regs_track *track,
			    const struct nft_expr *expr)
{
	return false;
}

static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *chain)
{
	const struct nft_expr *expr, *last;
@@ -8307,8 +8313,7 @@ static int nf_tables_commit_chain_prepare(struct net *net, struct nft_chain *cha
		nft_rule_for_each_expr(expr, last, rule) {
			track.cur = expr;

			if (expr->ops->reduce &&
			    expr->ops->reduce(&track, expr)) {
			if (nft_expr_reduce(&track, expr)) {
				expr = track.cur;
				continue;
			}
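Review bot: nft_expr_reduce() is a bare `return false` with no comment on the new side, so anyone reading nf_tables_api.c without this commit's log sees what looks like an unfinished hook rather than a deliberate switch-off of register tracking. I'd add above the function: `/* Register tracking is disabled for now: expressions without a .reduce callback can still store to registers without cancelling the tracked state, and stores wider than 32 bits can clobber neighbouring registers, so a reduce decision could produce wrong bytecode. Re-enable once both are handled. */`. Leaving the `track`/`expr` parameters and the `track.cur = expr` assignment in the loop makes the later re-enable trivial, but that now-dead bookkeeping deserves a one-line comment in nf_tables_commit_chain_prepare() as well, whose body continues past the hunk.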
+2 −3
@@ -880,9 +880,8 @@ EOF
		return $ksft_skip
	fi

	# test default behaviour. Packet from ns1 to ns0 is not redirected
	# due to automatic port translation.
	test_port_shadow "default" "ROUTER"
	# test default behaviour. Packet from ns1 to ns0 is redirected to ns2.
	test_port_shadow "default" "CLIENT"

	# test packet filter based mitigation: prevent forwarding of
	# packets claiming to come from the service port.
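Review bot: The replacement comment `# test default behaviour. Packet from ns1 to ns0 is redirected to ns2.` states the observed outcome but not that this is the unmitigated port-shadowing case now that the kernel no longer remaps ports by default, so a reader may take redirection to ns2 as the intended result. Suggest `# test default behaviour: without built-in port remapping the packet from ns1 to ns0 is shadowed and redirected to ns2; mitigation is exercised by the rule-based cases below.`. What the second argument of test_port_shadow encodes (presumably the expected responder) is defined outside this hunk, and the enclosing function starts before it.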