From: Kyle Swenson <kyle.swenson@est.tech>
To: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Cc: Kyle Swenson <kyle.swenson@est.tech>, "fw@strlen.de" <fw@strlen.de>
Subject: [RFC PATCH v2 1/1] netfilter: nat: restore default DNAT behavior
Date: Mon, 29 Jan 2024 21:12:54 +0000
Message-ID: <20240129211227.815253-2-kyle.swenson@est.tech>
In-Reply-To: <20240129211227.815253-1-kyle.swenson@est.tech>
When a DNAT rule is configured via iptables with different port ranges,

  iptables -t nat -A PREROUTING -p tcp -d 10.0.0.2 -m tcp --dport 32000:32010
  -j DNAT --to-destination 192.168.0.10:21000-21010

we seem to be DNATing to some random port on the LAN side. While this is
expected if --random is passed to the iptables command, it is not
expected without passing --random. The expected behavior (and the
observed behavior in v4.4) is that the traffic will be DNAT'd to
192.168.0.10:21000 unless there is a tuple collision with that
destination. In that case, we expect the traffic to be instead DNAT'd
to 192.168.0.10:21001, and so forth until the end of the range.

This patch is a naive attempt to restore the behavior seen in v4.4. I'm
hopeful folks will point out problems and regressions this could cause
elsewhere, since I've little experience in the net tree.
Signed-off-by: Kyle Swenson <kyle.swenson@est.tech>
---
net/netfilter/nf_nat_core.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index c3d7ecbc777c..016c816d91cb 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -549,12 +549,15 @@ static void nf_nat_l4proto_unique_tuple(struct nf_conntrack_tuple *tuple,
}
find_free_id:
if (range->flags & NF_NAT_RANGE_PROTO_OFFSET)
off = (ntohs(*keyptr) - ntohs(range->base_proto.all));
- else
+ else if ((range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL) ||
+ maniptype != NF_NAT_MANIP_DST)
off = get_random_u16();
+ else
+ off = 0;
attempts = range_size;
if (attempts > NF_NAT_MAX_ATTEMPTS)
attempts = NF_NAT_MAX_ATTEMPTS;
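Review bot: the new `else` branch starts every DNAT search at `off = 0`, and together with the cap a few lines below (`attempts = range_size; if (attempts > NF_NAT_MAX_ATTEMPTS) attempts = NF_NAT_MAX_ATTEMPTS;`) that means a --to-destination range wider than NF_NAT_MAX_ATTEMPTS whose first NF_NAT_MAX_ATTEMPTS ports are all busy reports no free port even though free ports remain further up the range, whereas the random offset used before probed a different window on each connection; consider stating that limit in the commit message or retrying from a random offset once the linear scan is exhausted. The condition `maniptype != NF_NAT_MANIP_DST` also changes only the DST path without saying why, so a one-line comment above the `else if` explaining that SNAT keeps the random start while DNAT returns to a sequential scan would help the next reader.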
--
2.43.0
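To make the difference between the two starting offsets concrete, here is a small Python model of the probe loop the patch touches; this is an added illustration, not kernel code, and it assumes NF_NAT_MAX_ATTEMPTS is 128 (the value in mainline nf_nat_core.c) and that the search wraps around the range as the kernel's `min + off % range_size` does.

```python
# Model of the port-selection loop in nf_nat_l4proto_unique_tuple():
# starting at range_min + off, probe at most `attempts` ports, wrapping
# around the range, and take the first one whose tuple is not in use.
# Added illustration; NF_NAT_MAX_ATTEMPTS value is assumed (mainline: 128).
NF_NAT_MAX_ATTEMPTS = 128


def pick_port(range_min, range_max, used_ports, off):
    """Return the first free port found by a capped, wrapping linear scan
    that starts at range_min + off, or None when the cap is exhausted."""
    range_size = range_max - range_min + 1
    attempts = min(range_size, NF_NAT_MAX_ATTEMPTS)
    for i in range(attempts):
        port = range_min + (off + i) % range_size
        if port not in used_ports:
            return port
    return None


def dnat_sequence(range_min, range_max, n, off_fn):
    """Allocate n connections one after another; off_fn(i) gives the
    starting offset for the i-th connection (0 models the patched DNAT
    path, a random value models the pre-patch behaviour)."""
    used = set()
    chosen = []
    for i in range(n):
        port = pick_port(range_min, range_max, used, off_fn(i))
        chosen.append(port)
        if port is not None:
            used.add(port)
    return chosen


if __name__ == "__main__":
    # Patched behaviour for the rule in the commit message: 21000, 21001, 21002.
    print(dnat_sequence(21000, 21010, 3, lambda i: 0))
    # Failure mode of a fixed offset: a 1000-port range whose first 128 ports
    # are busy finds nothing, while a start further in the range succeeds.
    busy = set(range(21000, 21128))
    print(pick_port(21000, 21999, busy, 0), pick_port(21000, 21999, busy, 500))
```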