From 8d211afc1d463e451080ec3a93ca48d73213e304 Mon Sep 17 00:00:00 2001
From: Phil Sutter
Date: Fri, 25 Nov 2022 16:48:10 +0100
Subject: [PATCH] nftables-1.0.4-3.el9

* Fri Nov 25 2022 Phil Sutter [1.0.4-3.el9]
- Prevent port-shadow attacks in sample nat config (Phil Sutter) [2061940]

Resolves: rhbz#2061940
---
 nat.nft | 12 ++++++++++--
 nftables.spec | 5 ++++-
 2 files changed, 14 insertions(+), 3 deletions(-)

diff --git a/nat.nft b/nat.nft
index 7079893..905179c 100644
--- a/nat.nft
+++ b/nat.nft
@@ -18,13 +18,21 @@ table ip nftables_svc {
 elements = { 192.168.122.0/24 }
 }
+ # force port randomization for non-locally originated connections using
+ # suspicious port values to prevent port-shadow attacks, i.e.
+ # accidental matching of new inbound connections vs. existing ones
+ chain do_masquerade {
+ meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+ masquerade
+ }
+
 # base-chain to manipulate conntrack in postrouting,
 # will see packets for new or related traffic only
 chain POSTROUTING {
 type nat hook postrouting priority srcnat + 20
 policy accept
- iifname @masq_interfaces oifname != @masq_interfaces masquerade
- ip saddr @masq_ips masquerade
+ iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+ ip saddr @masq_ips jump do_masquerade
 }
 }
diff --git a/nftables.spec b/nftables.spec
index 7d2de70..7bb0ca2 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,5 +1,5 @@
 %define rpmversion 1.0.4
-%define specrelease 2
+%define specrelease 3
 Name: nftables
 Version: %{rpmversion}
@@ -131,6 +131,9 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 %changelog
+* Fri Nov 25 2022 Phil Sutter [1.0.4-3.el9]
+- Prevent port-shadow attacks in sample nat config (Phil Sutter) [2061940]
+
 * Fri Jun 24 2022 Phil Sutter [1.0.4-2.el9]
 - intervals: Do not sort cached set elements over and over again (Phil Sutter) [1917398]
 - intervals: do not empty cache for maps (Phil Sutter) [1917398]
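Review bot: The new `th sport < 16384 th dport >= 32768` rule in do_masquerade matches raw transport-header bytes with no protocol qualifier, so as far as I can tell it also fires for port-less protocols such as ICMP, where those two offsets hold type/code and checksum rather than ports; the consequence there would presumably be only a randomized query id, but the rule reads as a port check and the intent is not explicit. Qualifying it with `meta l4proto { tcp, udp, sctp, dccp }` (or a comment stating that any transport protocol is deliberately covered) would pin that down. The thresholds 16384 and 32768 are also unexplained beyond "suspicious port values"; a comment such as `# sport below the usual ephemeral range while dport is inside it` would tell the reader what "suspicious" means here, to be confirmed against the ephemeral-range assumption the rule relies on. The enclosing `table ip nftables_svc` block starts outside the hunk.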