nftables-1.0.4-3.el9

* Fri Nov 25 2022 Phil Sutter <psutter@redhat.com> [1.0.4-3.el9] - Prevent port-shadow attacks in sample nat config (Phil Sutter) [2061940] Resolves: rhbz#2061940
2022-11-25 16:48:10 +01:00 · 2022-11-25 16:48:10 +01:00 · 8d211afc1d
commit 8d211afc1d
parent 9a240b84de
2 changed files with 14 additions and 3 deletions
--- a/nat.nft
+++ b/nat.nft
@ -18,13 +18,21 @@ table ip nftables_svc {
 		elements = { 192.168.122.0/24 }
 	}
 	# force port randomization for non-locally originated connections using
 	# suspicious port values to prevent port-shadow attacks, i.e.
 	# accidental matching of new inbound connections vs. existing ones
 	chain do_masquerade {
 		meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
 		masquerade
 	}
 	# base-chain to manipulate conntrack in postrouting,
 	# will see packets for new or related traffic only
 	chain POSTROUTING {
 		type nat hook postrouting priority srcnat + 20
 		policy accept
-		iifname @masq_interfaces oifname != @masq_interfaces masquerade
+		iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
-		ip saddr @masq_ips masquerade
+		ip saddr @masq_ips jump do_masquerade
 	}
 }
--- a/nftables.spec
+++ b/nftables.spec
@ -1,5 +1,5 @@
 %define rpmversion 1.0.4
-%define specrelease 2
+%define specrelease 3
 Name:           nftables
 Version:        %{rpmversion}
@ -131,6 +131,9 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
 %{python3_sitelib}/nftables/
 %changelog
 * Fri Nov 25 2022 Phil Sutter <psutter@redhat.com> [1.0.4-3.el9]
 - Prevent port-shadow attacks in sample nat config (Phil Sutter) [2061940]
 * Fri Jun 24 2022 Phil Sutter <psutter@redhat.com> [1.0.4-2.el9]
 - intervals: Do not sort cached set elements over and over again (Phil Sutter) [1917398]
 - intervals: do not empty cache for maps (Phil Sutter) [1917398]