Bug 2061917

Summary: Prevent port-shadow attacks in sample nat config
Product: [Fedora] Fedora Reporter: Phil Sutter <psutter>
Component: nftablesAssignee: Phil Sutter <psutter>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: kevin, psutter
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nftables-1.0.1-4.fc37 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 2061940 (view as bug list) Environment:
Last Closed: 2022-03-08 18:48:36 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2061940, 2061942    

Description Phil Sutter 2022-03-08 17:17:55 UTC
The respective kernel commit is about to be reverted as it might break a corner-case:

https://lore.kernel.org/netfilter-devel/20220308125924.6708-1-fw@strlen.de/

Deploy an equivalent mitigation in user space so at least new setups are fine once the revert reaches distribution kernels:

@@ -18,13 +18,21 @@ table ip nftables_svc {
                elements = { 192.168.122.0/24 }
        }
 
+       # force port randomization for non-locally originated connections using
+       # suspicious port values to prevent port-shadow attacks, i.e.
+       # accidental matching of new inbound connections vs. existing ones
+       chain do_masquerade {
+               meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random
+               masquerade
+       }
+
        # base-chain to manipulate conntrack in postrouting,
        # will see packets for new or related traffic only
        chain POSTROUTING {
                type nat hook postrouting priority srcnat + 20
                policy accept
 
-               iifname @masq_interfaces oifname != @masq_interfaces masquerade
-               ip saddr @masq_ips masquerade
+               iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade
+               ip saddr @masq_ips jump do_masquerade
        }
 }

Comment 2 Fedora Update System 2022-03-08 18:46:47 UTC
FEDORA-2022-f6ab2d1470 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f6ab2d1470

Comment 3 Fedora Update System 2022-03-08 18:48:36 UTC
FEDORA-2022-f6ab2d1470 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.