The respective kernel commit is about to be reverted as it might break a corner-case: https://lore.kernel.org/netfilter-devel/20220308125924.6708-1-fw@strlen.de/ Deploy an equivalent mitigation in user space so at least new setups are fine once the revert reaches distribution kernels: @@ -18,13 +18,21 @@ table ip nftables_svc { elements = { 192.168.122.0/24 } } + # force port randomization for non-locally originated connections using + # suspicious port values to prevent port-shadow attacks, i.e. + # accidental matching of new inbound connections vs. existing ones + chain do_masquerade { + meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random + masquerade + } + # base-chain to manipulate conntrack in postrouting, # will see packets for new or related traffic only chain POSTROUTING { type nat hook postrouting priority srcnat + 20 policy accept - iifname @masq_interfaces oifname != @masq_interfaces masquerade - ip saddr @masq_ips masquerade + iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade + ip saddr @masq_ips jump do_masquerade } }
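Review bot: the `th sport < 16384 th dport >= 32768` match in the new `do_masquerade` chain is not restricted to a transport protocol, so the comparison is evaluated against the first four bytes of whatever transport header follows the IP header, not only TCP and UDP ports; prefix the rule with `meta l4proto { tcp, udp }` (or split it into `tcp sport ... tcp dport ...` and `udp sport ... udp dport ...` rules) so that only packets which actually carry ports are forced onto randomized masquerading. It would also help to extend the comment to say why `meta iif > 0` is used (locally originated packets have no input interface and are therefore left on the plain `masquerade` fallback), since that is the only thing tying "non-locally originated" in the comment to the rule itself.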
For reference, this is about CVE-2021-3773: https://access.redhat.com/security/cve/CVE-2021-3773 https://www.openwall.com/lists/oss-security/2021/09/08/3 https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html
FEDORA-2022-f6ab2d1470 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-f6ab2d1470
FEDORA-2022-f6ab2d1470 has been pushed to the Fedora 37 stable repository. If the problem still persists, please make note of it in this bug report.