netfilter: nat: fix icmp id randomization
author    Florian Westphal <fw@strlen.de>
          Tue, 9 Apr 2019 12:45:20 +0000 (14:45 +0200)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
          Thu, 16 May 2019 17:40:23 +0000 (19:40 +0200)
commit    ecef50c35a07b396fa8977c2312b1f83702fb01e
tree      a230a28d2a2190e2620ebc8ce44c5f55eddf6544
parent    c2987d193f8b1c0f3d59362684798e37049079a3

[ Upstream commit 5bdac418f33f60b07a34e01e722889140ee8fac9 ]

Sven Auhagen reported that a 2nd ping request will fail if 'fully-random'
mode is used.

Reason is that if no proto information is given, min/max are both 0,
so we set the icmp id to 0 instead of choosing a random value between
0 and 65535.

Update test case as well to catch this, without fix this yields:
[..]
ERROR: cannot ping ns1 from ns2 with ip masquerade fully-random (attempt 2)
ERROR: cannot ping ns1 from ns2 with ipv6 masquerade fully-random (attempt 2)

... because 2nd ping clashes with existing 'id 0' icmp conntrack and gets
dropped.

Fixes: 203f2e78200c27e ("netfilter: nat: remove l4proto->unique_tuple")
Reported-by: Sven Auhagen <sven.auhagen@voleatech.de>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nf_nat_core.c
tools/testing/selftests/netfilter/nft_nat.sh
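The failure mode the commit message describes, as an added example written for this page (it is not the kernel's code and not the patch itself): a model of ICMP id selection in which a min/max range of 0/0 collapses every id to 0, beside the corrected selection that treats an unspecified range as the whole 16-bit space, and a toy conntrack table that shows why the second ping through the same masquerade is dropped. The `id_range` struct, the function names, the table size and the deterministic stand-in for entropy are all assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model (not the kernel's structures) of the id range a NAT
 * rule may carry for ICMP. min == max == 0 is the "no proto information
 * given" case from the commit message. */
struct id_range {
    uint16_t min;
    uint16_t max;
};

typedef uint16_t (*pick_fn)(const struct id_range *, uint32_t);

/* Pre-fix behaviour as the commit message describes it: the range width is
 * max - min + 1, which is 1 when both are 0, so every pick collapses to 0. */
static uint16_t pick_id_buggy(const struct id_range *r, uint32_t rnd)
{
    uint32_t width = (uint32_t)r->max - r->min + 1u;
    return (uint16_t)(r->min + rnd % width);
}

/* Post-fix behaviour: an unspecified range means the full 0..65535 space;
 * an explicitly configured range is honoured exactly as before. */
static uint16_t pick_id_fixed(const struct id_range *r, uint32_t rnd)
{
    uint16_t lo = r->min, hi = r->max;
    if (lo == 0 && hi == 0)
        hi = 65535;
    uint32_t width = (uint32_t)hi - lo + 1u;
    return (uint16_t)(lo + rnd % width);
}

/* Toy stand-in for the conntrack table: the ICMP ids already owned by a
 * live entry for this masquerade address. */
#define MAX_ENTRIES 64
struct ct_table {
    uint16_t ids[MAX_ENTRIES];
    int n;
};

/* Returns 1 if id already belongs to an entry (the new flow clashes and
 * its packet is dropped); otherwise records the id and returns 0. */
static int ct_insert(struct ct_table *ct, uint16_t id)
{
    for (int i = 0; i < ct->n; i++)
        if (ct->ids[i] == id)
            return 1;
    if (ct->n < MAX_ENTRIES)
        ct->ids[ct->n++] = id;
    return 0;
}

/* Send n echo requests through the same masquerade and count how many are
 * dropped because their id clashes with an existing entry. The "entropy"
 * is a constructed deterministic sequence so the run is reproducible. */
static int dropped_pings(pick_fn pick, const struct id_range *r, int n)
{
    struct ct_table ct = { .n = 0 };
    int dropped = 0;
    for (int k = 1; k <= n; k++) {
        uint32_t rnd = (uint32_t)k * 0x9E3779B9u; /* constructed stand-in */
        if (ct_insert(&ct, pick(r, rnd)))
            dropped++;
    }
    return dropped;
}

int main(void)
{
    struct id_range unspecified = { 0, 0 };
    struct id_range explicit_range = { 1000, 1003 };

    printf("unspecified range, buggy : %d of 3 pings dropped\n",
           dropped_pings(pick_id_buggy, &unspecified, 3));
    printf("unspecified range, fixed : %d of 3 pings dropped\n",
           dropped_pings(pick_id_fixed, &unspecified, 3));
    printf("explicit 1000-1003, fixed: id %u\n",
           (unsigned)pick_id_fixed(&explicit_range, 6));
    return 0;
}
```

With the unspecified range the buggy selector hands every flow id 0, so only the first ping ever gets a conntrack entry and each later one collides and is dropped, which is exactly the "attempt 2" failure the updated selftest catches. The fixed selector draws from all 65536 ids, so consecutive pings get distinct entries; because 65536 divides the 32-bit draw evenly, the modulo introduces no bias for the full range.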