Message-ID: <5790795.VsPgYW4pTa@deepthought.bosswg.de>
Date:   Mon, 21 Mar 2022 01:42:25 +0100
From:   Christoph Grenz <christophg+lkml@...nz-bonn.de>
To:     netdev@...r.kernel.org
Subject: netfilter masquerade source address selection doesn't account for PBR

Hello,

I noticed that the masquerade target for IPv4 doesn't account for policy-based 
routing when selecting the new source address.

E.g. if you have two public IP addresses 203.0.113.1 and 203.0.113.2 
configured and masquerade traffic coming from interfaces veth0 and veth1 and 
you want to select the outgoing public IP address based on the incoming 
interface, then neither of these commands influences the source address 
selection:

ip route add default via [...] src 203.0.113.2 table 101
ip rule add iif veth1 table 101 priority 101

ip route add default via [...] src 203.0.113.2 table 101
ip rule add from 192.168.1.0/24 table 101 priority 101

As far as I read the code, the source address is selected in 
nf_nat_masquerade.c using

newsrc = inet_select_addr(out, nh, RT_SCOPE_UNIVERSE);

and this seems to select an address as it would for a locally generated 
packet. Policies other than the preferred source address take effect as they 
are handled elsewhere.

The only workaround I found is explicitly using SNAT instead of MASQ.

Is this an oversight or expected behavior?

Best regards
Christoph Grenz
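Added example, not part of Christoph's message: a small audit script that spots the situation he describes, i.e. a policy-routing table carrying a preferred `src` address while POSTROUTING uses MASQUERADE, which ignores that hint. The `ip rule` / `ip route` / `iptables-save` output below is constructed to mirror his setup, and the `-o eth0` output interface is an assumption.

```python
import re

# Constructed sample output (not captured from a real host), modelled on the
# message: table 101 carries the preferred source 203.0.113.2.
IP_RULE = """\
0:	from all lookup local
101:	from 192.168.1.0/24 lookup 101
32766:	from all lookup main
"""
IP_ROUTE_TABLES = {
    "main": "default via 198.51.100.1 dev eth0 src 203.0.113.1\n",
    "101": "default via 198.51.100.1 dev eth0 src 203.0.113.2\n",
}
NAT_RULES = "-A POSTROUTING -o eth0 -j MASQUERADE\n"

def parse_rules(text):
    """Return (selector, table) pairs from 'ip rule show' output."""
    rules = []
    for line in text.splitlines():
        m = re.match(r"\d+:\s+(.*?)\s+lookup\s+(\S+)", line)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules

def route_src_hints(text):
    """Return the 'src' preferred-source addresses found in one routing table."""
    return re.findall(r"\bsrc\s+(\S+)", text)

def masquerade_ignored_src(ip_rule, tables, nat_rules):
    """Return (selector, table, src) triples whose preferred source will not
    be honoured: MASQUERADE picks the address via inet_select_addr() and
    never looks at the route's src hint, as the message explains."""
    if "MASQUERADE" not in nat_rules:
        return []
    findings = []
    for selector, table in parse_rules(ip_rule):
        if table in ("local", "main", "default"):
            continue  # only policy tables can carry a per-flow src hint
        for src in route_src_hints(tables.get(table, "")):
            findings.append((selector, table, src))
    return findings

def snat_equivalent(selector, src, out_if="eth0"):
    """Suggest the explicit SNAT rule (the workaround named in the message)
    for a 'from <prefix>' selector. Returns None for iif-based selectors,
    since iptables does not allow -i in the POSTROUTING chain."""
    m = re.fullmatch(r"from (\S+)", selector)
    if not m or m.group(1) == "all":
        return None
    return f"-A POSTROUTING -s {m.group(1)} -o {out_if} -j SNAT --to-source {src}"
```

Run it against real `ip rule show`, `ip route show table <id>` and `iptables-save -t nat` output to list every source hint MASQUERADE will silently bypass.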
