[Swan-dev] has iptables SNAT started assigning random ports?
Paul Wouters
paul at nohats.ca
Wed Sep 25 02:02:39 UTC 2019
On Tue, 24 Sep 2019, Andrew Cagney wrote:
> Subject: [Swan-dev] has iptables SNAT started assigning random ports?
>
> see https://testing.libreswan.org/v3.28-839-g49ccf4dde-master/ikev2-32-nat-rw-rekey/OUTPUT/east.console.verbose.txt
> nic# iptables -t nat -A POSTROUTING -s 192.1.3.0/24 -p udp --sport
> 4500 -j SNAT --to-source 192.1.2.254:3500-3700
> I'm guessing that, in the past, the first port - 3500 - was assigned
> but now a random port - in the above 3633 - is being assigned
> PS: I need to tweak a sanitizer so that 3500 isn't sanitized but
> that's not the problem here.
> PPS: I wish we used 3-digit port numbers in these tests, usermode is
> dead and we're running as root
commit ec4eabf7c5a0030d684bbb52abf9cf5d12bc9380
Author: Paul Wouters <pwouters at redhat.com>
Date: Mon Jul 8 23:07:16 2019 -0400
testing: sanitizers: only sanitize 5 digit ephemeral source ports.
We have too many of the same rules to sanitize this :/
So if you make it start at 32768, they should get sanitized as ephemeral
ports.
Paul
More information about the Swan-dev
mailing list