[Swan-dev] has iptables SNAT started assigning random ports?
andrew.cagney at gmail.com
Wed Sep 25 13:16:04 UTC 2019
On Tue, 24 Sep 2019 at 22:02, Paul Wouters <paul at nohats.ca> wrote:
> On Tue, 24 Sep 2019, Andrew Cagney wrote:
> > Subject: [Swan-dev] has iptables SNAT started assigning random ports?
> > see https://testing.libreswan.org/v3.28-839-g49ccf4dde-master/ikev2-32-nat-rw-rekey/OUTPUT/east.console.verbose.txt
> > nic# iptables -t nat -A POSTROUTING -s 220.127.116.11/24 -p udp --sport
> > 4500 -j SNAT --to-source 18.104.22.168:3500-3700
> > I'm guessing that, in the past, the first port - 3500 - was assigned
> > but now a random port - in the above 3633 - is being assigned
> > PS: I need to tweak a sanitizer so that 3500 isn't sanitized but
> > that's not the problem here.
> > PPS: I wish we used 3-digit port numbers in these tests, usermode is
> > dead and we're running as root
> commit ec4eabf7c5a0030d684bbb52abf9cf5d12bc9380
> Author: Paul Wouters <pwouters at redhat.com>
> Date: Mon Jul 8 23:07:16 2019 -0400
> testing: sanitizers: only sanitize 5 digit ephemeral source ports.
> We have too many of the same rules to sanitize this :/
> So if you make it start at 32768, they should get sanitized as ephemeral
We've several problems:
- SNAT seems to be assigning random ports; stopping tests from "passing"
there are several ways to get around it but my preference is to stop
the randomness (iptables has an option to enable randomness not none
to disable it; that wasn't thought of when random was made the
default...; or perhaps iptables is obsolete?)
- kernel assigned port numbers; traditionally it was anything >1024;
sounds like Linux made that 32k?
- we need to come up
More information about the Swan-dev