randomize source ports during masquerading (#107)

metal-stack · May 2, 2024 · fac1b8a · fac1b8a
1 parent f2edbfc
commit fac1b8a
Show file tree

Hide file tree

Showing 8 changed files with 16 additions and 16 deletions.
diff --git a/pkg/netconf/testdata/nftrules b/pkg/netconf/testdata/nftrules
@@ -68,7 +68,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
-        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
-        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)"
+        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: mpls-nbg-w8101-test)"
     }
 }
diff --git a/pkg/netconf/testdata/nftrules_accept_forwarding b/pkg/netconf/testdata/nftrules_accept_forwarding
@@ -68,7 +68,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
-        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
-        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)"
+        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: mpls-nbg-w8101-test)"
     }
 }
diff --git a/pkg/netconf/testdata/nftrules_dmz b/pkg/netconf/testdata/nftrules_dmz
@@ -83,7 +83,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
-        oifname "vlan104009" ip saddr 10.0.16.0/22 ip daddr != 185.1.2.3 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
-        oifname "vlan104009" ip saddr 10.0.20.0/22 ip daddr != 185.1.2.3 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104009" ip saddr 10.0.16.0/22 ip daddr != 185.1.2.3 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104009" ip saddr 10.0.20.0/22 ip daddr != 185.1.2.3 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
     }
 }
diff --git a/pkg/netconf/testdata/nftrules_ipv6 b/pkg/netconf/testdata/nftrules_ipv6
@@ -83,7 +83,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
-        oifname "vlan104009" ip6 saddr 2002::/64 ip6 daddr != 2a02:c00:20::1 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
-        oifname "vlan104010" ip6 saddr 2002::/64 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)"
+        oifname "vlan104009" ip6 saddr 2002::/64 ip6 daddr != 2a02:c00:20::1 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104010" ip6 saddr 2002::/64 counter masquerade random comment "snat (networkid: mpls-nbg-w8101-test)"
     }
 }
diff --git a/pkg/netconf/testdata/nftrules_shared b/pkg/netconf/testdata/nftrules_shared
@@ -77,7 +77,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
-        oifname "vlan3982" ip saddr 10.0.18.0/22 counter masquerade comment "snat (networkid: storage-net)"
-        oifname "vlan104009" ip saddr 10.0.18.0/22 ip daddr != 185.1.2.3 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan3982" ip saddr 10.0.18.0/22 counter masquerade random comment "snat (networkid: storage-net)"
+        oifname "vlan104009" ip saddr 10.0.18.0/22 ip daddr != 185.1.2.3 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
     }
 }
diff --git a/pkg/netconf/testdata/nftrules_vpn b/pkg/netconf/testdata/nftrules_vpn
@@ -68,7 +68,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
-        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
-        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)"
+        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: mpls-nbg-w8101-test)"
     }
 }
diff --git a/pkg/netconf/testdata/nftrules_with_rules b/pkg/netconf/testdata/nftrules_with_rules
@@ -77,7 +77,7 @@ table inet nat {
     }
     chain postrouting {
         type nat hook postrouting priority 0; policy accept;
-        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: internet-vagrant-lab)"
-        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade comment "snat (networkid: mpls-nbg-w8101-test)"
+        oifname "vlan104009" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: internet-vagrant-lab)"
+        oifname "vlan104010" ip saddr 10.0.16.0/22 counter masquerade random comment "snat (networkid: mpls-nbg-w8101-test)"
     }
 }
diff --git a/pkg/netconf/tpl/nftrules.tpl b/pkg/netconf/tpl/nftrules.tpl
@@ -111,8 +111,8 @@ table inet nat {
         {{- $outspec:=.OutIntSpec }}
         {{- range .SourceSpecs }}
         {{- if and $outspec.Address (eq $outspec.AddressFamily .AddressFamily) }}
-        oifname "{{ $out }}" {{ .AddressFamily }} saddr {{ .Address }} {{ .AddressFamily }} daddr != {{ $outspec.Address }} counter masquerade comment "{{ $cmt }}"{{ else }}
-        oifname "{{ $out }}" {{ .AddressFamily }} saddr {{ .Address }} counter masquerade comment "{{ $cmt }}"
+        oifname "{{ $out }}" {{ .AddressFamily }} saddr {{ .Address }} {{ .AddressFamily }} daddr != {{ $outspec.Address }} counter masquerade random comment "{{ $cmt }}"{{ else }}
+        oifname "{{ $out }}" {{ .AddressFamily }} saddr {{ .Address }} counter masquerade random comment "{{ $cmt }}"
         {{- end }}
         {{- end }}
         {{- end }}