
randomize snat source ports for static egress IPs
mwennrich committed May 27, 2024
1 parent 3e4b556 commit c1ced7d
Showing 4 changed files with 7 additions and 7 deletions.
2 changes: 1 addition & 1 deletion pkg/nftables/rendering_test.go
Expand Up @@ -39,7 +39,7 @@ func TestFirewallRenderingData_renderString(t *testing.T) {
},
InternalPrefixes: "1.2.3.0/24, 2.3.4.0/8",
RateLimitRules: []string{"meta iifname \"eth0\" limit rate over 10 mbytes/second counter name drop_ratelimit drop"},
SnatRules: []string{"ip saddr { 10.0.0.0/8 } oifname \"vlan104009\" counter snat 185.1.2.3 comment \"snat internet\""},
SnatRules: []string{"ip saddr { 10.0.0.0/8 } oifname \"vlan104009\" counter snat 185.1.2.3 random comment \"snat internet\""},
PrivateVrfID: uint(42),
AdditionalDNSAddrs: []string{"8.9.10.11", "4.5.6.7"},
},
2 changes: 1 addition & 1 deletion pkg/nftables/snat.go
Expand Up @@ -16,7 +16,7 @@ type snatRule struct {
}

func (s *snatRule) String() string {
return fmt.Sprintf(`ip saddr { %s } oifname "%s" counter snat %s comment "%s"`, s.sourceNetworks, s.oifname, s.to, s.comment)
return fmt.Sprintf(`ip saddr { %s } oifname "%s" counter snat %s random comment "%s"`, s.sourceNetworks, s.oifname, s.to, s.comment)
}

// snatRules generates the nftables rules for SNAT based on the firewall spec
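Review bot: The `random` flag is appended unconditionally in `String()` at L33, and the commit message frames it as a source-port randomization measure, but in nftables `random` and `fully-random` are distinct: as far as I know `random` derives the starting port from a keyed hash of the flow tuple, while `fully-random` draws a fresh random value per connection, so if the goal is to make egress ports unpredictable for UDP clients behind the static IP (for instance resolvers, where port unpredictability is the defence against off-path spoofing), `fully-random` is the stronger choice and should be confirmed against the target kernel before settling on `random`. Whichever is chosen, the method deserves a why-comment so the next reader does not drop the flag as noise, e.g. `// "random" enables randomized SNAT source-port selection instead of sequential allocation per egress IP; see nft(8), nat statement flags.` The `snatRules` function declared at L36 continues past the hunk, and the map-based rule form shown in snat_test.go (`... map { ... } random`) is rendered by code not visible here, so I cannot confirm both rendering paths agree on flag placement.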
8 changes: 4 additions & 4 deletions pkg/nftables/snat_test.go
Expand Up @@ -75,8 +75,8 @@ func TestSnatRules(t *testing.T) {
},
cwnps: firewallv1.ClusterwideNetworkPolicyList{},
want: nftablesRules{
`ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } comment "snat for internet"`,
`ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 comment "snat for mpls"`,
`ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } random comment "snat for internet"`,
`ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 random comment "snat for mpls"`,
},
},
{
Expand Down Expand Up @@ -151,8 +151,8 @@ func TestSnatRules(t *testing.T) {
want: nftablesRules{
`ip saddr { 10.0.1.0/24 } tcp dport { 53 } accept comment "escape snat for dns proxy tcp"`,
`ip saddr { 10.0.1.0/24 } udp dport { 53 } accept comment "escape snat for dns proxy udp"`,
`ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } comment "snat for internet"`,
`ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 comment "snat for mpls"`,
`ip saddr { 10.0.1.0/24 } oifname "vlan1" counter snat to jhash ip daddr . tcp sport mod 2 map { 0 : 185.0.0.2, 1 : 185.0.0.3 } random comment "snat for internet"`,
`ip saddr { 10.0.1.0/24 } oifname "vlan2" counter snat 100.0.0.2 random comment "snat for mpls"`,
},
},
{
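Review bot: The updated expectations at L46-L47 and L57-L58 only pin the rendered string, so a misplaced flag (for example `random` following the `map { ... }` expression in the jhash variant at L46 and L57, if nft expects it elsewhere) would pass this test and only fail when the ruleset is loaded on the firewall. If the suite has no step that feeds the rendered ruleset to `nft -c -f` (the golden files under test_data/ would be a natural input), consider adding one so grammar regressions in flag placement surface in CI rather than at deployment. This is a coverage observation, not a claim that the map form is invalid; I cannot verify nft's grammar from here.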
2 changes: 1 addition & 1 deletion pkg/nftables/test_data/more-rules.nftable.v4
Expand Up @@ -62,7 +62,7 @@ table inet firewall {

chain postrouting {
type nat hook postrouting priority -1; policy accept;
ip saddr { 10.0.0.0/8 } oifname "vlan104009" counter snat 185.1.2.3 comment "snat internet"
ip saddr { 10.0.0.0/8 } oifname "vlan104009" counter snat 185.1.2.3 random comment "snat internet"
}
}

