Score:1

What is UDP Masquerading behavior when forwarding and listening on the same port to the same remote address?


Assuming the following:

|netns2| <-kernel routing-> |netnsRoot| <-network routing-> |remote server|

netns2

  • is a network namespace
  • has a client that connects to the UDP server on UDP/5060

netnsRoot

  • is the root network namespace (i.e. typical Linux routing)
  • has a client that connects to the UDP server on UDP/5060
  • has ip_forward enabled and a Masquerade rule for netns2

Server

  • Only sees traffic from the netnsRoot external interface

How does Masquerade behave in netnsRoot? I would expect that it would forward packets from netns2, but that the client in netnsRoot would receive all messages first. This is not what I think I am seeing; instead, I am seeing netns2 NAT punch and take over the port for a period of time.

Is this behavior documented anywhere?

A.B
You should check this: https://breakpointingbad.com/2021/09/08/Port-Shadows-via-Network-Alchemy.html and the Netfilter mailing list: https://marc.info/?l=netfilter-devel&m=163240274903944&w=2 (this is an RFC; not sure anything can be done automatically about it yet).
Score:0

OK, I decided to quantify this myself.

|netnsa| <-kernel routing-> |netnsr| <-kernel routing-> |netnsb|
  • netnsb has a route to netnsa
  • netnsr has ip_forward enabled

Masquerade and netnsb client

Enabling Masquerade in netnsr and having a netnsb client connect to a netnsa server on 5060 from 5060 shows that 5060 is used exiting netnsr.

Masquerade and both client

Enabling Masquerade in netnsr, having a netnsb client connect to a netnsa server on 5060 from 5060, and having the same client run in netnsr shows:

  • netnsr client talking on 5060 externally
  • netnsb client talking on 29683 externally

This is confirmed by the conntrack entries:

udp      17 119 src=10.216.210.2 dst=10.216.100.2 sport=5060 dport=5060 src=10.216.100.2 dst=10.216.100.1 sport=5060 dport=29683 [ASSURED] mark=0 use=1
udp      17 119 src=10.216.100.1 dst=10.216.100.2 sport=5060 dport=5060 src=10.216.100.2 dst=10.216.100.1 sport=5060 dport=5060 [ASSURED] mark=0 use=1
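As an added example, not part of the question or answer above, the two conntrack entries posted in the answer can be parsed to make the behaviour explicit. In a conntrack entry the first src/dst/sport/dport group is the original direction (the packet as the client sent it) and the second group is the reply direction; after SNAT/MASQUERADE the server replies to the NATed address, so the address and port the server actually sees are the reply tuple's dst and dport. Comparing the original sport with the reply dport therefore shows which client kept 5060 on the wire and which one MASQUERADE moved to 29683 because the external 4-tuple was already taken. The script is mine; the sample lines are the ones from the answer, and the class and function names are my own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The two conntrack entries posted in the answer above ("Masquerade and both client").
SAMPLE_CONNTRACK = """\
udp      17 119 src=10.216.210.2 dst=10.216.100.2 sport=5060 dport=5060 src=10.216.100.2 dst=10.216.100.1 sport=5060 dport=29683 [ASSURED] mark=0 use=1
udp      17 119 src=10.216.100.1 dst=10.216.100.2 sport=5060 dport=5060 src=10.216.100.2 dst=10.216.100.1 sport=5060 dport=5060 [ASSURED] mark=0 use=1
"""

KV_RE = re.compile(r"\b(src|dst|sport|dport)=(\S+)")


@dataclass
class Flow:
    proto: str
    timeout: int
    orig: Dict[str, str]   # first src/dst/sport/dport group: the packet as the client sent it
    reply: Dict[str, str]  # second group: the packet as the server sends it back
    assured: bool

    @property
    def internal_src(self) -> Tuple[str, int]:
        """Source address:port before NAT, i.e. what the client bound."""
        return self.orig["src"], int(self.orig["sport"])

    @property
    def external_src(self) -> Tuple[str, int]:
        """Source address:port the server sees. After SNAT/MASQUERADE the server replies
        to the NATed address, which conntrack stores as the reply tuple's dst/dport."""
        return self.reply["dst"], int(self.reply["dport"])

    @property
    def snat_applied(self) -> bool:
        return self.orig["src"] != self.reply["dst"]

    @property
    def port_remapped(self) -> bool:
        return int(self.orig["sport"]) != int(self.reply["dport"])


def parse_conntrack(text: str) -> List[Flow]:
    """Parse `conntrack -L` style lines. Only the two address tuples are used, so an
    optional TCP state column between the timeout and the tuples does not matter."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        head = line.split()
        pairs = KV_RE.findall(line)
        if len(pairs) != 8:
            raise ValueError(f"unexpected tuple layout: {line!r}")
        flows.append(Flow(proto=head[0], timeout=int(head[2]),
                          orig=dict(pairs[:4]), reply=dict(pairs[4:]),
                          assured="[ASSURED]" in line))
    return flows


def shared_port_report(flows: List[Flow]) -> Dict[tuple, dict]:
    """Group flows that would all present the same (ext ip, sport) -> (dst, dport) 4-tuple
    to the server, and say which one kept its source port and which were moved by NAT."""
    groups: Dict[tuple, List[Flow]] = {}
    for f in flows:
        key = (f.proto, f.external_src[0], f.orig["dst"], int(f.orig["dport"]), int(f.orig["sport"]))
        groups.setdefault(key, []).append(f)
    report = {}
    for key, members in groups.items():
        if len(members) < 2:
            continue  # nothing to collide with
        report[key] = {
            "kept": [m.internal_src for m in members if not m.port_remapped],
            "moved": {m.internal_src: m.external_src[1] for m in members if m.port_remapped},
        }
    return report


if __name__ == "__main__":
    for key, r in shared_port_report(parse_conntrack(SAMPLE_CONNTRACK)).items():
        proto, ext_ip, dst, dport, sport = key
        print(f"{proto} {ext_ip}:{sport} -> {dst}:{dport}")
        for who in r["kept"]:
            print(f"  kept port: {who[0]}:{who[1]}")
        for who, port in r["moved"].items():
            print(f"  remapped : {who[0]}:{who[1]} now leaves as {ext_ip}:{port}")
```

Run it against the output of `conntrack -L` in netnsr (or paste the lines into SAMPLE_CONNTRACK) to see the grouping: the local netnsr client, whose traffic is not SNATed, keeps 5060, and the netnsb client, whose source address is rewritten to netnsr's external address, is given a different source port because 10.216.100.1:5060 -> 10.216.100.2:5060 is already in use.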
