aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/linux/netfilter_ipv4/ip_nat.h1
-rw-r--r--include/net/netfilter/nf_nat.h1
-rw-r--r--net/ipv4/netfilter/ip_nat_core.c12
-rw-r--r--net/ipv4/netfilter/ip_nat_proto_tcp.c5
-rw-r--r--net/ipv4/netfilter/ip_nat_proto_udp.c5
-rw-r--r--net/ipv4/netfilter/ip_nat_rule.c4
-rw-r--r--net/ipv4/netfilter/nf_nat_core.c12
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_tcp.c4
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_udp.c4
-rw-r--r--net/ipv4/netfilter/nf_nat_rule.c4
10 files changed, 48 insertions, 4 deletions
diff --git a/include/linux/netfilter_ipv4/ip_nat.h b/include/linux/netfilter_ipv4/ip_nat.h
index bdf553620ca1..bbca89aab813 100644
--- a/include/linux/netfilter_ipv4/ip_nat.h
+++ b/include/linux/netfilter_ipv4/ip_nat.h
@@ -16,6 +16,7 @@ enum ip_nat_manip_type
16 16
17#define IP_NAT_RANGE_MAP_IPS 1 17#define IP_NAT_RANGE_MAP_IPS 1
18#define IP_NAT_RANGE_PROTO_SPECIFIED 2 18#define IP_NAT_RANGE_PROTO_SPECIFIED 2
19#define IP_NAT_RANGE_PROTO_RANDOM 4 /* add randomness to "port" selection */
19 20
20/* NAT sequence number modifications */ 21/* NAT sequence number modifications */
21struct ip_nat_seq { 22struct ip_nat_seq {
diff --git a/include/net/netfilter/nf_nat.h b/include/net/netfilter/nf_nat.h
index 61c62068ca6b..bc57dd7b9b5c 100644
--- a/include/net/netfilter/nf_nat.h
+++ b/include/net/netfilter/nf_nat.h
@@ -16,6 +16,7 @@ enum nf_nat_manip_type
16 16
17#define IP_NAT_RANGE_MAP_IPS 1 17#define IP_NAT_RANGE_MAP_IPS 1
18#define IP_NAT_RANGE_PROTO_SPECIFIED 2 18#define IP_NAT_RANGE_PROTO_SPECIFIED 2
19#define IP_NAT_RANGE_PROTO_RANDOM 4
19 20
20/* NAT sequence number modifications */ 21/* NAT sequence number modifications */
21struct nf_nat_seq { 22struct nf_nat_seq {
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index 9d1a5175dcd4..5e08c2bf887d 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -246,8 +246,9 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
246 if (maniptype == IP_NAT_MANIP_SRC) { 246 if (maniptype == IP_NAT_MANIP_SRC) {
247 if (find_appropriate_src(orig_tuple, tuple, range)) { 247 if (find_appropriate_src(orig_tuple, tuple, range)) {
248 DEBUGP("get_unique_tuple: Found current src map\n"); 248 DEBUGP("get_unique_tuple: Found current src map\n");
249 if (!ip_nat_used_tuple(tuple, conntrack)) 249 if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM))
250 return; 250 if (!ip_nat_used_tuple(tuple, conntrack))
251 return;
251 } 252 }
252 } 253 }
253 254
@@ -261,6 +262,13 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
261 262
262 proto = ip_nat_proto_find_get(orig_tuple->dst.protonum); 263 proto = ip_nat_proto_find_get(orig_tuple->dst.protonum);
263 264
265 /* Change protocol info to have some randomization */
266 if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
267 proto->unique_tuple(tuple, range, maniptype, conntrack);
268 ip_nat_proto_put(proto);
269 return;
270 }
271
264 /* Only bother mapping if it's not already in range and unique */ 272 /* Only bother mapping if it's not already in range and unique */
265 if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) 273 if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
266 || proto->in_range(tuple, maniptype, &range->min, &range->max)) 274 || proto->in_range(tuple, maniptype, &range->min, &range->max))
diff --git a/net/ipv4/netfilter/ip_nat_proto_tcp.c b/net/ipv4/netfilter/ip_nat_proto_tcp.c
index b586d18b3fb3..14ff24f53a7a 100644
--- a/net/ipv4/netfilter/ip_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_tcp.c
@@ -8,6 +8,7 @@
8 8
9#include <linux/types.h> 9#include <linux/types.h>
10#include <linux/init.h> 10#include <linux/init.h>
11#include <linux/random.h>
11#include <linux/netfilter.h> 12#include <linux/netfilter.h>
12#include <linux/ip.h> 13#include <linux/ip.h>
13#include <linux/tcp.h> 14#include <linux/tcp.h>
@@ -75,6 +76,10 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple,
75 range_size = ntohs(range->max.tcp.port) - min + 1; 76 range_size = ntohs(range->max.tcp.port) - min + 1;
76 } 77 }
77 78
79 /* Start from random port to avoid prediction */
80 if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
81 port = net_random();
82
78 for (i = 0; i < range_size; i++, port++) { 83 for (i = 0; i < range_size; i++, port++) {
79 *portptr = htons(min + port % range_size); 84 *portptr = htons(min + port % range_size);
80 if (!ip_nat_used_tuple(tuple, conntrack)) { 85 if (!ip_nat_used_tuple(tuple, conntrack)) {
diff --git a/net/ipv4/netfilter/ip_nat_proto_udp.c b/net/ipv4/netfilter/ip_nat_proto_udp.c
index 5ced0877b32f..dfd521672891 100644
--- a/net/ipv4/netfilter/ip_nat_proto_udp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_udp.c
@@ -8,6 +8,7 @@
8 8
9#include <linux/types.h> 9#include <linux/types.h>
10#include <linux/init.h> 10#include <linux/init.h>
11#include <linux/random.h>
11#include <linux/netfilter.h> 12#include <linux/netfilter.h>
12#include <linux/ip.h> 13#include <linux/ip.h>
13#include <linux/udp.h> 14#include <linux/udp.h>
@@ -74,6 +75,10 @@ udp_unique_tuple(struct ip_conntrack_tuple *tuple,
74 range_size = ntohs(range->max.udp.port) - min + 1; 75 range_size = ntohs(range->max.udp.port) - min + 1;
75 } 76 }
76 77
78 /* Start from random port to avoid prediction */
79 if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
80 port = net_random();
81
77 for (i = 0; i < range_size; i++, port++) { 82 for (i = 0; i < range_size; i++, port++) {
78 *portptr = htons(min + port % range_size); 83 *portptr = htons(min + port % range_size);
79 if (!ip_nat_used_tuple(tuple, conntrack)) 84 if (!ip_nat_used_tuple(tuple, conntrack))
diff --git a/net/ipv4/netfilter/ip_nat_rule.c b/net/ipv4/netfilter/ip_nat_rule.c
index a176aa3031e0..6ebaad36c06d 100644
--- a/net/ipv4/netfilter/ip_nat_rule.c
+++ b/net/ipv4/netfilter/ip_nat_rule.c
@@ -193,6 +193,10 @@ static int ipt_dnat_checkentry(const char *tablename,
193 printk("DNAT: multiple ranges no longer supported\n"); 193 printk("DNAT: multiple ranges no longer supported\n");
194 return 0; 194 return 0;
195 } 195 }
196 if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM) {
197 printk("DNAT: port randomization not supported\n");
198 return 0;
199 }
196 return 1; 200 return 1;
197} 201}
198 202
diff --git a/net/ipv4/netfilter/nf_nat_core.c b/net/ipv4/netfilter/nf_nat_core.c
index 86a92272b053..998b2557692c 100644
--- a/net/ipv4/netfilter/nf_nat_core.c
+++ b/net/ipv4/netfilter/nf_nat_core.c
@@ -254,8 +254,9 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
254 if (maniptype == IP_NAT_MANIP_SRC) { 254 if (maniptype == IP_NAT_MANIP_SRC) {
255 if (find_appropriate_src(orig_tuple, tuple, range)) { 255 if (find_appropriate_src(orig_tuple, tuple, range)) {
256 DEBUGP("get_unique_tuple: Found current src map\n"); 256 DEBUGP("get_unique_tuple: Found current src map\n");
257 if (!nf_nat_used_tuple(tuple, ct)) 257 if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM))
258 return; 258 if (!nf_nat_used_tuple(tuple, ct))
259 return;
259 } 260 }
260 } 261 }
261 262
@@ -269,6 +270,13 @@ get_unique_tuple(struct nf_conntrack_tuple *tuple,
269 270
270 proto = nf_nat_proto_find_get(orig_tuple->dst.protonum); 271 proto = nf_nat_proto_find_get(orig_tuple->dst.protonum);
271 272
273 /* Change protocol info to have some randomization */
274 if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
275 proto->unique_tuple(tuple, range, maniptype, ct);
276 nf_nat_proto_put(proto);
277 return;
278 }
279
272 /* Only bother mapping if it's not already in range and unique */ 280 /* Only bother mapping if it's not already in range and unique */
273 if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) || 281 if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) ||
274 proto->in_range(tuple, maniptype, &range->min, &range->max)) && 282 proto->in_range(tuple, maniptype, &range->min, &range->max)) &&
diff --git a/net/ipv4/netfilter/nf_nat_proto_tcp.c b/net/ipv4/netfilter/nf_nat_proto_tcp.c
index 7e26a7e9bee1..439164c7a626 100644
--- a/net/ipv4/netfilter/nf_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_tcp.c
@@ -8,6 +8,7 @@
8 8
9#include <linux/types.h> 9#include <linux/types.h>
10#include <linux/init.h> 10#include <linux/init.h>
11#include <linux/random.h>
11#include <linux/ip.h> 12#include <linux/ip.h>
12#include <linux/tcp.h> 13#include <linux/tcp.h>
13 14
@@ -75,6 +76,9 @@ tcp_unique_tuple(struct nf_conntrack_tuple *tuple,
75 range_size = ntohs(range->max.tcp.port) - min + 1; 76 range_size = ntohs(range->max.tcp.port) - min + 1;
76 } 77 }
77 78
79 if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
80 port = net_random();
81
78 for (i = 0; i < range_size; i++, port++) { 82 for (i = 0; i < range_size; i++, port++) {
79 *portptr = htons(min + port % range_size); 83 *portptr = htons(min + port % range_size);
80 if (!nf_nat_used_tuple(tuple, ct)) 84 if (!nf_nat_used_tuple(tuple, ct))
diff --git a/net/ipv4/netfilter/nf_nat_proto_udp.c b/net/ipv4/netfilter/nf_nat_proto_udp.c
index ab0ce4c8699f..8cae6e063bb6 100644
--- a/net/ipv4/netfilter/nf_nat_proto_udp.c
+++ b/net/ipv4/netfilter/nf_nat_proto_udp.c
@@ -8,6 +8,7 @@
8 8
9#include <linux/types.h> 9#include <linux/types.h>
10#include <linux/init.h> 10#include <linux/init.h>
11#include <linux/random.h>
11#include <linux/ip.h> 12#include <linux/ip.h>
12#include <linux/udp.h> 13#include <linux/udp.h>
13 14
@@ -73,6 +74,9 @@ udp_unique_tuple(struct nf_conntrack_tuple *tuple,
73 range_size = ntohs(range->max.udp.port) - min + 1; 74 range_size = ntohs(range->max.udp.port) - min + 1;
74 } 75 }
75 76
77 if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
78 port = net_random();
79
76 for (i = 0; i < range_size; i++, port++) { 80 for (i = 0; i < range_size; i++, port++) {
77 *portptr = htons(min + port % range_size); 81 *portptr = htons(min + port % range_size);
78 if (!nf_nat_used_tuple(tuple, ct)) 82 if (!nf_nat_used_tuple(tuple, ct))
diff --git a/net/ipv4/netfilter/nf_nat_rule.c b/net/ipv4/netfilter/nf_nat_rule.c
index b868ee0195d4..3745efe70302 100644
--- a/net/ipv4/netfilter/nf_nat_rule.c
+++ b/net/ipv4/netfilter/nf_nat_rule.c
@@ -226,6 +226,10 @@ static int ipt_dnat_checkentry(const char *tablename,
226 printk("DNAT: multiple ranges no longer supported\n"); 226 printk("DNAT: multiple ranges no longer supported\n");
227 return 0; 227 return 0;
228 } 228 }
229 if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM) {
230 printk("DNAT: port randomization not supported\n");
231 return 0;
232 }
229 return 1; 233 return 1;
230} 234}
231 235