Commit 41f4689a authored by Eric Leblond's avatar Eric Leblond Committed by David S. Miller

[NETFILTER]: NAT: optional source port randomization support



This patch adds optional support for randomizing the source ports chosen by NAT.

Signed-off-by: default avatarEric Leblond <eric@inl.fr>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent cdd289a2
+1 −0
@@ -16,6 +16,7 @@ enum ip_nat_manip_type

#define IP_NAT_RANGE_MAP_IPS 1
#define IP_NAT_RANGE_PROTO_SPECIFIED 2
#define IP_NAT_RANGE_PROTO_RANDOM 4 /* add randomness to "port" selection */

/* NAT sequence number modifications */
struct ip_nat_seq {
+1 −0
@@ -16,6 +16,7 @@ enum nf_nat_manip_type

#define IP_NAT_RANGE_MAP_IPS 1
#define IP_NAT_RANGE_PROTO_SPECIFIED 2
#define IP_NAT_RANGE_PROTO_RANDOM 4

/* NAT sequence number modifications */
struct nf_nat_seq {
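Review bot: The new `#define IP_NAT_RANGE_PROTO_RANDOM 4` in this header carries none of the explanation its ip_nat.h twin has, so a reader of the nf_nat variant gets no hint that the flag affects only port selection and not the address mapping; suggest mirroring it as `#define IP_NAT_RANGE_PROTO_RANDOM 4 /* add randomness to "port" selection */`. Keeping the IP_NAT_RANGE_* names and values identical across both headers looks deliberate so that the same userspace range struct works with either NAT implementation, but that is inferred from the two hunks rather than stated anywhere in the commit.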
+10 −2
@@ -246,6 +246,7 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
	if (maniptype == IP_NAT_MANIP_SRC) {
		if (find_appropriate_src(orig_tuple, tuple, range)) {
			DEBUGP("get_unique_tuple: Found current src map\n");
			if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM))
				if (!ip_nat_used_tuple(tuple, conntrack))
					return;
		}
@@ -261,6 +262,13 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,

	proto = ip_nat_proto_find_get(orig_tuple->dst.protonum);

	/* Change protocol info to have some randomization */
	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
		proto->unique_tuple(tuple, range, maniptype, conntrack);
		ip_nat_proto_put(proto);
		return;
	}

	/* Only bother mapping if it's not already in range and unique */
	if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
	     || proto->in_range(tuple, maniptype, &range->min, &range->max))
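Review bot: The new `if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM))` wrapped around the existing `ip_nat_used_tuple` check in the first hunk changes mapping semantics without saying so: when the flag is set, a source mapping that find_appropriate_src has just found is no longer reused, and execution falls through with `tuple` apparently already overwritten by that lookup, relying on the later code to pick a fresh address and port. That deserves a comment, e.g. `/* PROTO_RANDOM: never reuse an existing src mapping; a fresh random port is chosen below */`, and the two nested braceless ifs read more clearly as one guard: `if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM) && !ip_nat_used_tuple(tuple, conntrack)) return;`. The early return added in the second hunk ignores the result of `proto->unique_tuple()` just as the pre-existing tail of the function does, so no new failure is hidden, but a practitioner enabling this flag should know it also disables the per-source port reuse that some NAT-traversal schemes depend on (inferred from the discarded mapping, not stated in the patch). get_unique_tuple starts before the first hunk and continues past the last line shown.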
+5 −0
@@ -8,6 +8,7 @@

#include <linux/types.h>
#include <linux/init.h>
#include <linux/random.h>
#include <linux/netfilter.h>
#include <linux/ip.h>
#include <linux/tcp.h>
@@ -75,6 +76,10 @@ tcp_unique_tuple(struct ip_conntrack_tuple *tuple,
		range_size = ntohs(range->max.tcp.port) - min + 1;
	}

	/* Start from random port to avoid prediction */
	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
		port =  net_random();

	for (i = 0; i < range_size; i++, port++) {
		*portptr = htons(min + port % range_size);
		if (!ip_nat_used_tuple(tuple, conntrack)) {
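Review bot: `port =  net_random();` under the comment "Start from random port to avoid prediction" draws its value from a generator that, in kernels of this vintage, appears to be the non-cryptographic random32() LFSR rather than the CRNG (confirm against include/linux/net.h); an observer who collects a handful of allocated ports can recover that generator's state and predict the next starting point, which is precisely what the flag is meant to prevent. Since the first hunk already pulls in `<linux/random.h>`, the stronger form is `get_random_bytes(&port, sizeof(port));`, or at minimum the comment should say the start point is only pseudo-random so nobody treats the flag as a hardening guarantee. The double space in `port =  net_random();` is also out of step with the rest of the file. tcp_unique_tuple begins and ends outside the hunk, so the declaration and type of `port` (presumably the file-static rover used by the non-random path, which this assignment also reseeds) cannot be checked from here.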
+5 −0
@@ -8,6 +8,7 @@

#include <linux/types.h>
#include <linux/init.h>
#include <linux/random.h>
#include <linux/netfilter.h>
#include <linux/ip.h>
#include <linux/udp.h>
@@ -74,6 +75,10 @@ udp_unique_tuple(struct ip_conntrack_tuple *tuple,
		range_size = ntohs(range->max.udp.port) - min + 1;
	}

	/* Start from random port to avoid prediction */
	if (range->flags & IP_NAT_RANGE_PROTO_RANDOM)
		port = net_random();

	for (i = 0; i < range_size; i++, port++) {
		*portptr = htons(min + port % range_size);
		if (!ip_nat_used_tuple(tuple, conntrack))
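Review bot: Only the starting point is randomized here; the loop that follows, `for (i = 0; i < range_size; i++, port++)`, still walks the range sequentially, so whenever the first candidate collides the port actually chosen is the random start plus a small offset, and on a busy NAT an observer who learns one mapped port can guess the ones allocated right after it with good probability. UDP is the path where this matters most (DNS resolver queries behind the NAT), so it is worth either re-drawing `port` on each iteration when the flag is set instead of incrementing it in the for-header, or documenting in the comment that the randomness covers only the first probe. As in the TCP counterpart, `net_random()` is presumably the non-cryptographic generator, and `get_random_bytes(&port, sizeof(port));` from the already-included `<linux/random.h>` would be the stronger choice if the fast-path cost is acceptable. udp_unique_tuple starts before the hunk and its loop body continues past the last line shown.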