[netfilter-cvslog] r6848 - trunk/iptables/extensions

kaber at trash.net kaber at trash.net
Tue May 29 13:24:46 CEST 2007


Author: kaber at trash.net
Date: 2007-05-29 13:24:45 +0200 (Tue, 29 May 2007)
New Revision: 6848

Modified:
   trunk/iptables/extensions/libipt_DNAT.c
   trunk/iptables/extensions/libipt_DNAT.man
   trunk/iptables/extensions/libipt_MASQUERADE.man
   trunk/iptables/extensions/libipt_REDIRECT.c
   trunk/iptables/extensions/libipt_REDIRECT.man
   trunk/iptables/extensions/libipt_SNAT.c
   trunk/iptables/extensions/libipt_SNAT.man
Log:
Add --random option to DNAT and REDIRECT targets and fix the manpage mess this option left behind.


Modified: trunk/iptables/extensions/libipt_DNAT.c
===================================================================
--- trunk/iptables/extensions/libipt_DNAT.c	2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_DNAT.c	2007-05-29 11:24:45 UTC (rev 6848)
@@ -8,6 +8,9 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter/nf_nat.h>
 
+#define IPT_DNAT_OPT_DEST 0x1
+#define IPT_DNAT_OPT_RANDOM 0x2
+
 /* Dest NAT data consists of a multi-range, indicating where to map
    to. */
 struct ipt_natinfo
@@ -24,12 +27,14 @@
 "DNAT v%s options:\n"
 " --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
 "				Address to map destination to.\n"
-"				(You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
 IPTABLES_VERSION);
 }
 
 static struct option opts[] = {
 	{ "to-destination", 1, 0, '1' },
+	{ "random", 0, 0, '2' },
 	{ 0 }
 };
 
@@ -163,9 +168,18 @@
 					   "Multiple --to-destination not supported");
 		}
 		*target = parse_to(optarg, portok, info);
-		*flags = 1;
+		/* WTF do we need this for?? */
+		if (*flags & IPT_DNAT_OPT_RANDOM)
+			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+		*flags |= IPT_DNAT_OPT_DEST;
 		return 1;
 
+	case '2':
+		if (*flags & IPT_DNAT_OPT_DEST) {
+			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+			*flags |= IPT_DNAT_OPT_RANDOM;
+		} else
+			*flags |= IPT_DNAT_OPT_RANDOM;
 	default:
 		return 0;
 	}
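Review bot: The new `case '2':` for `--random` has no `return 1;` and falls straight through into `default: return 0;`, so the option is recorded in `*flags` but reported to the caller as unhandled, unlike the matching REDIRECT branch added in this same commit; add `return 1;` after the `else` arm. A related order-dependence point: the "Multiple --to-destination not supported" check whose condition sits just above the hunk was written when `*flags` was a plain 0/1, and if it still tests `*flags` rather than `*flags & IPT_DNAT_OPT_DEST`, a rule giving `--random` before `--to-destination` will be rejected with that message — worth confirming against the lines above. The `/* WTF do we need this for?? */` comment copied from SNAT should say why instead: `/* --random may precede --to-destination; apply it once range[0] exists */`. parse() starts and ends outside the hunk.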
@@ -212,6 +226,8 @@
 	for (i = 0; i < info->mr.rangesize; i++) {
 		print_range(&info->mr.range[i]);
 		printf(" ");
+		if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+			printf("random ");
 	}
 }
 
@@ -226,6 +242,8 @@
 		printf("--to-destination ");
 		print_range(&info->mr.range[i]);
 		printf(" ");
+		if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+			printf("--random ");
 	}
 }
 

Modified: trunk/iptables/extensions/libipt_DNAT.man
===================================================================
--- trunk/iptables/extensions/libipt_DNAT.man	2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_DNAT.man	2007-05-29 11:24:45 UTC (rev 6848)
@@ -20,12 +20,17 @@
 If no port range is specified, then the destination port will never be
 modified. If no IP address is specified then only the destination port
 will be modified.
-.RS
-.PP
+
 In Kernels up to 2.6.10 you can add several --to-destination options.  For
 those kernels, if you specify more than one destination address, either via an
 address range or multiple --to-destination options, a simple round-robin (one
 after another in cycle) load balancing takes place between these addresses.
 Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
 anymore.
-
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP

Modified: trunk/iptables/extensions/libipt_MASQUERADE.man
===================================================================
--- trunk/iptables/extensions/libipt_MASQUERADE.man	2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_MASQUERADE.man	2007-05-29 11:24:45 UTC (rev 6848)
@@ -14,19 +14,17 @@
 .TP
 .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
 This specifies a range of source ports to use, overriding the default
-.TP
-.BR "--random"
-Randomize source port mapping
-.TP
 .B SNAT
 source port-selection heuristics (see above).  This is only valid
 if the rule also specifies
 .B "-p tcp"
 or
 .BR "-p udp" .
+.TP
+.BR "--random"
+Randomize source port mapping
 If option
 .B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-
-
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP

Modified: trunk/iptables/extensions/libipt_REDIRECT.c
===================================================================
--- trunk/iptables/extensions/libipt_REDIRECT.c	2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_REDIRECT.c	2007-05-29 11:24:45 UTC (rev 6848)
@@ -8,6 +8,9 @@
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter/nf_nat.h>
 
+#define IPT_REDIRECT_OPT_DEST	0x01
+#define IPT_REDIRECT_OPT_RANDOM	0x02
+
 /* Function which prints out usage message. */
 static void
 help(void)
@@ -21,6 +24,7 @@
 
 static struct option opts[] = {
 	{ "to-ports", 1, 0, '1' },
+	{ "random", 1, 0, '2' },
 	{ 0 }
 };
 
@@ -101,8 +105,19 @@
 				   "Unexpected `!' after --to-ports");
 
 		parse_ports(optarg, mr);
+		if (*flags & IPT_REDIRECT_OPT_RANDOM)
+			mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+		*flags |= IPT_REDIRECT_OPT_DEST;
 		return 1;
 
+	case '2':
+		if (*flags & IPT_REDIRECT_OPT_DEST) {
+			mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+			*flags |= IPT_REDIRECT_OPT_RANDOM;
+		} else
+			*flags |= IPT_REDIRECT_OPT_RANDOM;
+		return 1;
+
 	default:
 		return 0;
 	}
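Review bot: Both arms of the new `case '2':` set IPT_REDIRECT_OPT_RANDOM, so the if/else collapses to `*flags |= IPT_REDIRECT_OPT_RANDOM; if (*flags & IPT_REDIRECT_OPT_DEST) mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;`, which also reads as what it does: record the flag, and apply it now only if the port range has already been parsed. The mirror check added after `parse_ports(optarg, mr);` deserves a comment, `/* --random seen before --to-ports: apply it now that range[0] exists */`, so the two-way ordering handshake is obvious to the next reader. parse() begins outside the hunk.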
@@ -129,6 +144,8 @@
 		if (r->max.tcp.port != r->min.tcp.port)
 			printf("-%hu", ntohs(r->max.tcp.port));
 		printf(" ");
+		if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+			printf("random ");
 	}
 }
 
@@ -146,6 +163,8 @@
 		if (r->max.tcp.port != r->min.tcp.port)
 			printf("-%hu", ntohs(r->max.tcp.port));
 		printf(" ");
+		if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+			printf("--random ");
 	}
 }
 

Modified: trunk/iptables/extensions/libipt_REDIRECT.man
===================================================================
--- trunk/iptables/extensions/libipt_REDIRECT.man	2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_REDIRECT.man	2007-05-29 11:24:45 UTC (rev 6848)
@@ -17,3 +17,10 @@
 .B "-p tcp"
 or
 .BR "-p udp" .
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP

Modified: trunk/iptables/extensions/libipt_SNAT.c
===================================================================
--- trunk/iptables/extensions/libipt_SNAT.c	2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_SNAT.c	2007-05-29 11:24:45 UTC (rev 6848)
@@ -25,11 +25,10 @@
 {
 	printf(
 "SNAT v%s options:\n"
-" --to-source <ipaddr>[-<ipaddr>][:port-port]"
-"[--random]"
-"\n"
+" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
 "				Address to map source to.\n"
-"				(You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
 IPTABLES_VERSION);
 }
 
@@ -171,13 +170,13 @@
 		*target = parse_to(optarg, portok, info);
 		/* WTF do we need this for?? */
 		if (*flags & IPT_SNAT_OPT_RANDOM)
-			info->mr.range[0].flags |=  IP_NAT_RANGE_PROTO_RANDOM;
-		*flags = IPT_SNAT_OPT_SOURCE;
+			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+		*flags |= IPT_SNAT_OPT_SOURCE;
 		return 1;
 
 	case '2':
 		if (*flags & IPT_SNAT_OPT_SOURCE) {
-			info->mr.range[0].flags |=  IP_NAT_RANGE_PROTO_RANDOM;
+			info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
 			*flags |= IPT_SNAT_OPT_RANDOM;
 		} else
 			*flags |= IPT_SNAT_OPT_RANDOM;
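Review bot: The `/* WTF do we need this for?? */` comment kept above the `if (*flags & IPT_SNAT_OPT_RANDOM)` check records confusion rather than the reason, and the reason is visible in the two cases: `--random` may appear before `--to-source`, in which case range[0] is not populated yet, so `case '2'` only records the bit and `case '1'` applies it after parse_to(). Replace the comment with `/* --random given before --to-source: apply it now that range[0] is populated */`. The switch from `*flags = IPT_SNAT_OPT_SOURCE` to `|=` is what makes this work, since the plain assignment discarded an earlier IPT_SNAT_OPT_RANDOM; the enclosing parse() starts and ends outside the hunk.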

Modified: trunk/iptables/extensions/libipt_SNAT.man
===================================================================
--- trunk/iptables/extensions/libipt_SNAT.man	2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_SNAT.man	2007-05-29 11:24:45 UTC (rev 6848)
@@ -7,7 +7,7 @@
 mangled), and rules should cease being examined.  It takes one type
 of option:
 .TP
-.BR "--to-source  " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" [ "--random" ]
+.BR "--to-source  " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
 which can specify a single new source IP address, an inclusive range
 of IP addresses, and optionally, a port range (which is only valid if
 the rule also specifies
@@ -17,15 +17,18 @@
 If no port range is specified, then source ports below 512 will be
 mapped to other ports below 512: those between 512 and 1023 inclusive
 will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will  If option
-.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-.RS
-.PP
+1024 or above. Where possible, no port alteration will
+
 In Kernels up to 2.6.10, you can add several --to-source options.  For those
 kernels, if you specify more than one source address, either via an address
 range or multiple --to-source options, a simple round-robin (one after another
 in cycle) takes place between these addresses.
 Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
 anymore.
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP



