[netfilter-cvslog] r6848 - trunk/iptables/extensions
kaber at trash.net
kaber at trash.net
Tue May 29 13:24:46 CEST 2007
Author: kaber at trash.net
Date: 2007-05-29 13:24:45 +0200 (Tue, 29 May 2007)
New Revision: 6848
Modified:
trunk/iptables/extensions/libipt_DNAT.c
trunk/iptables/extensions/libipt_DNAT.man
trunk/iptables/extensions/libipt_MASQUERADE.man
trunk/iptables/extensions/libipt_REDIRECT.c
trunk/iptables/extensions/libipt_REDIRECT.man
trunk/iptables/extensions/libipt_SNAT.c
trunk/iptables/extensions/libipt_SNAT.man
Log:
Add --random option to DNAT and REDIRECT targets and fix the manpage mess this option left behind.
Modified: trunk/iptables/extensions/libipt_DNAT.c
===================================================================
--- trunk/iptables/extensions/libipt_DNAT.c 2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_DNAT.c 2007-05-29 11:24:45 UTC (rev 6848)
@@ -8,6 +8,9 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
+#define IPT_DNAT_OPT_DEST 0x1
+#define IPT_DNAT_OPT_RANDOM 0x2
+
/* Dest NAT data consists of a multi-range, indicating where to map
to. */
struct ipt_natinfo
@@ -24,12 +27,14 @@
"DNAT v%s options:\n"
" --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
" Address to map destination to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
static struct option opts[] = {
{ "to-destination", 1, 0, '1' },
+ { "random", 0, 0, '2' },
{ 0 }
};
@@ -163,9 +168,18 @@
"Multiple --to-destination not supported");
}
*target = parse_to(optarg, portok, info);
- *flags = 1;
+ /* WTF do we need this for?? */
+ if (*flags & IPT_DNAT_OPT_RANDOM)
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_DEST;
return 1;
+ case '2':
+ if (*flags & IPT_DNAT_OPT_DEST) {
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_RANDOM;
+ } else
+ *flags |= IPT_DNAT_OPT_RANDOM;
default:
return 0;
}
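Review bot: The new `case '2':` block (--random) does not end with `return 1;`, so after setting its flag bits it falls through into `default: return 0;`, and the option is reported back to iptables as not recognised by this target even though the flags were set; the REDIRECT version of the same case in this commit does end with `return 1;`. Add `return 1;` after `*flags |= IPT_DNAT_OPT_RANDOM;` (the `else` branch) so the case matches REDIRECT. The `/* WTF do we need this for?? */` comment copied into case '1' should also say what the check below it is for, e.g. `/* --random was given before --to-destination: apply it now that range[0] exists */`. The enclosing parse function starts and ends outside this hunk.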
@@ -212,6 +226,8 @@
for (i = 0; i < info->mr.rangesize; i++) {
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
@@ -226,6 +242,8 @@
printf("--to-destination ");
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
Modified: trunk/iptables/extensions/libipt_DNAT.man
===================================================================
--- trunk/iptables/extensions/libipt_DNAT.man 2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_DNAT.man 2007-05-29 11:24:45 UTC (rev 6848)
@@ -20,12 +20,17 @@
If no port range is specified, then the destination port will never be
modified. If no IP address is specified then only the destination port
will be modified.
-.RS
-.PP
+
In Kernels up to 2.6.10 you can add several --to-destination options. For
those kernels, if you specify more than one destination address, either via an
address range or multiple --to-destination options, a simple round-robin (one
after another in cycle) load balancing takes place between these addresses.
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
anymore.
-
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
Modified: trunk/iptables/extensions/libipt_MASQUERADE.man
===================================================================
--- trunk/iptables/extensions/libipt_MASQUERADE.man 2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_MASQUERADE.man 2007-05-29 11:24:45 UTC (rev 6848)
@@ -14,19 +14,17 @@
.TP
.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
This specifies a range of source ports to use, overriding the default
-.TP
-.BR "--random"
-Randomize source port mapping
-.TP
.B SNAT
source port-selection heuristics (see above). This is only valid
if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+Randomize source port mapping
If option
.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-
-
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP
Modified: trunk/iptables/extensions/libipt_REDIRECT.c
===================================================================
--- trunk/iptables/extensions/libipt_REDIRECT.c 2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_REDIRECT.c 2007-05-29 11:24:45 UTC (rev 6848)
@@ -8,6 +8,9 @@
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
+#define IPT_REDIRECT_OPT_DEST 0x01
+#define IPT_REDIRECT_OPT_RANDOM 0x02
+
/* Function which prints out usage message. */
static void
help(void)
@@ -21,6 +24,7 @@
static struct option opts[] = {
{ "to-ports", 1, 0, '1' },
+ { "random", 1, 0, '2' },
{ 0 }
};
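Review bot: `{ "random", 1, 0, '2' }` declares --random with has_arg set to 1 (required argument), so the option parser will consume the following command-line token as its value (e.g. a `--to-ports` that comes after it) instead of treating --random as a bare flag, and a trailing `--random` is reported as missing an argument; the `case '2'` handler added in this commit never reads optarg, and the DNAT option table in the same commit uses `{ "random", 0, 0, '2' }`. Change the line to `{ "random", 0, 0, '2' },`.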
@@ -101,8 +105,19 @@
"Unexpected `!' after --to-ports");
parse_ports(optarg, mr);
+ if (*flags & IPT_REDIRECT_OPT_RANDOM)
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_DEST;
return 1;
+ case '2':
+ if (*flags & IPT_REDIRECT_OPT_DEST) {
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
+ } else
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
+ return 1;
+
default:
return 0;
}
@@ -129,6 +144,8 @@
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
@@ -146,6 +163,8 @@
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
Modified: trunk/iptables/extensions/libipt_REDIRECT.man
===================================================================
--- trunk/iptables/extensions/libipt_REDIRECT.man 2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_REDIRECT.man 2007-05-29 11:24:45 UTC (rev 6848)
@@ -17,3 +17,10 @@
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
Modified: trunk/iptables/extensions/libipt_SNAT.c
===================================================================
--- trunk/iptables/extensions/libipt_SNAT.c 2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_SNAT.c 2007-05-29 11:24:45 UTC (rev 6848)
@@ -25,11 +25,10 @@
{
printf(
"SNAT v%s options:\n"
-" --to-source <ipaddr>[-<ipaddr>][:port-port]"
-"[--random]"
-"\n"
+" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
" Address to map source to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
@@ -171,13 +170,13 @@
*target = parse_to(optarg, portok, info);
/* WTF do we need this for?? */
if (*flags & IPT_SNAT_OPT_RANDOM)
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
- *flags = IPT_SNAT_OPT_SOURCE;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_SNAT_OPT_SOURCE;
return 1;
case '2':
if (*flags & IPT_SNAT_OPT_SOURCE) {
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
*flags |= IPT_SNAT_OPT_RANDOM;
} else
*flags |= IPT_SNAT_OPT_RANDOM;
Modified: trunk/iptables/extensions/libipt_SNAT.man
===================================================================
--- trunk/iptables/extensions/libipt_SNAT.man 2007-05-28 12:46:38 UTC (rev 6847)
+++ trunk/iptables/extensions/libipt_SNAT.man 2007-05-29 11:24:45 UTC (rev 6848)
@@ -7,7 +7,7 @@
mangled), and rules should cease being examined. It takes one type
of option:
.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" [ "--random" ]
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
@@ -17,15 +17,18 @@
If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will If option
-.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-.RS
-.PP
+1024 or above. Where possible, no port alteration will
+
In Kernels up to 2.6.10, you can add several --to-source options. For those
kernels, if you specify more than one source address, either via an address
range or multiple --to-source options, a simple round-robin (one after another
in cycle) takes place between these addresses.
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
anymore.
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP