[Patch 0/2] Avoid direct connections between NATed hosts
Jan Engelhardt
jengelh at linux01.gwdg.de
Fri Jan 12 23:53:36 CET 2007
>These patches against kernel and iptables add the capability to randomize
>the source port used when doing SNAT.
You might also want to patch MASQUERADE and SAME.
>+ if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) {
>+ if (!ip_nat_used_tuple(tuple, conntrack))
>+ return;
>+ }
> }
> }
>
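Review bot: the nested test at the top of this fragment collapses into one condition, `if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM) && !ip_nat_used_tuple(tuple, conntrack)) return;`, which removes two brace levels; the fragment also lacks a comment saying why the original tuple is no longer reused when IP_NAT_RANGE_PROTO_RANDOM is set, which is the actual behavioural change here and worth spelling out for the next reader.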
Drop the extra { } - various places.
>@@ -18,6 +18,8 @@ #include <linux/netfilter_ipv4/ip_nat_co
> #include <linux/netfilter_ipv4/ip_nat_rule.h>
> #include <linux/netfilter_ipv4/ip_nat_protocol.h>
>
>+#include <linux/random.h>
>+
> static int
> udp_in_range(const struct ip_conntrack_tuple *tuple,
> enum ip_nat_manip_type maniptype,
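Review bot: the new `#include <linux/random.h>` is placed after the netfilter_ipv4 headers and set off by blank lines; the generic linux/ includes in this file are grouped before the subsystem headers, so the new one belongs in that existing block rather than in a separate island of its own.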
>@@ -74,6 +76,10 @@ udp_unique_tuple(struct ip_conntrack_tup
> range_size = ntohs(range->max.udp.port) - min + 1;
> }
>
>+ /* Start from random port to avoid prediction */
>+ if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) {
>+ get_random_bytes(&port,sizeof(port));
>+ }
> for (i = 0; i < range_size; i++, port++) {
> *portptr = htons(min + port % range_size);
> if (!ip_nat_used_tuple(tuple, conntrack))
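Review bot: the declaration of `port` is not in the hunk, and `get_random_bytes(&port, sizeof(port))` followed by `min + port % range_size` is only safe if `port` is an unsigned type; with a signed type the random fill can be negative, `port % range_size` is then negative, and `*portptr` ends up below `min` and outside the configured range, so either confirm the type or fill an explicitly unsigned temporary. Style-wise, add the space after the comma in `get_random_bytes(&port,sizeof(port));` and drop the braces around the single statement, matching the earlier comment on this series.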
Do we want get_random_bytes(), or would net_random() suffice?
-`J'