From: Eric Leblond
Subject: [Patch 1/2] Avoid direct connections between NATed hosts
Date: Fri, 12 Jan 2007 18:02:37 +0100
Message-ID: <1168621358.28615.17.camel@localhost.localdomain>
References: <1168621167.28615.14.camel@localhost.localdomain>
In-Reply-To: <1168621167.28615.14.camel@localhost.localdomain>
To: netfilter-devel@lists.netfilter.org
List-Id: netfilter-devel.vger.kernel.org

Hi,

Here's the patch against Linux git tree (2.6.20-rc4). It modifies nf_nat and ip_nat.

BR,
--
Éric Leblond, eleblond@inl.fr
Phone: 01 44 89 46 39, Fax: 01 44 89 45 01
INL, http://www.inl.fr

[Attachment: 0002-Add-flags-on-SNAT-rules-to-add-randomness-in-protocol.txt]