From: Eric Leblond <eric@inl.fr>
To: netfilter-devel@lists.netfilter.org
Subject: [Patch 2/2] iptables: add random option to SNAT
Date: Fri, 12 Jan 2007 18:04:46 +0100
Message-ID: <1168621486.28615.21.camel@localhost.localdomain>
In-Reply-To: <1168621167.28615.14.camel@localhost.localdomain>
Hi,
Here's the patch against iptables.
BR,
--
Éric Leblond, eleblond@inl.fr
Telephone: 01 44 89 46 39, Fax: 01 44 89 45 01
INL, http://www.inl.fr
[-- Attachment #1.2: iptables-random-nat.diff --]
[-- Type: text/x-patch, Size: 3626 bytes --]
Index: extensions/libipt_SNAT.c
===================================================================
--- extensions/libipt_SNAT.c (révision 6735)
+++ extensions/libipt_SNAT.c (copie de travail)
@@ -22,9 +22,11 @@
{
printf(
"SNAT v%s options:\n"
-" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
+" --to-source <ipaddr>[-<ipaddr>][:port-port][:random]\n"
" Address to map source to.\n"
-" (You can use this more than once)\n\n",
+" (You can use this more than once)\n"
+" random adds randomness in port selection\n"
+" to avoid attack by port prediction\n",
IPTABLES_VERSION);
}
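Review bot: the help text on the `--to-source` line advertises the suffix as the literal keyword `:random`, but the parser in parse_to() (next hunks) only tests the first character after the colon, so the documentation promises a stricter syntax than the code enforces; either compare the full token in the parser or word the help text to match. Also, the removed line ended with "\n\n" while the replacement ends with a single "\n", so the blank line that separated this block from whatever follows is lost; restore the double newline on `" to avoid attack by port prediction\n"`.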
@@ -57,7 +59,7 @@
parse_to(char *arg, int portok, struct ipt_natinfo *info)
{
struct ip_nat_range range;
- char *colon, *dash, *error;
+ char *colon, *dash, *random;
struct in_addr *ip;
memset(&range, 0, sizeof(range));
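Review bot: the local renamed from `error` to `random` shadows the C library function random(3) from <stdlib.h>, which this file already needs for atoi(); it compiles, but it trips -Wshadow and is confusing to read. A name such as `rnd` or `random_opt` avoids the clash.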
@@ -66,44 +68,55 @@
if (colon) {
int port;
- if (!portok)
- exit_error(PARAMETER_PROBLEM,
- "Need TCP or UDP with port specification");
+ if (*(colon+1) == 'r') {
+ /* syntax is IP1-IP2:R we just set random */
+ range.flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ } else {
+ if (!portok)
+ exit_error(PARAMETER_PROBLEM,
+ "Need TCP or UDP with port specification");
- range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
- port = atoi(colon+1);
- if (port <= 0 || port > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", colon+1);
+ port = atoi(colon+1);
+ if (port <= 0 || port > 65535)
+ exit_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", colon+1);
- error = strchr(colon+1, ':');
- if (error)
- exit_error(PARAMETER_PROBLEM,
- "Invalid port:port syntax - use dash\n");
+ random = strchr(colon+1, ':');
+ if (random) {
+ if (*(random+1) != 'r'){
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid port:port syntax - use dash\n");
+ } else {
+ range.flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *random = '\0';
+ }
+ }
- dash = strchr(colon, '-');
- if (!dash) {
- range.min.tcp.port
- = range.max.tcp.port
- = htons(port);
- } else {
- int maxport;
+ dash = strchr(colon, '-');
+ if (!dash) {
+ range.min.tcp.port
+ = range.max.tcp.port
+ = htons(port);
+ } else {
+ int maxport;
- maxport = atoi(dash + 1);
- if (maxport <= 0 || maxport > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", dash+1);
- if (maxport < port)
- /* People are stupid. */
- exit_error(PARAMETER_PROBLEM,
- "Port range `%s' funky\n", colon+1);
- range.min.tcp.port = htons(port);
- range.max.tcp.port = htons(maxport);
+ maxport = atoi(dash + 1);
+ if (maxport <= 0 || maxport > 65535)
+ exit_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", dash+1);
+ if (maxport < port)
+ /* People are stupid. */
+ exit_error(PARAMETER_PROBLEM,
+ "Port range `%s' funky\n", colon+1);
+ range.min.tcp.port = htons(port);
+ range.max.tcp.port = htons(maxport);
+ }
+ /* Starts with a colon? No IP info...*/
+ if (colon == arg)
+ return &(append_range(info, &range)->t);
}
- /* Starts with a colon? No IP info...*/
- if (colon == arg)
- return &(append_range(info, &range)->t);
*colon = '\0';
}
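Review bot: both keyword checks look at a single character (`if (*(colon+1) == 'r')` and `if (*(random+1) != 'r')`), so `--to-source 10.0.0.1:rubbish` or `...:80-90:r` is silently accepted as `:random`; compare the whole token, e.g. `if (strcmp(colon + 1, "random") == 0)` and `if (strcmp(random + 1, "random") != 0)`, and fix the comment `syntax is IP1-IP2:R` to name the keyword the help text documents. Two behaviour changes in this hunk also deserve a sentence in the changelog: the `:random` branch bypasses the `if (!portok)` check, so the suffix is now accepted on rules without `-p tcp`/`-p udp`, and the `if (colon == arg)` early return has moved inside the else branch, so a bare `:random` with no address now falls through to `*colon = '\0'` and is parsed as an empty address rather than being rejected up front.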
@@ -197,6 +210,9 @@
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
}
+ if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) {
+ printf(":random");
+ }
}
/* Prints out the targinfo. */
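Review bot: style only: the surrounding code omits braces around single-statement bodies (see `if (r->max.tcp.port != r->min.tcp.port)` a few lines up), so `if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) printf(":random");` would match it. Emitting `:random` after the port range means that saved output of the form `addr:min-max:random` re-enters parse_to() through the second-colon path and a port-less `addr:random` through the first-character path, so the save/restore round trip holds for both forms as long as the parser keeps accepting them.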
2007-01-12 16:59 [Patch 0/2] Avoid direct connections between NATed hosts Eric Leblond
2007-01-12 17:02 ` [Patch 1/2] " Eric Leblond
2007-01-12 17:04 ` Eric Leblond [this message]
2007-01-12 17:11 ` [Patch 0/2] " Rémi Denis-Courmont
2007-01-12 17:20 ` Patrick McHardy
2007-01-12 17:39 ` Rémi Denis-Courmont
2007-01-17 12:13 ` Patrick McHardy
2007-01-12 22:53 ` Jan Engelhardt
2007-01-13 12:06 ` Resend [Patch 2/2] iptables: add random option to SNAT Eric Leblond
2007-01-13 21:00 ` Resend [Patch 1/2] Avoid direct connections between NATed hosts Eric Leblond
2007-01-17 12:23 ` Patrick McHardy
2007-01-17 15:18 ` Eric Leblond
2007-01-19 15:36 ` Patrick McHardy
2007-01-26 14:00 ` Patrick McHardy