Index: extensions/libipt_SNAT.c
===================================================================
--- extensions/libipt_SNAT.c (révision 6735)
+++ extensions/libipt_SNAT.c (copie de travail)
@@ -22,9 +22,11 @@
 {
 printf(
 "SNAT v%s options:\n"
-" --to-source [-][:port-port]\n"
+" --to-source [-][:port-port][:random]\n"
 " Address to map source to.\n"
-" (You can use this more than once)\n\n",
+" (You can use this more than once)\n"
+" random adds randomness in port selection\n"
+" to avoid attack by port prediction\n",
 IPTABLES_VERSION);
 }
@@ -57,7 +59,7 @@
 parse_to(char *arg, int portok, struct ipt_natinfo *info)
 {
 struct ip_nat_range range;
- char *colon, *dash, *error;
+ char *colon, *dash, *random;
 struct in_addr *ip;
 memset(&range, 0, sizeof(range));
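Review bot: The usage text documents `:random` only as a trailing suffix after `:port-port`, while the parser in the +68 hunk also accepts it directly after the address (`*(colon+1) == 'r'`, commented as `IP1-IP2:R`). A third usage line such as `" random may also follow the address without a port range\n"` would keep the help in step with what parse_to accepts.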
@@ -66,44 +68,55 @@
 if (colon) {
 int port;
- if (!portok)
- exit_error(PARAMETER_PROBLEM,
- "Need TCP or UDP with port specification");
+ if (*(colon+1) == 'r') {
+ /* syntax is IP1-IP2:R we just set random */
+ range.flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ } else {
+ if (!portok)
+ exit_error(PARAMETER_PROBLEM,
+ "Need TCP or UDP with port specification");
- range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
+ range.flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
- port = atoi(colon+1);
- if (port <= 0 || port > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", colon+1);
+ port = atoi(colon+1);
+ if (port <= 0 || port > 65535)
+ exit_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", colon+1);
- error = strchr(colon+1, ':');
- if (error)
- exit_error(PARAMETER_PROBLEM,
- "Invalid port:port syntax - use dash\n");
+ random = strchr(colon+1, ':');
+ if (random) {
+ if (*(random+1) != 'r'){
+ exit_error(PARAMETER_PROBLEM,
+ "Invalid port:port syntax - use dash\n");
+ } else {
+ range.flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *random = '\0';
+ }
+ }
- dash = strchr(colon, '-');
- if (!dash) {
- range.min.tcp.port
- = range.max.tcp.port
- = htons(port);
- } else {
- int maxport;
+ dash = strchr(colon, '-');
+ if (!dash) {
+ range.min.tcp.port
+ = range.max.tcp.port
+ = htons(port);
+ } else {
+ int maxport;
- maxport = atoi(dash + 1);
- if (maxport <= 0 || maxport > 65535)
- exit_error(PARAMETER_PROBLEM,
- "Port `%s' not valid\n", dash+1);
- if (maxport < port)
- /* People are stupid. */
- exit_error(PARAMETER_PROBLEM,
- "Port range `%s' funky\n", colon+1);
- range.min.tcp.port = htons(port);
- range.max.tcp.port = htons(maxport);
+ maxport = atoi(dash + 1);
+ if (maxport <= 0 || maxport > 65535)
+ exit_error(PARAMETER_PROBLEM,
+ "Port `%s' not valid\n", dash+1);
+ if (maxport < port)
+ /* People are stupid. 
*/
+ exit_error(PARAMETER_PROBLEM,
+ "Port range `%s' funky\n", colon+1);
+ range.min.tcp.port = htons(port);
+ range.max.tcp.port = htons(maxport);
+ }
+ /* Starts with a colon? No IP info...*/
+ if (colon == arg)
+ return &(append_range(info, &range)->t);
 }
- /* Starts with a colon? No IP info...*/
- if (colon == arg)
- return &(append_range(info, &range)->t);
 *colon = '\0';
 }
@@ -197,6 +210,9 @@
 if (r->max.tcp.port != r->min.tcp.port)
 printf("-%hu", ntohs(r->max.tcp.port));
 }
+ if (r->flags & IP_NAT_RANGE_PROTO_RANDOM) {
+ printf(":random");
+ }
 }
 /* Prints out the targinfo. */
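Review bot: The random keyword is recognised by a single character in the +68 hunk: `if (*(colon+1) == 'r')` and `if (*(random+1) != 'r')` accept any token starting with r (`:r`, `:rnd`, `:reject`) as `:random`, so a typo silently enables port randomisation instead of being rejected. Matching the whole word, `if (strcmp(colon+1, "random") == 0)` and `if (strcmp(random+1, "random") != 0)`, keeps the parse strict and makes `*random = '\0'` cut off exactly the suffix that the print hunk at +210 emits. The `colon == arg` early return now sits inside the else branch, so `--to-source :random` with no address falls through to `*colon = '\0'` and goes on to parse an empty address where `:port` returns after append_range, and the random branch also bypasses the `portok` check — confirm both are intended. The local named `random` (declared in the -57 hunk) shadows libc random() from stdlib.h; a name such as `rnd` avoids -Wshadow noise. parse_to starts in the previous hunk and continues past this one.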