Commit | Line | Data |
---|---|---|
937e0dfd PM |
1 | /* (C) 1999-2001 Paul `Rusty' Russell |
2 | * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> | |
3 | * (C) 2008 Patrick McHardy <kaber@trash.net> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | */ | |
9 | ||
10 | #include <linux/types.h> | |
11 | #include <linux/random.h> | |
12 | #include <linux/ip.h> | |
13 | ||
14 | #include <linux/netfilter.h> | |
6e5714ea | 15 | #include <net/secure_seq.h> |
937e0dfd PM |
16 | #include <net/netfilter/nf_nat.h> |
17 | #include <net/netfilter/nf_nat_core.h> | |
18 | #include <net/netfilter/nf_nat_rule.h> | |
19 | #include <net/netfilter/nf_nat_protocol.h> | |
20 | ||
f2ea825f JE |
21 | bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple, |
22 | enum nf_nat_manip_type maniptype, | |
23 | const union nf_conntrack_man_proto *min, | |
24 | const union nf_conntrack_man_proto *max) | |
937e0dfd PM |
25 | { |
26 | __be16 port; | |
27 | ||
28 | if (maniptype == IP_NAT_MANIP_SRC) | |
29 | port = tuple->src.u.all; | |
30 | else | |
31 | port = tuple->dst.u.all; | |
32 | ||
33 | return ntohs(port) >= ntohs(min->all) && | |
34 | ntohs(port) <= ntohs(max->all); | |
35 | } | |
36 | EXPORT_SYMBOL_GPL(nf_nat_proto_in_range); | |
37 | ||
f43dc98b | 38 | void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, |
f2ea825f JE |
39 | const struct nf_nat_range *range, |
40 | enum nf_nat_manip_type maniptype, | |
41 | const struct nf_conn *ct, | |
42 | u_int16_t *rover) | |
937e0dfd PM |
43 | { |
44 | unsigned int range_size, min, i; | |
45 | __be16 *portptr; | |
5abd363f | 46 | u_int16_t off; |
937e0dfd PM |
47 | |
48 | if (maniptype == IP_NAT_MANIP_SRC) | |
49 | portptr = &tuple->src.u.all; | |
50 | else | |
51 | portptr = &tuple->dst.u.all; | |
52 | ||
53 | /* If no range specified... */ | |
54 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { | |
55 | /* If it's dst rewrite, can't change port */ | |
56 | if (maniptype == IP_NAT_MANIP_DST) | |
f43dc98b | 57 | return; |
937e0dfd PM |
58 | |
59 | if (ntohs(*portptr) < 1024) { | |
60 | /* Loose convention: >> 512 is credential passing */ | |
61 | if (ntohs(*portptr) < 512) { | |
62 | min = 1; | |
63 | range_size = 511 - min + 1; | |
64 | } else { | |
65 | min = 600; | |
66 | range_size = 1023 - min + 1; | |
67 | } | |
68 | } else { | |
69 | min = 1024; | |
70 | range_size = 65535 - 1024 + 1; | |
71 | } | |
72 | } else { | |
73 | min = ntohs(range->min.all); | |
74 | range_size = ntohs(range->max.all) - min + 1; | |
75 | } | |
76 | ||
77 | if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) | |
9f593653 SH |
78 | off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip, |
79 | maniptype == IP_NAT_MANIP_SRC | |
80 | ? tuple->dst.u.all | |
81 | : tuple->src.u.all); | |
82 | else | |
83 | off = *rover; | |
937e0dfd | 84 | |
2452a99d | 85 | for (i = 0; ; ++off) { |
5abd363f | 86 | *portptr = htons(min + off % range_size); |
2452a99d | 87 | if (++i != range_size && nf_nat_used_tuple(tuple, ct)) |
5abd363f PM |
88 | continue; |
89 | if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) | |
90 | *rover = off; | |
f43dc98b | 91 | return; |
937e0dfd | 92 | } |
f43dc98b | 93 | return; |
937e0dfd PM |
94 | } |
95 | EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple); | |
535b57c7 PM |
96 | |
97 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | |
98 | int nf_nat_proto_range_to_nlattr(struct sk_buff *skb, | |
99 | const struct nf_nat_range *range) | |
100 | { | |
101 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MIN, range->min.all); | |
102 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MAX, range->max.all); | |
103 | return 0; | |
104 | ||
105 | nla_put_failure: | |
106 | return -1; | |
107 | } | |
108 | EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range); | |
109 | ||
110 | int nf_nat_proto_nlattr_to_range(struct nlattr *tb[], | |
111 | struct nf_nat_range *range) | |
112 | { | |
535b57c7 | 113 | if (tb[CTA_PROTONAT_PORT_MIN]) { |
535b57c7 | 114 | range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]); |
ca6a5074 PM |
115 | range->max.all = range->min.tcp.port; |
116 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | |
535b57c7 | 117 | } |
ca6a5074 | 118 | if (tb[CTA_PROTONAT_PORT_MAX]) { |
535b57c7 | 119 | range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]); |
ca6a5074 | 120 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; |
535b57c7 | 121 | } |
ca6a5074 | 122 | return 0; |
535b57c7 PM |
123 | } |
124 | EXPORT_SYMBOL_GPL(nf_nat_proto_range_to_nlattr); | |
125 | #endif |