[deliverable/linux.git] / net / ipv4 / netfilter / nf_nat_proto_common.c

/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
 * (C) 2008 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/types.h>
#include <linux/random.h>
#include <linux/ip.h>

#include <linux/netfilter.h>
#include <linux/export.h>
#include <net/secure_seq.h>
#include <net/netfilter/nf_nat.h>
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_rule.h>
#include <net/netfilter/nf_nat_protocol.h>

bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple,
			   enum nf_nat_manip_type maniptype,
			   const union nf_conntrack_man_proto *min,
			   const union nf_conntrack_man_proto *max)
{
	__be16 port;

	if (maniptype == NF_NAT_MANIP_SRC)
		port = tuple->src.u.all;
	else
		port = tuple->dst.u.all;

	return ntohs(port) >= ntohs(min->all) &&
	       ntohs(port) <= ntohs(max->all);
}
EXPORT_SYMBOL_GPL(nf_nat_proto_in_range);

void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
			       const struct nf_nat_ipv4_range *range,
			       enum nf_nat_manip_type maniptype,
			       const struct nf_conn *ct,
			       u_int16_t *rover)
{
	unsigned int range_size, min, i;
	__be16 *portptr;
	u_int16_t off;

	if (maniptype == NF_NAT_MANIP_SRC)
		portptr = &tuple->src.u.all;
	else
		portptr = &tuple->dst.u.all;

	/* If no range specified... */
	if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
		/* If it's dst rewrite, can't change port */
		if (maniptype == NF_NAT_MANIP_DST)
			return;

		if (ntohs(*portptr) < 1024) {
			/* Loose convention: >> 512 is credential passing */
			if (ntohs(*portptr) < 512) {
				min = 1;
				range_size = 511 - min + 1;
			} else {
				min = 600;
				range_size = 1023 - min + 1;
			}
		} else {
			min = 1024;
			range_size = 65535 - 1024 + 1;
		}
	} else {
		min = ntohs(range->min.all);
		range_size = ntohs(range->max.all) - min + 1;
	}

	if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
		off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip,
						 maniptype == NF_NAT_MANIP_SRC
						 ? tuple->dst.u.all
						 : tuple->src.u.all);
	else
		off = *rover;

	for (i = 0; ; ++off) {
		*portptr = htons(min + off % range_size);
		if (++i != range_size && nf_nat_used_tuple(tuple, ct))
			continue;
		if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM))
			*rover = off;
		return;
	}
	return;
}
EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple);

#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
int nf_nat_proto_nlattr_to_range(struct nlattr *tb[],
				 struct nf_nat_ipv4_range *range)
{
	if (tb[CTA_PROTONAT_PORT_MIN]) {
		range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]);
		range->max.all = range->min.tcp.port;
		range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
	}
	if (tb[CTA_PROTONAT_PORT_MAX]) {
		range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]);
		range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED;
	}
	return 0;
}
EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range);
#endif
Commit	Line	Data
937e0dfd PM	1	/* (C) 1999-2001 Paul `Rusty' Russell
	2	* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
	3	* (C) 2008 Patrick McHardy <kaber@trash.net>
	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*/
	9
	10	#include <linux/types.h>
	11	#include <linux/random.h>
	12	#include <linux/ip.h>
	13
	14	#include <linux/netfilter.h>
bc3b2d7f	15	#include <linux/export.h>
6e5714ea	16	#include <net/secure_seq.h>
937e0dfd PM	17	#include <net/netfilter/nf_nat.h>
	18	#include <net/netfilter/nf_nat_core.h>
	19	#include <net/netfilter/nf_nat_rule.h>
	20	#include <net/netfilter/nf_nat_protocol.h>
	21
f2ea825f JE	22	bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple,
	23	enum nf_nat_manip_type maniptype,
	24	const union nf_conntrack_man_proto *min,
	25	const union nf_conntrack_man_proto *max)
937e0dfd PM	26	{
	27	__be16 port;
	28
cbc9f2f4	29	if (maniptype == NF_NAT_MANIP_SRC)
937e0dfd PM	30	port = tuple->src.u.all;
	31	else
	32	port = tuple->dst.u.all;
	33
	34	return ntohs(port) >= ntohs(min->all) &&
	35	ntohs(port) <= ntohs(max->all);
	36	}
	37	EXPORT_SYMBOL_GPL(nf_nat_proto_in_range);
	38
f43dc98b	39	void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple,
cbc9f2f4	40	const struct nf_nat_ipv4_range *range,
f2ea825f JE	41	enum nf_nat_manip_type maniptype,
	42	const struct nf_conn *ct,
	43	u_int16_t *rover)
937e0dfd PM	44	{
	45	unsigned int range_size, min, i;
	46	__be16 *portptr;
5abd363f	47	u_int16_t off;
937e0dfd	48
cbc9f2f4	49	if (maniptype == NF_NAT_MANIP_SRC)
937e0dfd PM	50	portptr = &tuple->src.u.all;
	51	else
	52	portptr = &tuple->dst.u.all;
	53
	54	/* If no range specified... */
cbc9f2f4	55	if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) {
937e0dfd	56	/* If it's dst rewrite, can't change port */
cbc9f2f4	57	if (maniptype == NF_NAT_MANIP_DST)
f43dc98b	58	return;
937e0dfd PM	59
	60	if (ntohs(*portptr) < 1024) {
	61	/* Loose convention: >> 512 is credential passing */
	62	if (ntohs(*portptr) < 512) {
	63	min = 1;
	64	range_size = 511 - min + 1;
	65	} else {
	66	min = 600;
	67	range_size = 1023 - min + 1;
	68	}
	69	} else {
	70	min = 1024;
	71	range_size = 65535 - 1024 + 1;
	72	}
	73	} else {
	74	min = ntohs(range->min.all);
	75	range_size = ntohs(range->max.all) - min + 1;
	76	}
	77
cbc9f2f4	78	if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
9f593653	79	off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip,
cbc9f2f4	80	maniptype == NF_NAT_MANIP_SRC
9f593653 SH	81	? tuple->dst.u.all
	82	: tuple->src.u.all);
	83	else
	84	off = *rover;
937e0dfd	85
2452a99d	86	for (i = 0; ; ++off) {
5abd363f	87	*portptr = htons(min + off % range_size);
2452a99d	88	if (++i != range_size && nf_nat_used_tuple(tuple, ct))
5abd363f	89	continue;
cbc9f2f4	90	if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM))
5abd363f	91	*rover = off;
f43dc98b	92	return;
937e0dfd	93	}
f43dc98b	94	return;
937e0dfd PM	95	}
937e0dfd PM	96	EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple);
535b57c7 PM	97
535b57c7 PM	98	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)
535b57c7	99	int nf_nat_proto_nlattr_to_range(struct nlattr *tb[],
cbc9f2f4	100	struct nf_nat_ipv4_range *range)
535b57c7	101	{
535b57c7	102	if (tb[CTA_PROTONAT_PORT_MIN]) {
535b57c7	103	range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]);
ca6a5074	104	range->max.all = range->min.tcp.port;
cbc9f2f4	105	range->flags \|= NF_NAT_RANGE_PROTO_SPECIFIED;
535b57c7	106	}
ca6a5074	107	if (tb[CTA_PROTONAT_PORT_MAX]) {
535b57c7	108	range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]);
cbc9f2f4	109	range->flags \|= NF_NAT_RANGE_PROTO_SPECIFIED;
535b57c7	110	}
ca6a5074	111	return 0;
535b57c7	112	}
b9e61f0d	113	EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range);
535b57c7	114	#endif