Commit | Line | Data |
---|---|---|
937e0dfd PM |
1 | /* (C) 1999-2001 Paul `Rusty' Russell |
2 | * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> | |
3 | * (C) 2008 Patrick McHardy <kaber@trash.net> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | */ | |
9 | ||
10 | #include <linux/types.h> | |
11 | #include <linux/random.h> | |
12 | #include <linux/ip.h> | |
13 | ||
14 | #include <linux/netfilter.h> | |
bc3b2d7f | 15 | #include <linux/export.h> |
6e5714ea | 16 | #include <net/secure_seq.h> |
937e0dfd PM |
17 | #include <net/netfilter/nf_nat.h> |
18 | #include <net/netfilter/nf_nat_core.h> | |
19 | #include <net/netfilter/nf_nat_rule.h> | |
20 | #include <net/netfilter/nf_nat_protocol.h> | |
21 | ||
f2ea825f JE |
22 | bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple, |
23 | enum nf_nat_manip_type maniptype, | |
24 | const union nf_conntrack_man_proto *min, | |
25 | const union nf_conntrack_man_proto *max) | |
937e0dfd PM |
26 | { |
27 | __be16 port; | |
28 | ||
29 | if (maniptype == IP_NAT_MANIP_SRC) | |
30 | port = tuple->src.u.all; | |
31 | else | |
32 | port = tuple->dst.u.all; | |
33 | ||
34 | return ntohs(port) >= ntohs(min->all) && | |
35 | ntohs(port) <= ntohs(max->all); | |
36 | } | |
37 | EXPORT_SYMBOL_GPL(nf_nat_proto_in_range); | |
38 | ||
f43dc98b | 39 | void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, |
f2ea825f JE |
40 | const struct nf_nat_range *range, |
41 | enum nf_nat_manip_type maniptype, | |
42 | const struct nf_conn *ct, | |
43 | u_int16_t *rover) | |
937e0dfd PM |
44 | { |
45 | unsigned int range_size, min, i; | |
46 | __be16 *portptr; | |
5abd363f | 47 | u_int16_t off; |
937e0dfd PM |
48 | |
49 | if (maniptype == IP_NAT_MANIP_SRC) | |
50 | portptr = &tuple->src.u.all; | |
51 | else | |
52 | portptr = &tuple->dst.u.all; | |
53 | ||
54 | /* If no range specified... */ | |
55 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { | |
56 | /* If it's dst rewrite, can't change port */ | |
57 | if (maniptype == IP_NAT_MANIP_DST) | |
f43dc98b | 58 | return; |
937e0dfd PM |
59 | |
60 | if (ntohs(*portptr) < 1024) { | |
61 | /* Loose convention: >> 512 is credential passing */ | |
62 | if (ntohs(*portptr) < 512) { | |
63 | min = 1; | |
64 | range_size = 511 - min + 1; | |
65 | } else { | |
66 | min = 600; | |
67 | range_size = 1023 - min + 1; | |
68 | } | |
69 | } else { | |
70 | min = 1024; | |
71 | range_size = 65535 - 1024 + 1; | |
72 | } | |
73 | } else { | |
74 | min = ntohs(range->min.all); | |
75 | range_size = ntohs(range->max.all) - min + 1; | |
76 | } | |
77 | ||
78 | if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) | |
9f593653 SH |
79 | off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip, |
80 | maniptype == IP_NAT_MANIP_SRC | |
81 | ? tuple->dst.u.all | |
82 | : tuple->src.u.all); | |
83 | else | |
84 | off = *rover; | |
937e0dfd | 85 | |
2452a99d | 86 | for (i = 0; ; ++off) { |
5abd363f | 87 | *portptr = htons(min + off % range_size); |
2452a99d | 88 | if (++i != range_size && nf_nat_used_tuple(tuple, ct)) |
5abd363f PM |
89 | continue; |
90 | if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) | |
91 | *rover = off; | |
f43dc98b | 92 | return; |
937e0dfd | 93 | } |
f43dc98b | 94 | return; |
937e0dfd PM |
95 | } |
96 | EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple); | |
535b57c7 PM |
97 | |
98 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | |
99 | int nf_nat_proto_range_to_nlattr(struct sk_buff *skb, | |
100 | const struct nf_nat_range *range) | |
101 | { | |
102 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MIN, range->min.all); | |
103 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MAX, range->max.all); | |
104 | return 0; | |
105 | ||
106 | nla_put_failure: | |
107 | return -1; | |
108 | } | |
109 | EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range); | |
110 | ||
111 | int nf_nat_proto_nlattr_to_range(struct nlattr *tb[], | |
112 | struct nf_nat_range *range) | |
113 | { | |
535b57c7 | 114 | if (tb[CTA_PROTONAT_PORT_MIN]) { |
535b57c7 | 115 | range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]); |
ca6a5074 PM |
116 | range->max.all = range->min.tcp.port; |
117 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | |
535b57c7 | 118 | } |
ca6a5074 | 119 | if (tb[CTA_PROTONAT_PORT_MAX]) { |
535b57c7 | 120 | range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]); |
ca6a5074 | 121 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; |
535b57c7 | 122 | } |
ca6a5074 | 123 | return 0; |
535b57c7 PM |
124 | } |
125 | EXPORT_SYMBOL_GPL(nf_nat_proto_range_to_nlattr); | |
126 | #endif |