iptables: masquerade: add randomize-full support

Signed-off-by: Max Laverse <max@laverse.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/extensions/libip6t_MASQUERADE.c b/extensions/libip6t_MASQUERADE.c
index 3b59e43ece796b8a5a9205dff43601aeddbc2dc6..f92760fa08c0c9352a16f71bac67fe07f0d0eefe 100644 (file)
--- a/extensions/libip6t_MASQUERADE.c
+++ b/extensions/libip6t_MASQUERADE.c
@@ -18,6 +18,7 @@
 enum {
        O_TO_PORTS = 0,
        O_RANDOM,
+       O_RANDOM_FULLY,
 };
 
 static void MASQUERADE_help(void)
@@ -27,12 +28,15 @@ static void MASQUERADE_help(void)
 " --to-ports <port>[-<port>]\n"
 "                              Port (range) to map to.\n"
 " --random\n"
-"                              Randomize source port.\n");
+"                              Randomize source port.\n"
+" --random-fully\n"
+"                              Fully randomize source port.\n");
 }
 
 static const struct xt_option_entry MASQUERADE_opts[] = {
        {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
        {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+       {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
        XTOPT_TABLEEND,
 };
 
@@ -96,6 +100,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
        case O_RANDOM:
                r->flags |=  NF_NAT_RANGE_PROTO_RANDOM;
                break;
+       case O_RANDOM_FULLY:
+               r->flags |=  NF_NAT_RANGE_PROTO_RANDOM_FULLY;
+               break;
        }
 }
 
@@ -114,6 +121,9 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
 
        if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
                printf(" random");
+
+       if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+               printf(" random-fully");
 }
 
 static void
@@ -129,6 +139,9 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
 
        if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
                printf(" --random");
+
+       if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+               printf(" --random-fully");
 }
 
 static int MASQUERADE_xlate(struct xt_xlate *xl,
@@ -148,6 +161,10 @@ static int MASQUERADE_xlate(struct xt_xlate *xl,
        if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
                xt_xlate_add(xl, "random ");
 
+       xt_xlate_add(xl, " ");
+       if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+               xt_xlate_add(xl, "random-fully ");
+
        return 1;
 }
 

diff --git a/extensions/libip6t_MASQUERADE.t b/extensions/libip6t_MASQUERADE.t
index 4650204041bf6ee755bfaa796885eba2b154fc82..e25d2a04ab7b06b25eab3d34e7e73854c42ab4de 100644 (file)
--- a/extensions/libip6t_MASQUERADE.t
+++ b/extensions/libip6t_MASQUERADE.t
@@ -2,6 +2,7 @@
 *nat
 -j MASQUERADE;=;OK
 -j MASQUERADE --random;=;OK
+-j MASQUERADE --random-fully;=;OK
 -p tcp -j MASQUERADE --to-ports 1024;=;OK
 -p udp -j MASQUERADE --to-ports 1024-65535;=;OK
 -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL

diff --git a/extensions/libipt_MASQUERADE.c b/extensions/libipt_MASQUERADE.c
index b7b5fc746f9e16c93ffb251424bf34c779dd5b34..90bf60659c4f4aa419c621f031f65ed9a38b5361 100644 (file)
--- a/extensions/libipt_MASQUERADE.c
+++ b/extensions/libipt_MASQUERADE.c
@@ -11,6 +11,7 @@
 enum {
        O_TO_PORTS = 0,
        O_RANDOM,
+       O_RANDOM_FULLY,
 };
 
 static void MASQUERADE_help(void)
@@ -20,12 +21,15 @@ static void MASQUERADE_help(void)
 " --to-ports <port>[-<port>]\n"
 "                              Port (range) to map to.\n"
 " --random\n"
-"                              Randomize source port.\n");
+"                              Randomize source port.\n"
+" --random-fully\n"
+"                              Fully randomize source port.\n");
 }
 
 static const struct xt_option_entry MASQUERADE_opts[] = {
        {.name = "to-ports", .id = O_TO_PORTS, .type = XTTYPE_STRING},
        {.name = "random", .id = O_RANDOM, .type = XTTYPE_NONE},
+       {.name = "random-fully", .id = O_RANDOM_FULLY, .type = XTTYPE_NONE},
        XTOPT_TABLEEND,
 };
 
@@ -97,6 +101,9 @@ static void MASQUERADE_parse(struct xt_option_call *cb)
        case O_RANDOM:
                mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM;
                break;
+       case O_RANDOM_FULLY:
+               mr->range[0].flags |=  NF_NAT_RANGE_PROTO_RANDOM_FULLY;
+               break;
        }
 }
 
@@ -116,6 +123,9 @@ MASQUERADE_print(const void *ip, const struct xt_entry_target *target,
 
        if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
                printf(" random");
+
+       if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+               printf(" random-fully");
 }
 
 static void
@@ -132,6 +142,9 @@ MASQUERADE_save(const void *ip, const struct xt_entry_target *target)
 
        if (r->flags & NF_NAT_RANGE_PROTO_RANDOM)
                printf(" --random");
+
+       if (r->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY)
+               printf(" --random-fully");
 }
 
 static int MASQUERADE_xlate(struct xt_xlate *xl,

diff --git a/extensions/libipt_MASQUERADE.t b/extensions/libipt_MASQUERADE.t
index 4650204041bf6ee755bfaa796885eba2b154fc82..e25d2a04ab7b06b25eab3d34e7e73854c42ab4de 100644 (file)
--- a/extensions/libipt_MASQUERADE.t
+++ b/extensions/libipt_MASQUERADE.t
@@ -2,6 +2,7 @@
 *nat
 -j MASQUERADE;=;OK
 -j MASQUERADE --random;=;OK
+-j MASQUERADE --random-fully;=;OK
 -p tcp -j MASQUERADE --to-ports 1024;=;OK
 -p udp -j MASQUERADE --to-ports 1024-65535;=;OK
 -p udp -j MASQUERADE --to-ports 1024-65536;;FAIL

diff --git a/extensions/libxt_MASQUERADE.man b/extensions/libxt_MASQUERADE.man
index c9e3950104d8ee6e3a31db50e3d674b8e23f628b..cc1e769043bcb9117c428891efac86de1bfd1e55 100644 (file)
--- a/extensions/libxt_MASQUERADE.man
+++ b/extensions/libxt_MASQUERADE.man
@@ -25,4 +25,10 @@ If option
 \fB\-\-random\fP
 is used then port mapping will be randomized (kernel >= 2.6.21).
 .TP
+\fB\-\-random-fully\fP
+Full randomize source port mapping
+If option
+\fB\-\-random-fully\fP
+is used then port mapping will be fully randomized (kernel >= 3.13).
+.TP
 IPv6 support available since Linux kernels >= 3.7.