#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
+#define IPT_DNAT_OPT_DEST 0x1
+#define IPT_DNAT_OPT_RANDOM 0x2
+
/* Dest NAT data consists of a multi-range, indicating where to map
to. */
struct ipt_natinfo
"DNAT v%s options:\n"
" --to-destination <ipaddr>[-<ipaddr>][:port-port]\n"
" Address to map destination to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
static struct option opts[] = {
{ "to-destination", 1, 0, '1' },
+ { "random", 0, 0, '2' },
{ 0 }
};
"Multiple --to-destination not supported");
}
*target = parse_to(optarg, portok, info);
- *flags = 1;
+ /* WTF do we need this for?? */
+ if (*flags & IPT_DNAT_OPT_RANDOM)
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_DEST;
return 1;
+ case '2':
+ if (*flags & IPT_DNAT_OPT_DEST) {
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_RANDOM;
+ } else
+ *flags |= IPT_DNAT_OPT_RANDOM;
default:
return 0;
}
for (i = 0; i < info->mr.rangesize; i++) {
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
printf("--to-destination ");
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
If no port range is specified, then the destination port will never be
modified. If no IP address is specified then only the destination port
will be modified.
-.RS
-.PP
+
In Kernels up to 2.6.10 you can add several --to-destination options. For
those kernels, if you specify more than one destination address, either via an
address range or multiple --to-destination options, a simple round-robin (one
after another in cycle) load balancing takes place between these addresses.
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
anymore.
-
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
.TP
.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
This specifies a range of source ports to use, overriding the default
-.TP
-.BR "--random"
-Randomize source port mapping
-.TP
.B SNAT
source port-selection heuristics (see above). This is only valid
if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+Randomize source port mapping
If option
.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-
-
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
+#define IPT_REDIRECT_OPT_DEST 0x01
+#define IPT_REDIRECT_OPT_RANDOM 0x02
+
/* Function which prints out usage message. */
static void
help(void)
static struct option opts[] = {
{ "to-ports", 1, 0, '1' },
+ { "random", 1, 0, '2' },
{ 0 }
};
"Unexpected `!' after --to-ports");
parse_ports(optarg, mr);
+ if (*flags & IPT_REDIRECT_OPT_RANDOM)
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_DEST;
+ return 1;
+
+ case '2':
+ if (*flags & IPT_REDIRECT_OPT_DEST) {
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
+ } else
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
return 1;
default:
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
{
printf(
"SNAT v%s options:\n"
-" --to-source <ipaddr>[-<ipaddr>][:port-port]"
-"[--random]"
-"\n"
+" --to-source <ipaddr>[-<ipaddr>][:port-port]\n"
" Address to map source to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
*target = parse_to(optarg, portok, info);
/* WTF do we need this for?? */
if (*flags & IPT_SNAT_OPT_RANDOM)
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
- *flags = IPT_SNAT_OPT_SOURCE;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_SNAT_OPT_SOURCE;
return 1;
case '2':
if (*flags & IPT_SNAT_OPT_SOURCE) {
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
*flags |= IPT_SNAT_OPT_RANDOM;
} else
*flags |= IPT_SNAT_OPT_RANDOM;
mangled), and rules should cease being examined. It takes one type
of option:
.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" [ "--random" ]
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
which can specify a single new source IP address, an inclusive range
of IP addresses, and optionally, a port range (which is only valid if
the rule also specifies
If no port range is specified, then source ports below 512 will be
mapped to other ports below 512: those between 512 and 1023 inclusive
will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will If option
-.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-.RS
-.PP
+1024 or above. Where possible, no port alteration will
+
In Kernels up to 2.6.10, you can add several --to-source options. For those
kernels, if you specify more than one source address, either via an address
range or multiple --to-source options, a simple round-robin (one after another
in cycle) takes place between these addresses.
Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges
anymore.
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP
projects / thirdparty / iptables.git / commitdiff
