Commit | Line | Data |
---|---|---|
937e0dfd PM |
1 | /* (C) 1999-2001 Paul `Rusty' Russell |
2 | * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> | |
3 | * (C) 2008 Patrick McHardy <kaber@trash.net> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | */ | |
9 | ||
10 | #include <linux/types.h> | |
11 | #include <linux/random.h> | |
12 | #include <linux/ip.h> | |
13 | ||
14 | #include <linux/netfilter.h> | |
15 | #include <net/netfilter/nf_nat.h> | |
16 | #include <net/netfilter/nf_nat_core.h> | |
17 | #include <net/netfilter/nf_nat_rule.h> | |
18 | #include <net/netfilter/nf_nat_protocol.h> | |
19 | ||
f2ea825f JE |
20 | bool nf_nat_proto_in_range(const struct nf_conntrack_tuple *tuple, |
21 | enum nf_nat_manip_type maniptype, | |
22 | const union nf_conntrack_man_proto *min, | |
23 | const union nf_conntrack_man_proto *max) | |
937e0dfd PM |
24 | { |
25 | __be16 port; | |
26 | ||
27 | if (maniptype == IP_NAT_MANIP_SRC) | |
28 | port = tuple->src.u.all; | |
29 | else | |
30 | port = tuple->dst.u.all; | |
31 | ||
32 | return ntohs(port) >= ntohs(min->all) && | |
33 | ntohs(port) <= ntohs(max->all); | |
34 | } | |
35 | EXPORT_SYMBOL_GPL(nf_nat_proto_in_range); | |
36 | ||
f43dc98b | 37 | void nf_nat_proto_unique_tuple(struct nf_conntrack_tuple *tuple, |
f2ea825f JE |
38 | const struct nf_nat_range *range, |
39 | enum nf_nat_manip_type maniptype, | |
40 | const struct nf_conn *ct, | |
41 | u_int16_t *rover) | |
937e0dfd PM |
42 | { |
43 | unsigned int range_size, min, i; | |
44 | __be16 *portptr; | |
5abd363f | 45 | u_int16_t off; |
937e0dfd PM |
46 | |
47 | if (maniptype == IP_NAT_MANIP_SRC) | |
48 | portptr = &tuple->src.u.all; | |
49 | else | |
50 | portptr = &tuple->dst.u.all; | |
51 | ||
52 | /* If no range specified... */ | |
53 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { | |
54 | /* If it's dst rewrite, can't change port */ | |
55 | if (maniptype == IP_NAT_MANIP_DST) | |
f43dc98b | 56 | return; |
937e0dfd PM |
57 | |
58 | if (ntohs(*portptr) < 1024) { | |
59 | /* Loose convention: >> 512 is credential passing */ | |
60 | if (ntohs(*portptr) < 512) { | |
61 | min = 1; | |
62 | range_size = 511 - min + 1; | |
63 | } else { | |
64 | min = 600; | |
65 | range_size = 1023 - min + 1; | |
66 | } | |
67 | } else { | |
68 | min = 1024; | |
69 | range_size = 65535 - 1024 + 1; | |
70 | } | |
71 | } else { | |
72 | min = ntohs(range->min.all); | |
73 | range_size = ntohs(range->max.all) - min + 1; | |
74 | } | |
75 | ||
76 | if (range->flags & IP_NAT_RANGE_PROTO_RANDOM) | |
9f593653 SH |
77 | off = secure_ipv4_port_ephemeral(tuple->src.u3.ip, tuple->dst.u3.ip, |
78 | maniptype == IP_NAT_MANIP_SRC | |
79 | ? tuple->dst.u.all | |
80 | : tuple->src.u.all); | |
81 | else | |
82 | off = *rover; | |
937e0dfd | 83 | |
2452a99d | 84 | for (i = 0; ; ++off) { |
5abd363f | 85 | *portptr = htons(min + off % range_size); |
2452a99d | 86 | if (++i != range_size && nf_nat_used_tuple(tuple, ct)) |
5abd363f PM |
87 | continue; |
88 | if (!(range->flags & IP_NAT_RANGE_PROTO_RANDOM)) | |
89 | *rover = off; | |
f43dc98b | 90 | return; |
937e0dfd | 91 | } |
f43dc98b | 92 | return; |
937e0dfd PM |
93 | } |
94 | EXPORT_SYMBOL_GPL(nf_nat_proto_unique_tuple); | |
535b57c7 PM |
95 | |
96 | #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) | |
97 | int nf_nat_proto_range_to_nlattr(struct sk_buff *skb, | |
98 | const struct nf_nat_range *range) | |
99 | { | |
100 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MIN, range->min.all); | |
101 | NLA_PUT_BE16(skb, CTA_PROTONAT_PORT_MAX, range->max.all); | |
102 | return 0; | |
103 | ||
104 | nla_put_failure: | |
105 | return -1; | |
106 | } | |
107 | EXPORT_SYMBOL_GPL(nf_nat_proto_nlattr_to_range); | |
108 | ||
109 | int nf_nat_proto_nlattr_to_range(struct nlattr *tb[], | |
110 | struct nf_nat_range *range) | |
111 | { | |
535b57c7 | 112 | if (tb[CTA_PROTONAT_PORT_MIN]) { |
535b57c7 | 113 | range->min.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]); |
ca6a5074 PM |
114 | range->max.all = range->min.tcp.port; |
115 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | |
535b57c7 | 116 | } |
ca6a5074 | 117 | if (tb[CTA_PROTONAT_PORT_MAX]) { |
535b57c7 | 118 | range->max.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]); |
ca6a5074 | 119 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; |
535b57c7 | 120 | } |
ca6a5074 | 121 | return 0; |
535b57c7 PM |
122 | } |
123 | EXPORT_SYMBOL_GPL(nf_nat_proto_range_to_nlattr); | |
124 | #endif |