]>
Commit | Line | Data |
---|---|---|
937e0dfd PM |
1 | /* (C) 1999-2001 Paul `Rusty' Russell |
2 | * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> | |
3 | * (C) 2008 Patrick McHardy <kaber@trash.net> | |
4 | * | |
5 | * This program is free software; you can redistribute it and/or modify | |
6 | * it under the terms of the GNU General Public License version 2 as | |
7 | * published by the Free Software Foundation. | |
8 | */ | |
9 | ||
10 | #include <linux/types.h> | |
11 | #include <linux/random.h> | |
937e0dfd | 12 | #include <linux/netfilter.h> |
bc3b2d7f | 13 | #include <linux/export.h> |
c7232c99 | 14 | |
937e0dfd PM |
15 | #include <net/netfilter/nf_nat.h> |
16 | #include <net/netfilter/nf_nat_core.h> | |
c7232c99 PM |
17 | #include <net/netfilter/nf_nat_l3proto.h> |
18 | #include <net/netfilter/nf_nat_l4proto.h> | |
937e0dfd | 19 | |
c7232c99 PM |
20 | bool nf_nat_l4proto_in_range(const struct nf_conntrack_tuple *tuple, |
21 | enum nf_nat_manip_type maniptype, | |
22 | const union nf_conntrack_man_proto *min, | |
23 | const union nf_conntrack_man_proto *max) | |
937e0dfd PM |
24 | { |
25 | __be16 port; | |
26 | ||
cbc9f2f4 | 27 | if (maniptype == NF_NAT_MANIP_SRC) |
937e0dfd PM |
28 | port = tuple->src.u.all; |
29 | else | |
30 | port = tuple->dst.u.all; | |
31 | ||
32 | return ntohs(port) >= ntohs(min->all) && | |
33 | ntohs(port) <= ntohs(max->all); | |
34 | } | |
c7232c99 | 35 | EXPORT_SYMBOL_GPL(nf_nat_l4proto_in_range); |
937e0dfd | 36 | |
c7232c99 PM |
37 | void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto, |
38 | struct nf_conntrack_tuple *tuple, | |
39 | const struct nf_nat_range *range, | |
40 | enum nf_nat_manip_type maniptype, | |
41 | const struct nf_conn *ct, | |
42 | u16 *rover) | |
937e0dfd PM |
43 | { |
44 | unsigned int range_size, min, i; | |
45 | __be16 *portptr; | |
5abd363f | 46 | u_int16_t off; |
937e0dfd | 47 | |
cbc9f2f4 | 48 | if (maniptype == NF_NAT_MANIP_SRC) |
937e0dfd PM |
49 | portptr = &tuple->src.u.all; |
50 | else | |
51 | portptr = &tuple->dst.u.all; | |
52 | ||
53 | /* If no range specified... */ | |
cbc9f2f4 | 54 | if (!(range->flags & NF_NAT_RANGE_PROTO_SPECIFIED)) { |
937e0dfd | 55 | /* If it's dst rewrite, can't change port */ |
cbc9f2f4 | 56 | if (maniptype == NF_NAT_MANIP_DST) |
f43dc98b | 57 | return; |
937e0dfd PM |
58 | |
59 | if (ntohs(*portptr) < 1024) { | |
60 | /* Loose convention: >> 512 is credential passing */ | |
61 | if (ntohs(*portptr) < 512) { | |
62 | min = 1; | |
63 | range_size = 511 - min + 1; | |
64 | } else { | |
65 | min = 600; | |
66 | range_size = 1023 - min + 1; | |
67 | } | |
68 | } else { | |
69 | min = 1024; | |
70 | range_size = 65535 - 1024 + 1; | |
71 | } | |
72 | } else { | |
c7232c99 PM |
73 | min = ntohs(range->min_proto.all); |
74 | range_size = ntohs(range->max_proto.all) - min + 1; | |
937e0dfd PM |
75 | } |
76 | ||
34ce3240 | 77 | if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) { |
c7232c99 PM |
78 | off = l3proto->secure_port(tuple, maniptype == NF_NAT_MANIP_SRC |
79 | ? tuple->dst.u.all | |
80 | : tuple->src.u.all); | |
34ce3240 DB |
81 | } else if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) { |
82 | off = prandom_u32(); | |
83 | } else { | |
9f593653 | 84 | off = *rover; |
34ce3240 | 85 | } |
937e0dfd | 86 | |
2452a99d | 87 | for (i = 0; ; ++off) { |
5abd363f | 88 | *portptr = htons(min + off % range_size); |
2452a99d | 89 | if (++i != range_size && nf_nat_used_tuple(tuple, ct)) |
5abd363f | 90 | continue; |
34ce3240 | 91 | if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL)) |
5abd363f | 92 | *rover = off; |
f43dc98b | 93 | return; |
937e0dfd | 94 | } |
937e0dfd | 95 | } |
c7232c99 | 96 | EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple); |
535b57c7 | 97 | |
24de3d37 | 98 | #if IS_ENABLED(CONFIG_NF_CT_NETLINK) |
c7232c99 PM |
99 | int nf_nat_l4proto_nlattr_to_range(struct nlattr *tb[], |
100 | struct nf_nat_range *range) | |
535b57c7 | 101 | { |
535b57c7 | 102 | if (tb[CTA_PROTONAT_PORT_MIN]) { |
c7232c99 PM |
103 | range->min_proto.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MIN]); |
104 | range->max_proto.all = range->min_proto.all; | |
cbc9f2f4 | 105 | range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; |
535b57c7 | 106 | } |
ca6a5074 | 107 | if (tb[CTA_PROTONAT_PORT_MAX]) { |
c7232c99 | 108 | range->max_proto.all = nla_get_be16(tb[CTA_PROTONAT_PORT_MAX]); |
cbc9f2f4 | 109 | range->flags |= NF_NAT_RANGE_PROTO_SPECIFIED; |
535b57c7 | 110 | } |
ca6a5074 | 111 | return 0; |
535b57c7 | 112 | } |
c7232c99 | 113 | EXPORT_SYMBOL_GPL(nf_nat_l4proto_nlattr_to_range); |
535b57c7 | 114 | #endif |