From 1905e3521e8401ad2ef912263265596d43e06a3c Mon Sep 17 00:00:00 2001
From: "/C=DE/ST=Berlin/L=Berlin/O=Netfilter Project/OU=Development/CN=kaber/emailAddress=kaber@netfilter.org"
Date: Sat, 24 Feb 2007 15:11:33 +0000
Subject: iptables: add random option to SNAT (Eric Leblond)

---
 extensions/libipt_MASQUERADE.man | 10 ++++++++++
 1 file changed, 10 insertions(+)

(limited to 'extensions/libipt_MASQUERADE.man')

diff --git a/extensions/libipt_MASQUERADE.man b/extensions/libipt_MASQUERADE.man
index e82063c..01dea51 100644
--- a/extensions/libipt_MASQUERADE.man
+++ b/extensions/libipt_MASQUERADE.man
@@ -14,9 +14,19 @@ any established connections are lost anyway). It takes one option:
 .TP
 .BR "--to-ports " "\fIport\fP[-\fIport\fP]"
 This specifies a range of source ports to use, overriding the default
+.TP
+.BR "--random"
+Randomize source port mapping
+.TP
 .B SNAT
 source port-selection heuristics (see above). This is only valid
 if the rule also specifies
 .B "-p tcp"
 or
 .BR "-p udp" .
+If option
+.B "--random"
+is used then port mapping will be forcely randomized to avoid
+attacks based on port prediction (kernel >= 2.6.21).
+
+
--
cgit v1.2.3