From 3cefc136d13f426fd68808ddfd39ada0c90f23db Mon Sep 17 00:00:00 2001 From: Daniel Borkmann Date: Sun, 22 Dec 2013 04:15:38 +0100 Subject: iptables: snat: add randomize-full support This patch provides the userspace part for snat in order to make randomize-full support available in {ip,nf}tables. It allows for enabling full port randomization that was motivated in [1] and introduced to the kernel in [2]. Joint work between Hannes Frederic Sowa and Daniel Borkmann. [1] https://sites.google.com/site/hayashulman/files/NIC-derandomisation.pdf [2] http://patchwork.ozlabs.org/patch/304306/ Signed-off-by: Hannes Frederic Sowa Signed-off-by: Daniel Borkmann Signed-off-by: Pablo Neira Ayuso --- extensions/libxt_SNAT.man | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'extensions/libxt_SNAT.man') diff --git a/extensions/libxt_SNAT.man b/extensions/libxt_SNAT.man index f0620a21..8cd0b80e 100644 --- a/extensions/libxt_SNAT.man +++ b/extensions/libxt_SNAT.man @@ -29,7 +29,12 @@ anymore. \fB\-\-random\fP If option \fB\-\-random\fP -is used then port mapping will be randomized (kernel >= 2.6.21). +is used then port mapping will be randomized through a hash-based algorithm (kernel >= 2.6.21). +.TP +\fB\-\-random-fully\fP +If option +\fB\-\-random-fully\fP +is used then port mapping will be fully randomized through a PRNG (kernel >= 3.14). .TP \fB\-\-persistent\fP Gives a client the same source-/destination-address for each connection. -- cgit v1.2.3
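Review bot: in the added .TP entry the option name is written `\fB\-\-random-fully\fP` with the inner hyphen left unescaped, whereas the existing `\fB\-\-random\fP` line in the same hunk escapes every dash; groff may render a bare `-` as a typographic hyphen rather than an ASCII minus, so the option copied from the rendered page can differ from what the command line expects. Suggest `\fB\-\-random\-fully\fP` in both places where it appears. The description could also say in one clause why full randomization exists (the port-prediction concern cited as [1] in the commit message), so a reader can tell when to prefer it over the hash-based `\-\-random`.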