From ef399a3033aa860ea1653b9c4306c0e78777e981 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Tue, 29 May 2007 11:24:45 +0000
Subject: Add --random option to DNAT and REDIRECT targets and fix the manpage mess this option left behind.
---
extensions/libipt_DNAT.c | 22 ++++++++++++++++++++--
extensions/libipt_DNAT.man | 11 ++++++++---
extensions/libipt_MASQUERADE.man | 14 ++++++--------
extensions/libipt_REDIRECT.c | 19 +++++++++++++++++++
extensions/libipt_REDIRECT.man | 7 +++++++
extensions/libipt_SNAT.c | 13 ++++++-------
extensions/libipt_SNAT.man | 17 ++++++++++-------
7 files changed, 76 insertions(+), 27 deletions(-)
(limited to 'extensions')
diff --git a/extensions/libipt_DNAT.c b/extensions/libipt_DNAT.c
index 3cf839e6..b0def312 100644
--- a/extensions/libipt_DNAT.c
+++ b/extensions/libipt_DNAT.c
@@ -8,6 +8,9 @@
#include
#include
+#define IPT_DNAT_OPT_DEST 0x1
+#define IPT_DNAT_OPT_RANDOM 0x2
+
/* Dest NAT data consists of a multi-range, indicating where to map to. */
struct ipt_natinfo
@@ -24,12 +27,14 @@ help(void)
"DNAT v%s options:\n"
" --to-destination [-][:port-port]\n"
" Address to map destination to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
static struct option opts[] = {
{ "to-destination", 1, 0, '1' },
+ { "random", 0, 0, '2' },
{ 0 }
};
@@ -163,9 +168,18 @@ parse(int c, char **argv, int invert, unsigned int *flags,
"Multiple --to-destination not supported");
}
*target = parse_to(optarg, portok, info);
- *flags = 1;
+ /* WTF do we need this for?? */
+ if (*flags & IPT_DNAT_OPT_RANDOM)
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_DEST;
return 1;
+ case '2':
+ if (*flags & IPT_DNAT_OPT_DEST) {
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_DNAT_OPT_RANDOM;
+ } else
+ *flags |= IPT_DNAT_OPT_RANDOM;
default:
return 0;
}
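Review bot: The new `case '2':` in the DNAT parse() hunk has no `return 1;`, so after recording the flag it falls through into `default:` and returns 0, which makes iptables treat `--random` as an unrecognised option; the REDIRECT and SNAT versions of the same case in this patch both end with `return 1;`. Add `return 1;` after the `} else` / `*flags |= IPT_DNAT_OPT_RANDOM;` pair. Note also that `*flags = 1` became `*flags |= IPT_DNAT_OPT_DEST`, so a final check that only tests `!flags` (not visible in this hunk) would now accept a rule with `--random` but no `--to-destination`; it should test the `IPT_DNAT_OPT_DEST` bit explicitly. The copied `/* WTF do we need this for?? */` comment should state the reason the code exists: `/* --random may precede --to-destination; apply it to the range just parsed */`. parse() starts before and continues after this hunk.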
@@ -212,6 +226,8 @@ print(const struct ipt_ip *ip,
for (i = 0; i < info->mr.rangesize; i++) {
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
@@ -226,6 +242,8 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
printf("--to-destination ");
print_range(&info->mr.range[i]);
printf(" ");
+ if (info->mr.range[i].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
diff --git a/extensions/libipt_DNAT.man b/extensions/libipt_DNAT.man
index 366dcb77..f11f4e22 100644
--- a/extensions/libipt_DNAT.man
+++ b/extensions/libipt_DNAT.man
@@ -20,12 +20,17 @@ or
If no port range is specified, then the destination port will never be modified. If no IP address is specified then only the destination port will be modified.
-.RS
-.PP
+
In Kernels up to 2.6.10 you can add several --to-destination options. For those kernels, if you specify more than one destination address, either via an address range or multiple --to-destination options, a simple round-robin (one after another in cycle) load balancing takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
-
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
diff --git a/extensions/libipt_MASQUERADE.man b/extensions/libipt_MASQUERADE.man
index 01dea51c..ea3c8de0 100644
--- a/extensions/libipt_MASQUERADE.man
+++ b/extensions/libipt_MASQUERADE.man
@@ -14,19 +14,17 @@ any established connections are lost anyway). It takes one option:
.TP
.BR "--to-ports " "\fIport\fP[-\fIport\fP]"
This specifies a range of source ports to use, overriding the default
-.TP
-.BR "--random"
-Randomize source port mapping
-.TP
.B SNAT
source port-selection heuristics (see above). This is only valid if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+Randomize source port mapping
If option
.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-
-
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP
diff --git a/extensions/libipt_REDIRECT.c b/extensions/libipt_REDIRECT.c
index c94bb592..6b387169 100644
--- a/extensions/libipt_REDIRECT.c
+++ b/extensions/libipt_REDIRECT.c
@@ -8,6 +8,9 @@
#include
#include
+#define IPT_REDIRECT_OPT_DEST 0x01
+#define IPT_REDIRECT_OPT_RANDOM 0x02
+
/* Function which prints out usage message. */
static void help(void)
@@ -21,6 +24,7 @@ IPTABLES_VERSION);
static struct option opts[] = {
{ "to-ports", 1, 0, '1' },
+ { "random", 1, 0, '2' },
{ 0 }
};
@@ -101,6 +105,17 @@ parse(int c, char **argv, int invert, unsigned int *flags,
"Unexpected `!' after --to-ports");
parse_ports(optarg, mr);
+ if (*flags & IPT_REDIRECT_OPT_RANDOM)
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_DEST;
+ return 1;
+
+ case '2':
+ if (*flags & IPT_REDIRECT_OPT_DEST) {
+ mr->range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
+ } else
+ *flags |= IPT_REDIRECT_OPT_RANDOM;
return 1;
default:
@@ -129,6 +144,8 @@ print(const struct ipt_ip *ip,
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("random ");
}
}
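Review bot: The new REDIRECT option table entry `{ "random", 1, 0, '2' }` declares `--random` with has_arg = 1 (required_argument), although the option takes no value; getopt_long will therefore consume the following argv word (for example a `--to-ports` that comes next) as the option's argument, or fail with a missing-argument error when `--random` is the last word on the command line. The DNAT table in the same patch declares it correctly as `{ "random", 0, 0, '2' }`. Change the entry to `{ "random", 0, 0, '2' },`.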
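Review bot: The new `case '2':` in REDIRECT's parse() accepts `! --random` silently, while the `--to-ports` case just above it rejects inversion with the visible "Unexpected `!' after --to-ports" message; the flag has no inverted meaning, so the same guard belongs here, `if (invert)` followed by the error call the `--to-ports` case uses (presumably exit_error, whose line is above the hunk) with the message `"Unexpected `!' after --random"`. The ordering logic itself looks right: whichever of `--to-ports` and `--random` comes first, the PROTO_RANDOM bit ends up on range[0]. parse() starts before the hunk and the `default:` branch continues past its end.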
@@ -146,6 +163,8 @@ save(const struct ipt_ip *ip, const struct ipt_entry_target *target)
if (r->max.tcp.port != r->min.tcp.port)
printf("-%hu", ntohs(r->max.tcp.port));
printf(" ");
+ if (mr->range[0].flags & IP_NAT_RANGE_PROTO_RANDOM)
+ printf("--random ");
}
}
diff --git a/extensions/libipt_REDIRECT.man b/extensions/libipt_REDIRECT.man
index aeca3cb7..93e29826 100644
--- a/extensions/libipt_REDIRECT.man
+++ b/extensions/libipt_REDIRECT.man
@@ -17,3 +17,10 @@ if the rule also specifies
.B "-p tcp"
or
.BR "-p udp" .
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.22).
+.RS
+.PP
diff --git a/extensions/libipt_SNAT.c b/extensions/libipt_SNAT.c
index ed60ec2d..0a665a09 100644
--- a/extensions/libipt_SNAT.c
+++ b/extensions/libipt_SNAT.c
@@ -25,11 +25,10 @@ help(void)
{
printf(
"SNAT v%s options:\n"
-" --to-source [-][:port-port]"
-"[--random]"
-"\n"
+" --to-source [-][:port-port]\n"
" Address to map source to.\n"
-" (You can use this more than once)\n\n",
+"[--random]\n"
+"\n",
IPTABLES_VERSION);
}
@@ -171,13 +170,13 @@ parse(int c, char **argv, int invert, unsigned int *flags,
*target = parse_to(optarg, portok, info);
/* WTF do we need this for?? */
if (*flags & IPT_SNAT_OPT_RANDOM)
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
- *flags = IPT_SNAT_OPT_SOURCE;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ *flags |= IPT_SNAT_OPT_SOURCE;
return 1;
case '2':
if (*flags & IPT_SNAT_OPT_SOURCE) {
- info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
+ info->mr.range[0].flags |= IP_NAT_RANGE_PROTO_RANDOM;
*flags |= IPT_SNAT_OPT_RANDOM;
} else
*flags |= IPT_SNAT_OPT_RANDOM;
diff --git a/extensions/libipt_SNAT.man b/extensions/libipt_SNAT.man
index daef78f1..7b34799a 100644
--- a/extensions/libipt_SNAT.man
+++ b/extensions/libipt_SNAT.man
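Review bot: The `/* WTF do we need this for?? */` comment in SNAT's parse() is kept verbatim although the hunk beneath it changes `*flags = IPT_SNAT_OPT_SOURCE` to `*flags |= IPT_SNAT_OPT_SOURCE`, which is precisely what the block is for: `--random` may be given before `--to-source`, so the pending IPT_SNAT_OPT_RANDOM bit has to be applied to the range parsed now and must not be erased by a plain assignment. Replace the comment with `/* --random may precede --to-source: apply the pending flag to the range just parsed */`. The other `-`/`+` pairs in this hunk differ only in indentation. parse() starts before and continues after the hunk.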
@@ -7,7 +7,7 @@ modified (and all future packets in this connection will also be mangled), and rules should cease being examined. It takes one type of option:
.TP
-.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]" [ "--random" ]
+.BR "--to-source " "\fIipaddr\fP[-\fIipaddr\fP][:\fIport\fP-\fIport\fP]"
which can specify a single new source IP address, an inclusive range of IP addresses, and optionally, a port range (which is only valid if the rule also specifies
@@ -17,15 +17,18 @@ or
If no port range is specified, then source ports below 512 will be mapped to other ports below 512: those between 512 and 1023 inclusive will be mapped to ports below 1024, and other ports will be mapped to
-1024 or above. Where possible, no port alteration will If option
-.B "--random"
-is used then port mapping will be forcely randomized to avoid
-attacks based on port prediction (kernel >= 2.6.21).
-.RS
-.PP
+1024 or above. Where possible, no port alteration will
+
In Kernels up to 2.6.10, you can add several --to-source options. For those kernels, if you specify more than one source address, either via an address range or multiple --to-source options, a simple round-robin (one after another in cycle) takes place between these addresses. Later Kernels (>= 2.6.11-rc1) don't have the ability to NAT to multiple ranges anymore.
+.TP
+.BR "--random"
+If option
+.B "--random"
+is used then port mapping will be randomized (kernel >= 2.6.21).
+.RS
+.PP
-- cgit v1.2.3