1 #include <linux/types.h>
2 #include <linux/init.h>
3 #include <linux/netfilter.h>
7 #include <linux/netfilter_ipv4/ip_nat.h>
8 #include <linux/netfilter_ipv4/ip_nat_rule.h>
9 #include <linux/netfilter_ipv4/ip_nat_protocol.h>
10 #include <linux/netfilter_ipv4/ip_nat_core.h>
13 tcp_in_range(const struct ip_conntrack_tuple *tuple,
14 enum ip_nat_manip_type maniptype,
15 const union ip_conntrack_manip_proto *min,
16 const union ip_conntrack_manip_proto *max)
20 if (maniptype == IP_NAT_MANIP_SRC)
21 port = tuple->src.u.tcp.port;
23 port = tuple->dst.u.tcp.port;
25 return ntohs(port) >= ntohs(min->tcp.port)
26 && ntohs(port) <= ntohs(max->tcp.port);
30 tcp_unique_tuple(struct ip_conntrack_tuple *tuple,
31 const struct ip_nat_range *range,
32 enum ip_nat_manip_type maniptype,
33 const struct ip_conntrack *conntrack)
35 static u_int16_t port, *portptr;
36 unsigned int range_size, min, i;
38 if (maniptype == IP_NAT_MANIP_SRC)
39 portptr = &tuple->src.u.tcp.port;
41 portptr = &tuple->dst.u.tcp.port;
43 /* If no range specified... */
44 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) {
45 /* If it's dst rewrite, can't change port */
46 if (maniptype == IP_NAT_MANIP_DST)
49 /* Map privileged onto privileged. */
50 if (ntohs(*portptr) < 1024) {
51 /* Loose convention: >> 512 is credential passing */
52 if (ntohs(*portptr)<512) {
54 range_size = 511 - min + 1;
57 range_size = 1023 - min + 1;
61 range_size = 65535 - 1024 + 1;
64 min = ntohs(range->min.tcp.port);
65 range_size = ntohs(range->max.tcp.port) - min + 1;
68 for (i = 0; i < range_size; i++, port++) {
69 *portptr = htons(min + port % range_size);
70 if (!ip_nat_used_tuple(tuple, conntrack)) {
78 tcp_manip_pkt(struct sk_buff **pskb,
80 const struct ip_conntrack_manip *manip,
81 enum ip_nat_manip_type maniptype)
85 u_int16_t *portptr, oldport;
86 int hdrsize = 8; /* TCP connection tracking guarantees this much */
88 /* this could be a inner header returned in icmp packet; in such
89 cases we cannot update the checksum field since it is outside of
90 the 8 bytes of transport layer headers we are guaranteed */
91 if ((*pskb)->len >= hdroff + sizeof(struct tcphdr))
92 hdrsize = sizeof(struct tcphdr);
94 if (!skb_ip_make_writable(pskb, hdroff + hdrsize))
97 hdr = (void *)(*pskb)->data + hdroff;
99 if (maniptype == IP_NAT_MANIP_SRC) {
100 /* Get rid of src ip and src pt */
101 oldip = (*pskb)->nh.iph->saddr;
102 portptr = &hdr->source;
104 /* Get rid of dst ip and dst pt */
105 oldip = (*pskb)->nh.iph->daddr;
106 portptr = &hdr->dest;
110 *portptr = manip->u.tcp.port;
112 if (hdrsize < sizeof(*hdr))
115 hdr->check = ip_nat_cheat_check(~oldip, manip->ip,
116 ip_nat_cheat_check(oldport ^ 0xFFFF,
123 tcp_print(char *buffer,
124 const struct ip_conntrack_tuple *match,
125 const struct ip_conntrack_tuple *mask)
127 unsigned int len = 0;
129 if (mask->src.u.tcp.port)
130 len += sprintf(buffer + len, "srcpt=%u ",
131 ntohs(match->src.u.tcp.port));
134 if (mask->dst.u.tcp.port)
135 len += sprintf(buffer + len, "dstpt=%u ",
136 ntohs(match->dst.u.tcp.port));
142 tcp_print_range(char *buffer, const struct ip_nat_range *range)
144 if (range->min.tcp.port != 0 || range->max.tcp.port != 0xFFFF) {
145 if (range->min.tcp.port == range->max.tcp.port)
146 return sprintf(buffer, "port %u ",
147 ntohs(range->min.tcp.port));
149 return sprintf(buffer, "ports %u-%u ",
150 ntohs(range->min.tcp.port),
151 ntohs(range->max.tcp.port));
156 struct ip_nat_protocol ip_nat_protocol_tcp
157 = { { NULL, NULL }, "TCP", IPPROTO_TCP,