-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 To follow up on the source port problem, I've committed the attached changes to ipfilter (I'll soon work on a new revision.) For those that can't install a new version or are using an older version, the attached patches should help.
The file port-random.patch patches ipfilter to use a random source port by default. The file arc4random.c will be needed where your kernel (ie. Solaris-anything) doesn't export a suitable random number interface. With a bit of coercion, the patch could be applied to 3.4.*, but I'm not 100% sure of that, given the parser changes. If you need a patch for 3.4.something, send me an email and I'll see what I can do. Darren -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org iEYEARECAAYFAkiIUN8ACgkQP7JIXtvLbFW43gCgks8Wu6wayfcmAm+/Cp8tBMBw Mx8AoJV4mavIFW0gMN7xL/7MTGvfxT75 =ZOkZ -----END PGP SIGNATURE-----
#ifdef NEED_LOCAL_RAND
/*-
* THE BEER-WARE LICENSE
*
* <[EMAIL PROTECTED]> wrote this file. As long as you retain this notice you
* can do whatever you want with this stuff. If we meet some day, and you
* think this stuff is worth it, you can buy me a beer in return.
*
* Dan Moschuk
*/
#include <sys/cdefs.h>
#include <sys/types.h>
#include <sys/param.h>
#ifdef __FreeBSD__
# include <sys/kernel.h>
#endif
#include <sys/random.h>
#ifdef __FreeBSD__
# include <sys/libkern.h>
#endif
#include <sys/lock.h>
#include <sys/mutex.h>
#include <sys/time.h>
#include <sys/socket.h>
#include <net/if.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include "netinet/ip_compat.h"
#include "md5.h"
/*
 * arc4rand() re-stirs the S-box after this many output bytes, or after
 * this many seconds, whichever comes first.  ARC4_RESEED_BYTES is also
 * the size of the entropy "pot" declared further down.
 */
#define ARC4_RESEED_BYTES 65536
#define ARC4_RESEED_SECONDS 300
/* Bytes requested from the pot per stir; replicated across the 256-byte key. */
#define ARC4_KEYBYTES (256 / 8)
/* RC4 state: the i/j indices, the S-box, and bytes emitted since the last stir. */
static u_int8_t arc4_i, arc4_j;
static int arc4_numruns = 0;
static u_int8_t arc4_sbox[256];
/* Second at which the next stir is due; 0 (set by arc4_init) forces one. */
static time_t arc4_t_reseed;
/* Lock taken around every read/write of the RC4 state and of the pot. */
static ipfmutex_t arc4_mtx;
/* Running hash fed by ipf_rand_push(); its buf member is what lands in the pot. */
static MD5_CTX md5ctx;
static u_int8_t arc4_randbyte(void);
static int ipf_read_random(void *dest, int length);
/*
 * Exchange the bytes pointed to by a and b.  Safe when a == b (a plain
 * temporary is used, not an XOR trick).
 */
static __inline void
arc4_swap(u_int8_t *a, u_int8_t *b)
{
	u_int8_t va = *a, vb = *b;

	*a = vb;
	*b = va;
}
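/*
 * Stir our S-box.
 *
 * Re-keys the RC4 state from whatever ipf_read_random() can supply (up to
 * ARC4_KEYBYTES bytes, replicated across the 256-byte key), folds the
 * current time into the key, resets the reseed bookkeeping and discards
 * the first 1024 output bytes.  Takes arc4_mtx itself; callers must not
 * hold it.
 */
static void
arc4_randomstir (void)
{
	u_int8_t key[256];
	int r, n;
	struct timeval tv_now;

	/*
	 * XXX read_random() returns unsafe numbers if the entropy
	 * device is not loaded -- MarkM.
	 *
	 * ipf_read_random() returns 0 when the pot does not yet hold
	 * ARC4_KEYBYTES bytes; key[] is then whatever was on the stack.
	 */
	r = ipf_read_random(key, ARC4_KEYBYTES);
	GETKTIME(&tv_now);
	MUTEX_ENTER(&arc4_mtx);
	if (r > 0) {
		/* Replicate the r bytes we got across the whole key. */
		for (n = r; n < sizeof(key); n++)
			key[n] = key[n % r];
	}
	/*
	 * Always fold the current time into the key as well, so that a
	 * failed read (r <= 0) never leaves the key equal to bare, possibly
	 * repeating, stack contents.  This is stirring, not entropy: the
	 * time is guessable, so it must not be counted as secret.
	 */
	for (n = 0; n < (int)sizeof(tv_now); n++)
		key[n] ^= ((u_int8_t *)&tv_now)[n];
	/* RC4 key schedule over the (possibly replicated) key. */
	for (n = 0; n < 256; n++) {
		arc4_j = (arc4_j + arc4_sbox[n] + key[n]) % 256;
		arc4_swap(&arc4_sbox[n], &arc4_sbox[arc4_j]);
	}
	/* Reset for next reseed cycle. */
	arc4_t_reseed = tv_now.tv_sec + ARC4_RESEED_SECONDS;
	arc4_numruns = 0;
	/*
	 * Throw away the first N bytes of output, as suggested in the
	 * paper "Weaknesses in the Key Scheduling Algorithm of RC4"
	 * by Fluhrer, Mantin, and Shamir. (N = 1024 here: 256*4.)
	 */
	for (n = 0; n < 256*4; n++)
		arc4_randbyte();
	MUTEX_EXIT(&arc4_mtx);
}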
/*
 * Initialize our S-box to its beginning defaults.
 *
 * Resets the MD5 context, creates arc4_mtx, zeroes the RC4 indices,
 * loads the identity permutation into the S-box and clears the reseed
 * deadline so the first arc4rand() call stirs before producing output.
 * Called once, from the first ipf_rand_push().
 */
static void
arc4_init(void)
{
	int idx = 0;

	MD5Init(&md5ctx);
	MUTEX_INIT(&arc4_mtx, "arc4_mtx");
	arc4_i = 0;
	arc4_j = 0;
	while (idx < 256) {
		arc4_sbox[idx] = (u_int8_t) idx;
		idx++;
	}
	arc4_t_reseed = 0;
}
/*
 * Generate a random byte.
 *
 * One RC4 keystream step: advance i, update j, swap S[i] and S[j], and
 * output S[(S[i] + S[j]) mod 256].  Callers hold arc4_mtx (arc4rand and
 * arc4_randomstir both take it before calling here).
 */
static u_int8_t
arc4_randbyte(void)
{
	u_int8_t si, sj;

	arc4_i = (arc4_i + 1) & 0xff;
	arc4_j = (arc4_j + arc4_sbox[arc4_i]) & 0xff;
	arc4_swap(&arc4_sbox[arc4_i], &arc4_sbox[arc4_j]);
	si = arc4_sbox[arc4_i];
	sj = arc4_sbox[arc4_j];
	return arc4_sbox[(si + sj) & 0xff];
}
/*
 * MPSAFE
 *
 * Fill ptr[0..len) with RC4 output.  A stir happens first when the caller
 * asks for it (reseed != 0), when more than ARC4_RESEED_BYTES have been
 * emitted since the last stir, or when the reseed deadline has passed.
 * Note that those two counters are examined before arc4_mtx is taken;
 * only the byte generation itself runs under the lock.
 */
void
arc4rand(void *ptr, u_int len, int reseed)
{
	u_int8_t *out = ptr;
	struct timeval now;
	int stir;

	GETKTIME(&now);
	stir = (reseed != 0);
	if (!stir && arc4_numruns > ARC4_RESEED_BYTES)
		stir = 1;
	if (!stir && now.tv_sec > arc4_t_reseed)
		stir = 1;
	if (stir)
		arc4_randomstir();

	MUTEX_ENTER(&arc4_mtx);
	arc4_numruns += len;
	for (; len > 0; len--)
		*out++ = arc4_randbyte();
	MUTEX_EXIT(&arc4_mtx);
}
/*
 * Return one 32-bit word of RC4 output (no forced reseed).  On platforms
 * where ip_compat.h maps ipf_random to arc4random, this is the function
 * that name resolves to.
 */
uint32_t
ipf_random(void)
{
	uint32_t value = 0;

	arc4rand(&value, sizeof(value), 0);
	return value;
}
/*
 * Ring buffer ("pot") of bytes produced by ipf_rand_push() and drained by
 * ipf_read_random() to key RC4.  pothead is the next byte to read,
 * pottail the next byte to write, inpot the number of unread bytes.
 * All three are updated under arc4_mtx.  Sized to ARC4_RESEED_BYTES.
 */
static u_char pot[ARC4_RESEED_BYTES];
static u_char *pothead = pot, *pottail = pot;
static int inpot = 0;
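/*
 * Feed bytes into the local entropy pot.
 *
 * Everything pushed goes through MD5Update(); after each full 64-byte
 * block, md5ctx.buf (whichever member that is in this md5.h -- the raw
 * input block or the running state are both plausible; confirm) is
 * appended to the pot that ipf_read_random() later drains to key RC4.
 * Callers push NAT and state entries as they are freed, so treat this as
 * stirring rather than as secret entropy: those bytes are largely
 * observable by the remote peer.
 *
 * This is not very strong, and this is understood, but the aim isn't to
 * be cryptographically strong - it is just to make up something that is
 * pseudo random.
 *
 * src/length: bytes to fold in; length <= 0 or a NULL src is ignored.
 * The first call initialises the RC4 state and arc4_mtx; that guard is
 * not itself locked, so the first push must happen before any concurrent
 * use (fr_stateinit pushes ips_seed at attach time).
 *
 * Fixes versus the previous version: the wrap-around copy used an
 * uninitialised "left" and the caller's "length" as the source offset;
 * a push of exactly 64 bytes was dropped ("> 64"); the pot accounting
 * assumed md5ctx.buf is 64 bytes; and md5ctx was updated outside the lock.
 */
void
ipf_rand_push(void *src, int length)
{
	static int arc4_inited = 0;
	u_char *nsrc;
	int mylen;

	if (arc4_inited == 0) {
		arc4_init();
		arc4_inited = 1;
	}
	if (length <= 0 || src == NULL)
		return;

	nsrc = src;
	mylen = length;

	/*
	 * Whole 64-byte blocks: hash each one and copy md5ctx.buf into the
	 * pot while there is room for it.  md5ctx is shared with every
	 * other caller, so the hash update is done under arc4_mtx too.
	 */
	while ((mylen >= 64) && (sizeof(pot) - inpot > sizeof(md5ctx.buf))) {
		MUTEX_ENTER(&arc4_mtx);
		MD5Update(&md5ctx, nsrc, 64);
		mylen -= 64;
		nsrc += 64;
		if (pottail + sizeof(md5ctx.buf) > pot + sizeof(pot)) {
			/* Copy wraps around the end of the ring. */
			int left, numbytes;

			left = sizeof(md5ctx.buf);
			numbytes = pot + sizeof(pot) - pottail;
			bcopy(md5ctx.buf, pottail, numbytes);
			left -= numbytes;
			pottail = pot;
			bcopy((u_char *)md5ctx.buf + numbytes, pottail, left);
			pottail += left;
		} else {
			bcopy(md5ctx.buf, pottail, sizeof(md5ctx.buf));
			pottail += sizeof(md5ctx.buf);
		}
		/* Account for exactly what was copied, not a hard-coded 64. */
		inpot += sizeof(md5ctx.buf);
		MUTEX_EXIT(&arc4_mtx);
	}

	/*
	 * Whatever is left (a short push, a trailing partial block, or the
	 * remainder once the pot is full) still goes into the hash so that
	 * it influences later blocks.
	 */
	if (mylen > 0) {
		MUTEX_ENTER(&arc4_mtx);
		MD5Update(&md5ctx, nsrc, mylen);
		MUTEX_EXIT(&arc4_mtx);
	}
}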
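/*
 * Take "length" bytes out of the pot into dest.
 *
 * Returns length on success, or 0 when the pot holds fewer than length
 * bytes (nothing is copied in that case); a length <= 0 or NULL dest also
 * returns 0.  The availability test is made under arc4_mtx so that two
 * concurrent readers cannot both pass it and drain more than is there
 * (the previous version tested inpot before taking the lock).  ISO C has
 * no pointer arithmetic on void *, so dest is handled as a u_char pointer.
 */
static int
ipf_read_random(void *dest, int length)
{
	u_char *out = dest;

	if (length <= 0 || dest == NULL)
		return 0;

	MUTEX_ENTER(&arc4_mtx);
	if (length > inpot) {
		MUTEX_EXIT(&arc4_mtx);
		return 0;
	}
	if (pothead + length > pot + sizeof(pot)) {
		/* Read wraps around the end of the ring. */
		int left, numbytes;

		left = length;
		numbytes = pot + sizeof(pot) - pothead;
		bcopy(pothead, out, numbytes);
		left -= numbytes;
		pothead = pot;
		bcopy(pothead, out + numbytes, left);
		pothead += left;
	} else {
		bcopy(pothead, out, length);
		pothead += length;
	}
	inpot -= length;
	/* Empty pot: rewind both ends so the next push starts at pot[0]. */
	if (inpot == 0)
		pothead = pottail = pot;
	MUTEX_EXIT(&arc4_mtx);
	return length;
}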
#endif /* NEED_LOCAL_RAND */
Index: Makefile
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/Makefile,v
retrieving revision 1.2.2.8
diff -c -r1.2.2.8 Makefile
*** Makefile 16 Mar 2008 06:47:22 -0000 1.2.2.8
--- Makefile 24 Jul 2008 09:28:32 -0000
***************
*** 240,246 ****
exit 1; \
fi
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM'
"ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
! (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS);
cd ..)
openbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
--- 240,246 ----
exit 1; \
fi
(cd BSD/$(CPUDIR); make build TOP=../.. $(MFLAGS) 'DLKM=-D_LKM'
"ML=mln_ipl.c" LKMR= "MLR=mln_rule.o"; cd ..)
! # (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS);
cd ..)
openbsd: include
make setup "TARGOS=BSD" "CPUDIR=$(CPUDIR)"
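Review bot: The commented-out `# (cd BSD/$(CPUDIR); make -f Makefile.ipsend build TOP=../.. $(MFLAGS);` silently drops ipsend from this target's build, which is unrelated to the source-port change and is not mentioned in the message. If ipsend does not build on this platform after the patch, record the reason next to the line (`# ipsend disabled: <reason>`) or split it into its own change. The target this line belongs to starts outside the hunk.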
Index: ip_compat.h
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ip_compat.h,v
retrieving revision 1.2.2.19
diff -c -r1.2.2.19 ip_compat.h
*** ip_compat.h 9 Jun 2008 10:58:08 -0000 1.2.2.19
--- ip_compat.h 24 Jul 2008 09:28:35 -0000
***************
*** 206,211 ****
--- 206,213 ----
# define U_32_T 1
# ifdef _KERNEL
+ # define NEED_LOCAL_RAND 1
+ # define ipf_random arc4random
# define KRWLOCK_T krwlock_t
# define KMUTEX_T kmutex_t
***************
*** 336,341 ****
--- 338,344 ----
typedef struct uio uio_t;
# endif
typedef int ioctlcmd_t;
+ typedef uint8_t u_int8_t;
# define OS_RECOGNISED 1
***************
*** 566,571 ****
--- 569,576 ----
# endif
# ifdef _KERNEL
+ # define NEED_LOCAL_RAND 1
+ # define ipf_random arc4random
# define ATOMIC_INC(x) { MUTEX_ENTER(&ipf_rw); \
(x)++; MUTEX_EXIT(&ipf_rw); }
# define ATOMIC_DEC(x) { MUTEX_ENTER(&ipf_rw); \
***************
*** 662,667 ****
--- 667,674 ----
# include <sys/sysmacros.h>
# ifdef _KERNEL
+ # define NEED_LOCAL_RAND 1
+ # define ipf_random arc4random
# define KMUTEX_T simple_lock_data_t
# define KRWLOCK_T lock_data_t
# include <net/net_globals.h>
***************
*** 787,792 ****
--- 794,801 ----
typedef char * caddr_t;
# endif
+ # define ipf_random arc4random
+
# ifdef _KERNEL
# if (__NetBSD_Version__ >= 399001400)
# define KMALLOCS(a, b, c) (a) = (b)malloc((c), _M_IPF, M_NOWAIT)
***************
*** 829,834 ****
--- 838,848 ----
/* F R E E B S D */
/* ----------------------------------------------------------------------- */
#ifdef __FreeBSD__
+ # if (__FreeBSD_version < 400000)
+ # define NEED_LOCAL_RAND 1
+ # else
+ # define ipf_random arc4random
+ # endif
# if defined(_KERNEL)
# if (__FreeBSD_version >= 500000)
# include "opt_bpf.h"
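Review bot: The FreeBSD selection (`# if (__FreeBSD_version < 400000)` / `# define NEED_LOCAL_RAND 1` / `# else` / `# define ipf_random arc4random`) sits before the `# if defined(_KERNEL)` test, so unlike the Solaris, HP-UX and OSF hunks above, which wrap both defines in `# ifdef _KERNEL`, it also applies to userland builds; if ip_fil.c, which this patch gives a deterministic `ipf_random()` for testing, is part of the userland build on FreeBSD, that definition becomes `arc4random()` and collides with libc's — confirm how ip_fil.c is built (the NetBSD hunk has the same shape). The old-FreeBSD branch defines NEED_LOCAL_RAND without the `ipf_random`→`arc4random` mapping, so arc4random.c exports `ipf_random` there but `arc4random` on the other NEED_LOCAL_RAND platforms; a one-line comment next to the define, such as `/* arc4random.c's exported name follows this macro */`, would save the next reader from tracing it. The enclosing FreeBSD section continues past the hunk.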
Index: ip_fil.c
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ip_fil.c,v
retrieving revision 1.2.2.11
diff -c -r1.2.2.11 ip_fil.c
*** ip_fil.c 26 Oct 2007 05:33:53 -0000 1.2.2.11
--- ip_fil.c 24 Jul 2008 09:28:36 -0000
***************
*** 799,801 ****
--- 799,816 ----
{
return 0;
}
+
+
+ u_32_t ipf_random()
+ {
+ static int seeded = 0;
+
+ /*
+ * Choose a non-random seed so that "randomness" can be "tested."
+ */
+ if (seeded == 0) {
+ srand(0);
+ seeded = 1;
+ }
+ return rand();
+ }
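Review bot: `u_32_t ipf_random()` is an old-style definition while the declaration this patch adds to ip_fil.h is `__P((void))`; write `u_32_t ipf_random(void)` here as well. The fixed `srand(0)` seed is deliberate for reproducible regression output, but nothing in the code says this file must stay out of kernel builds; extend the comment to say this is the userland (ipftest) stand-in and never a security-quality generator, and note that `rand()`'s low-order bits are weak on some libcs, which only matters if anyone reuses the stub.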
Index: ip_fil.h
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ip_fil.h,v
retrieving revision 1.2.2.16
diff -c -r1.2.2.16 ip_fil.h
*** ip_fil.h 9 Apr 2008 10:54:35 -0000 1.2.2.16
--- ip_fil.h 24 Jul 2008 09:28:37 -0000
***************
*** 1522,1527 ****
--- 1522,1533 ----
extern int ipf_deltoken __P((int,int, void *));
extern int ipfsync __P((void));
extern int ipf_genericiter __P((void *, int, void *));
+ #ifndef ipf_random
+ extern u_32_t ipf_random __P((void));
+ #endif
+ #ifdef NEED_LOCAL_RAND
+ extern void ipf_rand_push __P((void *, int));
+ #endif
extern int fr_running;
extern u_long fr_frouteok[2];
Index: ip_nat.c
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.c,v
retrieving revision 1.2.2.36
diff -c -r1.2.2.36 ip_nat.c
*** ip_nat.c 9 Jun 2008 10:58:09 -0000 1.2.2.36
--- ip_nat.c 24 Jul 2008 09:28:44 -0000
***************
*** 1675,1680 ****
--- 1675,1683 ----
if (logtype != 0 && nat_logging != 0)
nat_log(nat, logtype);
+ #if defined(NEED_LOCAL_RAND) && defined(_KERNEL)
+ ipf_rand_push(nat, sizeof(*nat));
+ #endif
/*
* Take it as a general indication that all the pointers are set if
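Review bot: `ipf_rand_push(nat, sizeof(*nat))` feeds the NAT entry itself — addresses, ports and timers that the remote peer chose or can observe — into the pool, so it should be treated as stirring rather than as entropy; with the local arc4random.c, what ends up in the pot after MD5Update is `md5ctx.buf`, and if that member is the raw input block then peer-influenced bytes reach the RC4 key more or less directly. A comment on the call such as `/* stir only: nat contents are peer-observable, not secret */` would keep it from being counted as entropy later. The enclosing function continues outside the hunk.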
***************
*** 2025,2031 ****
/*
* Standard port translation. Select next port.
*/
! port = htons(np->in_pnext++);
if (np->in_pnext > ntohs(np->in_pmax)) {
np->in_pnext = ntohs(np->in_pmin);
--- 2028,2040 ----
/*
* Standard port translation. Select next port.
*/
! if (np->in_flags & IPN_SEQUENTIAL) {
! port = htons(np->in_pnext);
! } else {
! port = ipf_random() % (ntohs(np->in_pmax) -
! ntohs(np->in_pmin));
! }
! np->in_pnext++;
if (np->in_pnext > ntohs(np->in_pmax)) {
np->in_pnext = ntohs(np->in_pmin);
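Review bot: The random branch `port = ipf_random() % (ntohs(np->in_pmax) - ntohs(np->in_pmin));` neither adds `ntohs(np->in_pmin)` back nor passes the result through `htons()`, while the sequential branch and the replaced line `port = htons(np->in_pnext++)` both yield a network-order port inside the configured range; unless code outside the hunk rebases it, the default random path picks a host-order value in 0..(pmax-pmin-1), i.e. outside the portmap range (port 0 and low ports included for a 10000:20000 map). The divisor is also zero for a single-port map (pmin == pmax) and the range excludes pmax itself, so an inclusive range needs `+ 1`. Whether pmin > pmax can reach here depends on the parser, which is not visible in this hunk; if it can, the divisor must be guarded. The enclosing function continues outside the hunk.
```c
	} else {
		u_short pmin = ntohs(np->in_pmin), pmax = ntohs(np->in_pmax);

		/* Inclusive range; pmax >= pmin is assumed (parser-enforced?). */
		port = htons(pmin + (u_short)(ipf_random() % (pmax - pmin + 1)));
	}
```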
***************
*** 3789,3795 ****
READ_ENTER(&ipf_nat);
! if ((fin->fin_p == IPPROTO_ICMP) && !(nflags & IPN_ICMPQUERY) &&
(nat = nat_icmperror(fin, &nflags, NAT_OUTBOUND)))
/*EMPTY*/;
else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
--- 3798,3804 ----
READ_ENTER(&ipf_nat);
! if (((fin->fin_flx & FI_ICMPERR) != 0) &&
(nat = nat_icmperror(fin, &nflags, NAT_OUTBOUND)))
/*EMPTY*/;
else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
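Review bot: Replacing `(fin->fin_p == IPPROTO_ICMP) && !(nflags & IPN_ICMPQUERY)` with `((fin->fin_flx & FI_ICMPERR) != 0)` changes which packets reach nat_icmperror() and has nothing to do with source-port randomisation; it belongs in a separate change with its own description, and the identical edit appears in the inbound hunk below. Presumably FI_ICMPERR is set by the packet classifier only for ICMP error types, which would make the new test at least as strict as the old one, but that is not visible here; a comment on the line, e.g. `/* FI_ICMPERR: only ICMP errors carry an embedded header to translate */`, would state the assumption. The enclosing function continues outside the hunk.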
***************
*** 4102,4108 ****
READ_ENTER(&ipf_nat);
! if ((fin->fin_p == IPPROTO_ICMP) && !(nflags & IPN_ICMPQUERY) &&
(nat = nat_icmperror(fin, &nflags, NAT_INBOUND)))
/*EMPTY*/;
else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
--- 4111,4117 ----
READ_ENTER(&ipf_nat);
! if (((fin->fin_flx & FI_ICMPERR) != 0) &&
(nat = nat_icmperror(fin, &nflags, NAT_INBOUND)))
/*EMPTY*/;
else if ((fin->fin_flx & FI_FRAG) && (nat = fr_nat_knownfrag(fin)))
Index: ip_nat.h
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ip_nat.h,v
retrieving revision 1.2.2.10
diff -c -r1.2.2.10 ip_nat.h
*** ip_nat.h 25 Sep 2007 08:29:31 -0000 1.2.2.10
--- ip_nat.h 24 Jul 2008 09:28:44 -0000
***************
*** 253,261 ****
#define IPN_FIXEDDPORT 0x200000
#define IPN_FINDFORWARD 0x400000
#define IPN_IN 0x800000
#define IPN_USERFLAGS
(IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|\
! IPN_FRAG|IPN_STICKY|IPN_FIXEDDPORT|IPN_ICMPQUERY)
/*
* Values for in_redir
--- 253,263 ----
#define IPN_FIXEDDPORT 0x200000
#define IPN_FINDFORWARD 0x400000
#define IPN_IN 0x800000
+ #define IPN_SEQUENTIAL 0x1000000
#define IPN_USERFLAGS
(IPN_TCPUDP|IPN_AUTOPORTMAP|IPN_IPRANGE|IPN_SPLIT|\
IPN_ROUNDR|IPN_FILTER|IPN_NOTSRC|IPN_NOTDST|\
! IPN_FRAG|IPN_STICKY|IPN_FIXEDDPORT|IPN_ICMPQUERY|\
! IPN_SEQUENTIAL)
/*
* Values for in_redir
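Review bot: `IPN_SEQUENTIAL` is added without a comment, and its meaning is not obvious from the name alone: set by `portmap ... sequential` in ipnat, it makes port allocation walk in_pnext in order, and its absence now selects the random allocation this patch makes the default. Suggest `#define IPN_SEQUENTIAL 0x1000000 /* portmap: allocate ports in order, not randomly */`. Adding it to IPN_USERFLAGS is what lets ipnat set it; check that 0x1000000 is not already taken by a flag defined outside this hunk.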
Index: ip_state.c
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ip_state.c,v
retrieving revision 1.2.2.30
diff -c -r1.2.2.30 ip_state.c
*** ip_state.c 9 Jun 2008 10:58:09 -0000 1.2.2.30
--- ip_state.c 24 Jul 2008 09:28:49 -0000
***************
*** 199,204 ****
--- 199,207 ----
/* ------------------------------------------------------------------------ */
int fr_stateinit()
{
+ #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
+ struct timeval tv;
+ #endif
int i;
KMALLOCS(ips_table, ipstate_t **, fr_statesize * sizeof(ipstate_t *));
***************
*** 209,228 ****
KMALLOCS(ips_seed, u_long *, fr_statesize * sizeof(*ips_seed));
if (ips_seed == NULL)
return -2;
for (i = 0; i < fr_statesize; i++) {
/*
* XXX - ips_seed[X] should be a random number of sorts.
*/
! #if (__FreeBSD_version >= 400000)
ips_seed[i] = arc4random();
#else
ips_seed[i] = ((u_long)ips_seed + i) * fr_statesize;
! ips_seed[i] ^= 0xa5a55a5a;
ips_seed[i] *= (u_long)ips_seed;
ips_seed[i] ^= 0x5a5aa5a5;
ips_seed[i] *= fr_statemax;
#endif
}
/* fill icmp reply type table */
for (i = 0; i <= ICMP_MAXTYPE; i++)
--- 212,238 ----
KMALLOCS(ips_seed, u_long *, fr_statesize * sizeof(*ips_seed));
if (ips_seed == NULL)
return -2;
+ #if defined(NEED_LOCAL_RAND) || !defined(_KERNEL)
+ tv.tv_sec = 0;
+ GETKTIME(&tv);
+ #endif
for (i = 0; i < fr_statesize; i++) {
/*
* XXX - ips_seed[X] should be a random number of sorts.
*/
! #if !defined(NEED_LOCAL_RAND) && defined(_KERNEL)
ips_seed[i] = arc4random();
#else
ips_seed[i] = ((u_long)ips_seed + i) * fr_statesize;
! ips_seed[i] += tv.tv_sec;
ips_seed[i] *= (u_long)ips_seed;
ips_seed[i] ^= 0x5a5aa5a5;
ips_seed[i] *= fr_statemax;
#endif
}
+ #if defined(NEED_LOCAL_RAND) && defined(_KERNEL)
+ ipf_rand_push(ips_seed, fr_statesize * sizeof(*ips_seed));
+ #endif
/* fill icmp reply type table */
for (i = 0; i <= ICMP_MAXTYPE; i++)
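Review bot: In the `NEED_LOCAL_RAND`/userland branch every ips_seed[i] is a function of only the ips_seed heap address, the index, fr_statesize, fr_statemax and `tv.tv_sec`, so all seeds are derivable from one leaked pointer plus the time in seconds; swapping the constant XOR for `ips_seed[i] += tv.tv_sec;` is an improvement but not randomness. The same values are then handed to `ipf_rand_push(ips_seed, ...)`, so they add no unpredictability to the pool either. If GETKTIME fills tv_usec on these platforms, folding it in is cheap (`ips_seed[i] += tv.tv_sec ^ tv.tv_usec;`), and a comment explaining that `ipf_random()` cannot be used here because the pool is still empty at init (ipf_read_random returns 0) would justify keeping the hand-rolled mix. fr_stateinit continues outside the hunk.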
***************
*** 3227,3232 ****
--- 3237,3246 ----
(void) fr_derefrule(&is->is_rule);
}
+ #if defined(NEED_LOCAL_RAND) && defined(_KERNEL)
+ ipf_rand_push(is, sizeof(*is));
+ #endif
+
MUTEX_DESTROY(&is->is_lock);
KFREE(is);
ips_num--;
Index: SunOS5/Makefile
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/SunOS5/Makefile,v
retrieving revision 1.2.2.7
diff -c -r1.2.2.7 Makefile
*** SunOS5/Makefile 25 Oct 2007 09:29:32 -0000 1.2.2.7
--- SunOS5/Makefile 24 Jul 2008 09:28:50 -0000
***************
*** 81,87 ****
MODOBJS=$(OBJ)/ip_fil.o $(OBJ)/fil.o $(OBJ)/solaris.o $(OBJ)/ip_state.o \
$(OBJ)/ip_frag.o $(OBJ)/ip_nat.o $(OBJ)/ip_proxy.o $(OBJ)/ip_auth.o \
$(OBJ)/ip_pool.o $(OBJ)/ip_htable.o $(OBJ)/ip_lookup.o $(OBJ)/ip_log.o \
! $(OBJ)/ip_scan.o $(OBJ)/ip_sync.o $(OBJ)/radix.o $(OBJ)/md5.o $(BPFILTER)
# $(OBJ)/ip_trafcon.o
IPF=$(OBJ)/ipf.o $(OBJ)/ipfcomp.o $(OBJ)/ipf_y.o $(OBJ)/ipf_l.o
IPT=$(OBJ)/ipftest.o $(OBJ)/ip_fil_u.o $(OBJ)/ip_state_u.o \
--- 81,88 ----
MODOBJS=$(OBJ)/ip_fil.o $(OBJ)/fil.o $(OBJ)/solaris.o $(OBJ)/ip_state.o \
$(OBJ)/ip_frag.o $(OBJ)/ip_nat.o $(OBJ)/ip_proxy.o $(OBJ)/ip_auth.o \
$(OBJ)/ip_pool.o $(OBJ)/ip_htable.o $(OBJ)/ip_lookup.o $(OBJ)/ip_log.o \
! $(OBJ)/ip_scan.o $(OBJ)/ip_sync.o $(OBJ)/radix.o $(OBJ)/md5.o \
! $(OBJ)/arc4random.o $(BPFILTER)
# $(OBJ)/ip_trafcon.o
IPF=$(OBJ)/ipf.o $(OBJ)/ipfcomp.o $(OBJ)/ipf_y.o $(OBJ)/ipf_l.o
IPT=$(OBJ)/ipftest.o $(OBJ)/ip_fil_u.o $(OBJ)/ip_state_u.o \
***************
*** 239,244 ****
--- 240,248 ----
$(OBJ)/md5.o: $(TOP)/md5.c $(TOP)/md5.h
$(CC) -I. -I$(TOP) $(DFLAGS) -c $(TOP)/md5.c -o $@
+ $(OBJ)/arc4random.o: $(TOP)/arc4random.c
+ $(CC) -I. -I$(TOP) $(DFLAGS) -DNEED_LOCAL_RAND=1 -c $(TOP)/arc4random.c
-o $@
+
$(OBJ)/radix.o: $(TOP)/md5.c $(TOP)/radix_ipf.h radix_ipf_local.h
$(CC) -I. -I$(TOP) $(DFLAGS) -c $(TOP)/radix.c -o $@
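Review bot: The new `$(OBJ)/arc4random.o` rule depends only on `$(TOP)/arc4random.c`, although arc4random.c also includes md5.h and netinet/ip_compat.h; the neighbouring md5.o rule lists `$(TOP)/md5.h`, so for consistency use at least `$(OBJ)/arc4random.o: $(TOP)/arc4random.c $(TOP)/md5.h`. `-DNEED_LOCAL_RAND=1` duplicates the `# define NEED_LOCAL_RAND 1` that ip_compat.h already supplies for the Solaris kernel build; an identical redefinition is harmless, but a short comment would stop someone removing one and wondering about the other.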
Index: ipsend/iptests.c
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ipsend/iptests.c,v
retrieving revision 1.2.2.8
diff -c -r1.2.2.8 iptests.c
*** ipsend/iptests.c 26 Oct 2007 05:33:55 -0000 1.2.2.8
--- ipsend/iptests.c 24 Jul 2008 09:28:52 -0000
***************
*** 22,27 ****
--- 22,28 ----
#if !defined(__osf__)
# ifdef __NetBSD__
# include <machine/lock.h>
+ # include <machine/mutex.h>
# endif
# define _KERNEL
# define KERNEL
Index: ipsend/sock.c
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/ipsend/sock.c,v
retrieving revision 1.2.2.8
diff -c -r1.2.2.8 sock.c
*** ipsend/sock.c 26 Oct 2007 05:33:56 -0000 1.2.2.8
--- ipsend/sock.c 24 Jul 2008 09:28:52 -0000
***************
*** 31,36 ****
--- 31,37 ----
#if !defined(__osf__)
# ifdef __NetBSD__
# include <machine/lock.h>
+ # include <machine/mutex.h>
# endif
# define _KERNEL
# define KERNEL
Index: lib/printnat.c
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/lib/printnat.c,v
retrieving revision 1.1.3.1.2.7
diff -c -r1.1.3.1.2.7 printnat.c
*** lib/printnat.c 26 Oct 2007 05:34:00 -0000 1.1.3.1.2.7
--- lib/printnat.c 24 Jul 2008 09:28:53 -0000
***************
*** 215,220 ****
--- 215,222 ----
putchar(' ');
printproto(pr, np->in_p, np);
}
+ if (np->in_flags & IPN_SEQUENTIAL)
+ printf(" sequential");
printf("\n");
if (opts & OPT_DEBUG) {
struct in_addr nip;
Index: test/regress/n12
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/test/regress/n12,v
retrieving revision 1.1.5.1.2.2
diff -c -r1.1.5.1.2.2 n12
*** test/regress/n12 15 Jun 2006 18:00:59 -0000 1.1.5.1.2.2
--- test/regress/n12 24 Jul 2008 09:28:54 -0000
***************
*** 1 ****
! map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000
--- 1 ----
! map le0 192.168.126.0/24 -> 0/32 portmap tcp/udp 10000:20000 sequential
Index: test/regress/n2
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/test/regress/n2,v
retrieving revision 1.1.1.1
diff -c -r1.1.1.1 n2
*** test/regress/n2 15 Jun 2006 16:06:55 -0000 1.1.1.1
--- test/regress/n2 24 Jul 2008 09:28:54 -0000
***************
*** 1,4 ****
! map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
! map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
--- 1,4 ----
! map zx0 10.1.1.1/32 -> 10.2.2.2/32 portmap tcp 10000:20000 sequential
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000 sequential
! map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000 sequential
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001 sequential
Index: test/regress/n5
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/test/regress/n5,v
retrieving revision 1.1.3.1
diff -c -r1.1.3.1 n5
*** test/regress/n5 15 Jun 2006 16:16:56 -0000 1.1.3.1
--- test/regress/n5 24 Jul 2008 09:28:54 -0000
***************
*** 1,6 ****
map zx0 10.1.1.1/32 -> 10.2.2.2/32
map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000
! map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001
--- 1,6 ----
map zx0 10.1.1.1/32 -> 10.2.2.2/32
map zx0 from 10.1.1.0/24 to 10.1.0.0/16 -> 10.3.4.5/32
map zx0 from 10.1.1.0/24 ! to 10.1.0.0/16 -> 10.3.4.0/24
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap udp 10000:20000 sequential
! map zx0 10.1.0.0/16 -> 10.3.4.0/24 portmap tcp/udp 10000:20000 sequential
! map zx0 10.1.1.0/24 -> 10.3.4.5/32 portmap tcp/udp 40000:40001 sequential
Index: test/regress/ni1.nat
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/test/regress/ni1.nat,v
retrieving revision 1.1.3.1.2.3
diff -c -r1.1.3.1.2.3 ni1.nat
*** test/regress/ni1.nat 21 Aug 2007 15:22:19 -0000 1.1.3.1.2.3
--- test/regress/ni1.nat 24 Jul 2008 09:28:54 -0000
***************
*** 1,3 ****
! map df0 from 2.2.2.2/32 port 20000 >< 25000 to any -> 6.6.6.8/32 portmap udp
2000:2500
! map df0 from 2.2.2.2/32 port 2000 >< 2500 to any -> 6.6.6.7/32 portmap udp
20000:25000
map df0 from 2.2.2.2/32 to any -> 6.6.6.6/32
--- 1,3 ----
! map df0 from 2.2.2.2/32 port 20000 >< 25000 to any -> 6.6.6.8/32 portmap udp
2000:2500 sequential
! map df0 from 2.2.2.2/32 port 2000 >< 2500 to any -> 6.6.6.7/32 portmap udp
20000:25000 sequential
map df0 from 2.2.2.2/32 to any -> 6.6.6.6/32
Index: test/regress/ni2.nat
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/test/regress/ni2.nat,v
retrieving revision 1.1.3.1
diff -c -r1.1.3.1 ni2.nat
*** test/regress/ni2.nat 15 Jun 2006 16:16:56 -0000 1.1.3.1
--- test/regress/ni2.nat 24 Jul 2008 09:28:54 -0000
***************
*** 1 ****
! map xl0 10.0.0.0/8 -> 1.1.1.1/32 portmap tcp/udp 40000:60000
--- 1 ----
! map xl0 10.0.0.0/8 -> 1.1.1.1/32 portmap tcp/udp 40000:60000 sequential
Index: test/regress/ni4.nat
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/test/regress/ni4.nat,v
retrieving revision 1.1.3.1
diff -c -r1.1.3.1 ni4.nat
*** test/regress/ni4.nat 15 Jun 2006 16:16:56 -0000 1.1.3.1
--- test/regress/ni4.nat 24 Jul 2008 09:28:54 -0000
***************
*** 1 ****
! map df0 2.2.2.2/32 -> 6.6.6.6/32 portmap tcp/udp 40000:60000
--- 1 ----
! map df0 2.2.2.2/32 -> 6.6.6.6/32 portmap tcp/udp 40000:60000 sequential
Index: tools/ipnat_y.y
===================================================================
RCS file: /cvsroot/ipfilter/ipfilter/tools/ipnat_y.y,v
retrieving revision 1.1.3.1.2.7
diff -c -r1.1.3.1.2.7 ipnat_y.y
*** tools/ipnat_y.y 25 Oct 2007 09:29:36 -0000 1.1.3.1.2.7
--- tools/ipnat_y.y 24 Jul 2008 09:28:54 -0000
***************
*** 93,99 ****
%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP
IPNY_ANY
%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
! %token IPNY_TLATE
%type <port> portspec
%type <num> hexnumber compare range proto
%type <ipa> hostname ipv4
--- 93,99 ----
%token IPNY_MAP IPNY_BIMAP IPNY_FROM IPNY_TO IPNY_MASK IPNY_PORTMAP
IPNY_ANY
%token IPNY_ROUNDROBIN IPNY_FRAG IPNY_AGE IPNY_ICMPIDMAP IPNY_PROXY
%token IPNY_TCP IPNY_UDP IPNY_TCPUDP IPNY_STICKY IPNY_MSSCLAMP IPNY_TAG
! %token IPNY_TLATE IPNY_SEQUENTIAL
%type <port> portspec
%type <num> hexnumber compare range proto
%type <ipa> hostname ipv4
***************
*** 420,430 ****
;
mapport:
! IPNY_PORTMAP tcpudp portspec ':' portspec
{ nat->in_pmin = htons($3);
nat->in_pmax = htons($5);
}
! | IPNY_PORTMAP tcpudp IPNY_AUTO
{ nat->in_flags |= IPN_AUTOPORTMAP;
nat->in_pmin = htons(1024);
nat->in_pmax = htons(65535);
--- 420,430 ----
;
mapport:
! IPNY_PORTMAP tcpudp portspec ':' portspec randport
{ nat->in_pmin = htons($3);
nat->in_pmax = htons($5);
}
! | IPNY_PORTMAP tcpudp IPNY_AUTO randport
{ nat->in_flags |= IPN_AUTOPORTMAP;
nat->in_pmin = htons(1024);
nat->in_pmax = htons(65535);
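Review bot: `IPNY_PORTMAP tcpudp portspec ':' portspec randport` stores in_pmin and in_pmax without checking that `$3 <= $5`; the kernel now divides by `pmax - pmin` for the default random allocation, so a reversed range should be rejected here rather than reach the kernel, e.g. `if ($3 > $5) yyerror("portmap range reversed");` using whatever error path this grammar normally takes. That check was not needed while ports were simply incremented. The enclosing grammar continues outside the hunk.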
***************
*** 444,449 ****
--- 444,453 ----
}
;
+ randport:
+ | IPNY_SEQUENTIAL { nat->in_flags |= IPN_SEQUENTIAL; }
+ ;
+
sobject:
saddr
| saddr port portstuff { nat->in_sport = $3.p1;
***************
*** 517,522 ****
--- 521,527 ----
nattag: | IPNY_TAG YY_STR { strncpy(nat->in_tag.ipt_tag,
$2,
sizeof(nat->in_tag.ipt_tag));
}
+
rr: | IPNY_ROUNDROBIN { nat->in_flags |= IPN_ROUNDR; }
;
***************
*** 645,650 ****
--- 650,656 ----
{ "range", IPNY_RANGE },
{ "rdr", IPNY_RDR },
{ "round-robin",IPNY_ROUNDROBIN },
+ { "sequential", IPNY_SEQUENTIAL },
{ "sticky", IPNY_STICKY },
{ "tag", IPNY_TAG },
{ "tcp", IPNY_TCP },
