netfilter: nf_nat: add full port randomization support

[~andy/linux] / net / netfilter / nf_nat_proto_common.c

diff --git a/net/netfilter/nf_nat_proto_common.c b/net/netfilter/nf_nat_proto_common.c
index 9baaf734c1421e4e1334a5aed777af7d8ee9d9d1..83a72a235cae7c6b9ee3c97dcabb8629fe6e7008 100644 (file)
--- a/net/netfilter/nf_nat_proto_common.c
+++ b/net/netfilter/nf_nat_proto_common.c
@@ -74,22 +74,24 @@ void nf_nat_l4proto_unique_tuple(const struct nf_nat_l3proto *l3proto,
                range_size = ntohs(range->max_proto.all) - min + 1;
        }
 
-       if (range->flags & NF_NAT_RANGE_PROTO_RANDOM)
+       if (range->flags & NF_NAT_RANGE_PROTO_RANDOM) {
                off = l3proto->secure_port(tuple, maniptype == NF_NAT_MANIP_SRC
                                                  ? tuple->dst.u.all
                                                  : tuple->src.u.all);
-       else
+       } else if (range->flags & NF_NAT_RANGE_PROTO_RANDOM_FULLY) {
+               off = prandom_u32();
+       } else {
                off = *rover;
+       }
 
        for (i = 0; ; ++off) {
                *portptr = htons(min + off % range_size);
                if (++i != range_size && nf_nat_used_tuple(tuple, ct))
                        continue;
-               if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM))
+               if (!(range->flags & NF_NAT_RANGE_PROTO_RANDOM_ALL))
                        *rover = off;
                return;
        }
-       return;
 }
 EXPORT_SYMBOL_GPL(nf_nat_l4proto_unique_tuple);