Re: [PATCH] netfilter : add NAT support for shifted portmap ranges

On Wed, Dec 20, 2017 at 01:28:09PM +0100, Thierry Du Tre wrote:
> This is a patch proposal to support shifted ranges in portmaps.
> (i.e. tcp/udp incoming port 5000-5100 on WAN redirected to LAN
> 192.168.1.5:2000-2100)
> 
> Currently DNAT only works for single port or identical port ranges.
> (i.e. ports 5000-5100 on WAN interface redirected to a LAN host while
> original destination port is not altered)
> When different port ranges are configured, either 'random' mode should be
> used, or else all incoming connections are mapped onto the first port in the
> redirect range. (in described example WAN:5000-5100 will all be mapped to
> 192.168.1.5:2000)

This behaviour you describe above also applies to the current
portmapping we do, right?

One more comment below.

> This patch introduces a new mode indicated by flag NF_NAT_RANGE_PROTO_OFFSET
> which uses a base port value to calculate an offset with the destination
> port present in the incoming stream. That offset is then applied as index
> within the redirect port range (index modulo rangewidth to handle range
> overflow).
> 
> In described example the base port would be 5000. An incoming stream with
> destination port 5004 would result in an offset value 4 which means that the
> NAT'ed stream will be using destination port 2004.
> 
> Other possibilities include deterministic mapping of larger or multiple
> ranges to a smaller range: WAN:5000-5999 -> LAN:5000-5099 (maps WAN port
> 5*xx to port 51xx)
> 
> This patch does not change any current behavior. It just adds new NAT proto
> range functionality which must be selected via the specific flag when its
> use is intended.
> 
> A patch for iptables (libipt_DNAT.c) will also be proposed which makes this
> functionality immediately available.
> 
> Signed-off-by: Thierry Du Tre <thierry@xxxxxxxxxxxx>
> 
> ---
>  include/uapi/linux/netfilter/nf_nat.h | 5 ++++-
>  net/netfilter/nf_nat_core.c           | 7 ++++---
>  net/netfilter/nf_nat_proto_common.c   | 5 ++++-
>  net/netfilter/xt_nat.c                | 1 +
>  4 files changed, 13 insertions(+), 5 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_nat.h
> b/include/uapi/linux/netfilter/nf_nat.h
> index a33000d..5b3952b 100644
> --- a/include/uapi/linux/netfilter/nf_nat.h
> +++ b/include/uapi/linux/netfilter/nf_nat.h
> @@ -10,6 +10,7 @@
>  #define NF_NAT_RANGE_PROTO_RANDOM		(1 << 2)
>  #define NF_NAT_RANGE_PERSISTENT			(1 << 3)
>  #define NF_NAT_RANGE_PROTO_RANDOM_FULLY		(1 << 4)
> +#define NF_NAT_RANGE_PROTO_OFFSET		(1 << 5)
> 
>  #define NF_NAT_RANGE_PROTO_RANDOM_ALL		\
>  	(NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PROTO_RANDOM_FULLY)
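Review bot: NF_NAT_RANGE_PROTO_OFFSET is added to the UAPI header without any comment, so nothing here tells a userspace author that the flag only has meaning together with the new `base` field or how the offset is derived from it. Since this file is the contract with iptables, a one-line comment above the define, e.g. `/* map (dport - base) as an index into [min, max] */`, would make the semantics clear without having to read nf_nat_proto_common.c.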
> @@ -17,7 +18,7 @@
>  #define NF_NAT_RANGE_MASK					\
>  	(NF_NAT_RANGE_MAP_IPS | NF_NAT_RANGE_PROTO_SPECIFIED |	\
>  	 NF_NAT_RANGE_PROTO_RANDOM | NF_NAT_RANGE_PERSISTENT |	\
> -	 NF_NAT_RANGE_PROTO_RANDOM_FULLY)
> +	 NF_NAT_RANGE_PROTO_RANDOM_FULLY | NF_NAT_RANGE_PROTO_OFFSET)
> 
>  struct nf_nat_ipv4_range {
>  	unsigned int			flags;
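Review bot: adding NF_NAT_RANGE_PROTO_OFFSET to NF_NAT_RANGE_MASK makes the flag pass the generic flags check for every caller that validates against this mask, including callers whose range structure carries no `base` value at all. Such a caller could set the flag and have the kernel compute offsets from a `base` it never supplied; the flag should only be accepted on paths where the extended structure is actually available, and rejected with -EINVAL elsewhere.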
> @@ -25,6 +26,7 @@ struct nf_nat_ipv4_range {
>  	__be32				max_ip;
>  	union nf_conntrack_man_proto	min;
>  	union nf_conntrack_man_proto	max;
> +	union nf_conntrack_man_proto	base;
>  };
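Review bot: `base` grows struct nf_nat_ipv4_range, which is UAPI and is embedded in the target data that existing iptables binaries hand to xt_nat, so the size the kernel expects for that target no longer matches what already-deployed userspace sends. This needs a new xt_nat revision that carries the extended layout while the existing revision keeps the old one. A comment on the new member stating that it is only consulted when NF_NAT_RANGE_PROTO_OFFSET is set, and ignored otherwise, would also help.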

This one is exposed to userspace, therefore, this will break backward
compatibility in iptables.

You will need to add a revision in xt_nat, and some compat code all
over the place.
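As an added worked example (not code from the patch, from iptables or from the kernel), the port mapping the patch description defines, modelled in user space so the arithmetic can be checked; the struct and function names are ours, and the handling of a destination port below `base` is our reading of "index modulo rangewidth", which the quoted text does not spell out.

```c
/* Added example, not part of the patch: a user-space model of the
 * NF_NAT_RANGE_PROTO_OFFSET mapping described in the patch text.
 * Names are ours; the kernel's representation differs. */
#include <stdint.h>
#include <stdio.h>

struct offset_range {
	uint16_t min_port;  /* first port of the redirect range, e.g. 2000 */
	uint16_t max_port;  /* last port of the redirect range, e.g. 2100 */
	uint16_t base_port; /* WAN port that maps onto min_port, e.g. 5000 */
};

/* Number of ports in the redirect range (always at least 1). */
static uint32_t offset_range_width(const struct offset_range *r)
{
	return (uint32_t)r->max_port - r->min_port + 1;
}

/* True when dport lies in the WAN window [base, base + width - 1] the
 * description assumes. Ports outside the window are still mapped (see
 * offset_map_port), so the matching rule should restrict --dport to it. */
int offset_dport_in_window(const struct offset_range *r, uint16_t dport)
{
	uint32_t d = dport, b = r->base_port;
	return d >= b && d - b < offset_range_width(r);
}

/* index = (dport - base) mod width; result = min + index.
 * The subtraction is 16-bit unsigned, so a dport below base wraps to a
 * large offset and the modulo still yields a port inside [min, max]. */
uint16_t offset_map_port(const struct offset_range *r, uint16_t dport)
{
	uint16_t off = (uint16_t)(dport - r->base_port);
	return (uint16_t)(r->min_port + off % offset_range_width(r));
}

int main(void)
{
	/* Constructed sample: the WAN:5000-5100 -> LAN:2000-2100 case. */
	struct offset_range r = { .min_port = 2000, .max_port = 2100, .base_port = 5000 };
	uint16_t ports[] = { 5000, 5004, 5100, 5101, 4999 };

	for (size_t i = 0; i < sizeof ports / sizeof ports[0]; i++)
		printf("dport %u -> %u%s\n", ports[i], offset_map_port(&r, ports[i]),
		       offset_dport_in_window(&r, ports[i]) ? "" : "  (outside WAN window)");
	return 0;
}
```

The last two sample ports show why the rule's match range matters: 5101 wraps back onto 2000 and 4999 lands on an arbitrary port inside the range instead of being rejected.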