分类: LINUX
2006-12-19 22:25:30
294 unsigned int 295 ip_nat_setup_info(struct ip_conntrack *conntrack, 296 const struct ip_nat_range *range, 297 unsigned int hooknum) 298 { 299 struct ip_conntrack_tuple curr_tuple, new_tuple; 300 struct ip_nat_info *info = &conntrack->nat.info; 301 int have_to_hash = !(conntrack->status & IPS_NAT_DONE_MASK); 302 enum ip_nat_manip_type maniptype = HOOK2MANIP(hooknum); 303 304 IP_NF_ASSERT(hooknum == NF_IP_PRE_ROUTING 305 || hooknum == NF_IP_POST_ROUTING 306 || hooknum == NF_IP_LOCAL_IN 307 || hooknum == NF_IP_LOCAL_OUT); 308 BUG_ON(ip_nat_initialized(conntrack, maniptype)); 309 310 /* What we've got will look like inverse of reply. Normally 311 this is what is in the conntrack, except for prior 312 manipulations (future optimization: if num_manips == 0, 313 orig_tp = 314 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple) */ 315 invert_tuplepr(&curr_tuple, 316 &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple); 317 318 get_unique_tuple(&new_tuple, &curr_tuple, range, conntrack, maniptype); 319 |
246 static void 247 get_unique_tuple(struct ip_conntrack_tuple *tuple, 248 const struct ip_conntrack_tuple *orig_tuple, 249 const struct ip_nat_range *range, 250 struct ip_conntrack *conntrack, 251 enum ip_nat_manip_type maniptype) 252 { 253 struct ip_nat_protocol *proto; 254 255 /* 1) If this srcip/proto/src-proto-part is currently mapped, 256 and that same mapping gives a unique tuple within the given 257 range, use that. 258 259 This is only required for source (ie. NAT/masq) mappings. 260 So far, we don't do local source mappings, so multiple 261 manips not an issue. */ 262 if (maniptype == IP_NAT_MANIP_SRC) { 263 if (find_appropriate_src(orig_tuple, tuple, range)) { 264 DEBUGP("get_unique_tuple: Found current src map\n"); 265 if (!ip_nat_used_tuple(tuple, conntrack)) 266 return; 267 } 268 } |
269 270 /* 2) Select the least-used IP/proto combination in the given 271 range. */ 272 *tuple = *orig_tuple; 273 find_best_ips_proto(tuple, range, conntrack, maniptype); |
228 /* Hashing source and destination IPs gives a fairly even 229 * spread in practice (if there are a small number of IPs 230 * involved, there usually aren't that many connections 231 * anyway). The consistency means that servers see the same 232 * client coming from the same IP (some Internet Banking sites 233 * like this), even across reboots. */ 234 minip = ntohl(range->min_ip); 235 maxip = ntohl(range->max_ip); 236 j = jhash_2words(tuple->src.ip, tuple->dst.ip, 0); 237 *var_ipp = htonl(minip + j % (maxip - minip + 1)); |
274 275 /* 3) The per-protocol part of the manip is made to map into 276 the range to make a unique tuple. */ 277 278 proto = ip_nat_proto_find_get(orig_tuple->dst.protonum); 279 280 /* Only bother mapping if it's not already in range and unique */ 281 if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) 282 || proto->in_range(tuple, maniptype, &range->min, &range->max)) 283 && !ip_nat_used_tuple(tuple, conntrack)) { 284 ip_nat_proto_put(proto); 285 return; 286 } 287 288 /* Last change: get protocol to try to obtain unique tuple. */ 289 proto->unique_tuple(tuple, range, maniptype, conntrack); 290 291 ip_nat_proto_put(proto); 292 } |
38 static int 39 udp_unique_tuple(struct ip_conntrack_tuple *tuple, 40 const struct ip_nat_range *range, 41 enum ip_nat_manip_type maniptype, 42 const struct ip_conntrack *conntrack) 43 { 44 static u_int16_t port; 45 u_int16_t *portptr; 46 unsigned int range_size, min, i; 47 48 if (maniptype == IP_NAT_MANIP_SRC) 49 portptr = &tuple->src.u.udp.port; 50 else 51 portptr = &tuple->dst.u.udp.port; 52 53 /* If no range specified... */ 54 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { 55 /* If it's dst rewrite, can't change port */ 56 if (maniptype == IP_NAT_MANIP_DST) 57 return 0; 58 59 if (ntohs(*portptr) < 1024) { 60 /* Loose convention: >> 512 is credential passing */ 61 if (ntohs(*portptr)<512) { 62 min = 1; 63 range_size = 511 - min + 1; 64 } else { 65 min = 600; 66 range_size = 1023 - min + 1; 67 } 68 } else { 69 min = 1024; 70 range_size = 65535 - 1024 + 1; 71 } 72 } else { 73 min = ntohs(range->min.udp.port); 74 range_size = ntohs(range->max.udp.port) - min + 1; 75 } 76 77 for (i = 0; i < range_size; i++, port++) { 78 *portptr = htons(min + port % range_size); 79 if (!ip_nat_used_tuple(tuple, conntrack)) 80 return 1; 81 } 82 return 0; 83 } |