From 151b083e5cf313232d16b5a6ff19221aa0c79234 Mon Sep 17 00:00:00 2001 From: Harnish Patel Date: Mon, 23 Mar 2026 14:43:49 -0700 Subject: [PATCH 1/3] RDKB-64200 : MAPT KP Fix - hashlimit approach Reason for change: Reduced the rate of new connections by modifying the existing SNAT rules to prevent internal kernel race condition, thereby eliminating the primary trigger for system crashes. Test Procedure: Deploy on repeat offenders and monitor for SYS_ERROR_NfConnTuple Risks: Medium Priority: P1 Signed-off-by: Harnish_Patel@comcast.com Change-Id: I621e8fdf51c00ff24315a52452d4ea8f50b62075 --- source/firewall/firewall.c | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 50538050..1fe9c2b8 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -1314,9 +1314,23 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); #else - fprintf(nat_fp, "-A %s -p tcp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + if(i == a-1) + { + fprintf(nat_fp, "-A %s -p tcp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + } + else if(i > a-4) + { + fprintf(nat_fp, "-A %s -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 
45/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + } + else + { + fprintf(nat_fp, "-A %s -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + } + + fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); #endif //_HUB4_PRODUCT_REQ_NO_DPORT_ #endif //IVI_KERNEL_SUPPORT FIREWALL_DEBUG("MAPT Rule: Port range is initialPortValue=%u, finalPortValue=%u \n" COMMA initialPortValue COMMA finalPortValue); From 475c47144b1b5bcce530a8be4e4e9aa84b5b1302 Mon Sep 17 00:00:00 2001 
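Review bot: The rate policy (30/45 per second for TCP, 60/100 for UDP, bursts 60 and 100) is spread across four near-identical format strings in the new `else if (i > a-4)` and `else` branches, where the only difference between branches is two numbers; a small `static const` table of `{tcp_rate, tcp_burst, udp_rate, udp_burst}` per block class, or one helper taking the rate pair, would keep the policy auditable in one place and make the `%d` argument lists harder to get out of order. The `-m conntrack --ctstate NEW` added to these rules is, as far as I know, always true in a nat POSTROUTING chain because only a connection's first packet traverses the nat table, so it can be dropped or its purpose stated in a comment. The `if (i == a-1)` branch keeps the old connlimit-only rule with no hashlimit, which looks deliberate but deserves a one-line comment above it saying why the last block is exempt. The enclosing `for` loop and `do_mapt_rules_v4` begin before the hunk.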
From: Santosh Date: Wed, 8 Apr 2026 16:02:00 -0700 Subject: [PATCH 2/3] RDKB-64413, RDKB-64200 : Split MAPT postrouting chains by protocol Reason for change: Separate MAPT NAT postrouting rules into TCP, UDP, and ICMP chains to apply protocol-specific SNAT and hashlimit rules. This improves NAT46/MAPT handling and ensures proper rate limiting per protocol. Test Procedure: 1. Verify creation of postrouting_towan_tcp, postrouting_towan_udp, and postrouting_towan_icmp chains in iptables. 2. Confirm SNAT rules are applied correctly for TCP, UDP, and ICMP with expected port ranges and hashlimit behavior. 3. Validate connectivity for IPv4 clients behind MAPT/NAT46 setup. Change-Id: If42a964aa73e89e95928c0193e032c26f265dc4d Risks: low Signed-off-by: Santosh Nayak SantoshRamesh_Nayak@cable.comcast.com --- source/firewall/firewall.c | 62 +++++++++++++++++++++++++++++++++----- 1 file changed, 54 insertions(+), 8 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index 1fe9c2b8..ce292e09 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c @@ -473,6 +473,10 @@ char cellular_ifname[32]; #define SYSEVENT_MAPT_CONFIG_FLAG "mapt_config_flag" #define SYSEVENT_MAPT_IP_ADDRESS "mapt_ip_address" #define MAPT_NAT_IPV4_POST_ROUTING_TABLE "postrouting_towan" +#define MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP "postrouting_towan_tcp" +#define MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP "postrouting_towan_udp" +#define MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP "postrouting_towan_icmp" + #define SYSEVENT_MAPT_RATIO "mapt_ratio" #define SYSEVENT_MAPT_IPV6_ADDRESS "mapt_ipv6_address" #define SYSEVENT_MAPT_PSID_OFFSET "mapt_psid_offset" 
@@ -1187,7 +1191,11 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp)
 #if defined(IVI_KERNEL_SUPPORT)
 fprintf(nat_fp, "-A POSTROUTING -o %s -j %s\n",get_current_wan_ifname(),MAPT_NAT_IPV4_POST_ROUTING_TABLE);
 #elif defined(NAT46_KERNEL_SUPPORT) || defined (FEATURE_SUPPORT_MAPT_NAT46)
- fprintf(nat_fp, "-A POSTROUTING -o %s -j %s\n", NAT46_INTERFACE, MAPT_NAT_IPV4_POST_ROUTING_TABLE);
+ fprintf(nat_fp, "-A POSTROUTING -p tcp -m conntrack --ctstate NEW -o %s -j %s\n", NAT46_INTERFACE, MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP);
+ fprintf(nat_fp, "-A POSTROUTING -p udp -m conntrack --ctstate NEW -o %s -j %s\n", NAT46_INTERFACE, MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP);
+
+ fprintf(nat_fp, "-A POSTROUTING -p icmp -o %s -j %s\n", NAT46_INTERFACE, MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP);
+
 #endif
 #if defined(NAT46_KERNEL_SUPPORT) 
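Review bot: After this hunk the NAT46 POSTROUTING hook only jumps to the three per-protocol chains, yet `MAPT_NAT_IPV4_POST_ROUTING_TABLE` (`postrouting_towan`) is still the target of the `_HUB4_PRODUCT_REQ_NO_DPORT_` rules that appear unchanged as context in the hunk at `@@ -1316,21 +1358,21 @@`, so a build that defines both that macro and NAT46 support would write its SNAT rules into a chain nothing reaches. If such a build exists, that branch needs the same chain split, or a fallback jump kept here such as `fprintf(nat_fp, "-A POSTROUTING -o %s -j %s\n", NAT46_INTERFACE, MAPT_NAT_IPV4_POST_ROUTING_TABLE);` after the icmp jump; if it cannot exist, a comment stating that `postrouting_towan` is now IVI-only would save the next reader the same question. IPv4 protocols other than tcp/udp/icmp now bypass the MAPT chains entirely, which matches the rules those chains contain but should be said in a comment. The `-m conntrack --ctstate NEW` on the tcp/udp jumps is redundant in nat as far as I know, since only a connection's first packet traverses that table.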
@@ -1292,6 +1300,40 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) /* Start of port range parameters. */ /* create rules */ +#if defined (_XB6_PRODUCT_REQ_) + + for(i = start_i; i < a; i++) + { + for(j=0; j<(contiguous_port); j++) + { + port = (i << block_shift) + (psid << m) + j; + + if(j == 0) + initialPortValue = port; + if( j == contiguous_port - 1 ) + finalPortValue = port; + } + + if(i == a-1) + { + fprintf(nat_fp, "-A %s -p tcp -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, ipaddress_str, initialPortValue,finalPortValue); + } + else if(i > a-4) + { + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 45/second --hashlimit-burst 60 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, ipaddress_str, initialPortValue,finalPortValue); + } + else + { + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second --hashlimit-burst 100 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, ipaddress_str, initialPortValue,finalPortValue); + } + + fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d 
--connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
+ FIREWALL_DEBUG("MAPT Rule: Port range is initialPortValue=%d, finalPortValue=%d \n" COMMA initialPortValue COMMA finalPortValue);
+ }
+#endif
 for(i = start_i; i < a; i++)
 {
 for(j=0; j<(contiguous_port); j++) 
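Review bot: `--hashlimit-name mapt_tcp_%d` / `mapt_udp_%d` is now keyed by `i%5`, so blocks `i` and `i+5` share one kernel hashlimit table even when one of them falls in the `i > a-4` branch (45/second TCP, 100/second UDP) and the other in the `else` branch (30/second, 60/second); as far as I recall xt_hashlimit reuses an already-loaded table of the same name together with that table's parameters, so the rate that takes effect for a given name is whichever rule was loaded first rather than the one printed in the rule. If sharing tables across blocks is intended, key the name by rate class instead, e.g. `mapt_tcp_hi` / `mapt_tcp_lo`, and say so in a comment; if not, return to the per-block `i` used by the first patch. The same `i%5` naming is used by the hunk at `@@ -1316,21 +1358,21 @@`. The new `FIREWALL_DEBUG` prints the port values with `%d` while the existing one at the end of the function uses `%u`; pick the one matching the variables' declared type, which is outside the hunk.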
@@ -1316,21 +1358,21 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) #else if(i == a-1) { - fprintf(nat_fp, "-A %s -p tcp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p tcp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); } else if(i > a-4) { - fprintf(nat_fp, "-A %s -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 45/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d 
--hashlimit-mode srcip,dstip,dstport --hashlimit-upto 45/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); } else { - fprintf(nat_fp, "-A %s -p tcp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m conntrack --ctstate NEW -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, i, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport 
--hashlimit-upto 60/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
 }
- fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
+ fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
 #endif //_HUB4_PRODUCT_REQ_NO_DPORT_
 #endif //IVI_KERNEL_SUPPORT
 FIREWALL_DEBUG("MAPT Rule: Port range is initialPortValue=%u, finalPortValue=%u \n" COMMA initialPortValue COMMA finalPortValue);
@@ -12147,6 +12189,10 @@ static int prepare_subtables(FILE *raw_fp, FILE *mangle_fp, FILE *nat_fp, FILE *
 #endif
 fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan");
+ fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan_tcp");
+ fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan_udp");
+ fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_towan_icmp");
+
 fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_tolan");
 fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_plugins");
 fprintf(nat_fp, ":%s - [0:0]\n", "postrouting_ephemeral");
From 702c86cb2d0cb8ce33d900cc8de28cd910e959f8 Mon Sep 17 00:00:00 2001 
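Review bot: The three chain declarations added in `prepare_subtables` spell the names out as string literals (`"postrouting_towan_tcp"` and so on) although the hunk at `@@ -473,6 +473,10 @@` introduces `MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP` / `_UDP` / `_ICMP` for exactly these strings; using the macros here, e.g. `fprintf(nat_fp, ":%s - [0:0]\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP);`, keeps the chain that is declared and the chain that is jumped to from drifting apart on a later rename. The pre-existing `"postrouting_towan"` line has the same weakness but predates this change. The chains are created on every build while the jumps into them exist only under NAT46 support, which is harmless but worth a short comment. `prepare_subtables` continues on both sides of the hunk.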
From: Sivaraj Sivalingam Date: Fri, 22 May 2026 17:53:51 -0400 Subject: [PATCH 3/3] Handle offset in MAPT SNAT rule generation Add an explicit check for `offset` when emitting MAPT SNAT rules and reorganize the per-index conditional branches. Under _XB6_PRODUCT_REQ_, the loop that builds port ranges and SNAT rules is now executed only when `offset != 0`, and ICMP connlimit printing was moved inside that loop. In the alternative branch the code now checks `if (offset == 0)` to print simple connlimit rules, otherwise it uses the previous i/a-based branching (a-1, >a-4, else) to emit hashlimit+connlimit or connlimit-only rules consistently. These changes prevent incorrect/duplicate rule emission when offset is zero and clean up branch structure and formatting. --- source/firewall/firewall.c | 83 +++++++++++++++++++++----------------- 1 file changed, 47 insertions(+), 36 deletions(-) diff --git a/source/firewall/firewall.c b/source/firewall/firewall.c index ce292e09..cd7c6175 100644 --- a/source/firewall/firewall.c +++ b/source/firewall/firewall.c 
@@ -1301,37 +1301,39 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) /* Start of port range parameters. */ /* create rules */ #if defined (_XB6_PRODUCT_REQ_) - - for(i = start_i; i < a; i++) + if (offset != 0) { - for(j=0; j<(contiguous_port); j++) - { - port = (i << block_shift) + (psid << m) + j; + for(i = start_i; i < a; i++) + { + for(j = 0; j < contiguous_port; j++) + { + port = (i << block_shift) + (psid << m) + j; - if(j == 0) - initialPortValue = port; - if( j == contiguous_port - 1 ) - finalPortValue = port; - } + if (j == 0) + initialPortValue = port; + if (j == contiguous_port - 1 ) + finalPortValue = port; + } - if(i == a-1) - { - fprintf(nat_fp, "-A %s -p tcp -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, ipaddress_str, initialPortValue,finalPortValue); - } - else if(i > a-4) - { - fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 45/second --hashlimit-burst 60 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, ipaddress_str, initialPortValue,finalPortValue); - } - else - { - fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport 
--hashlimit-upto 60/second --hashlimit-burst 100 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, ipaddress_str, initialPortValue,finalPortValue); - } + if (i == a-1) + { + fprintf(nat_fp, "-A %s -p tcp -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, ipaddress_str, initialPortValue,finalPortValue); + } + else if (i > a-4) + { + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 45/second --hashlimit-burst 60 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, ipaddress_str, initialPortValue,finalPortValue); + } + else + { + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second --hashlimit-burst 100 -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, ipaddress_str, initialPortValue,finalPortValue); + } - fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - FIREWALL_DEBUG("MAPT Rule: Port range is initialPortValue=%d, 
finalPortValue=%d \n" COMMA initialPortValue COMMA finalPortValue);
+ fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue);
+ FIREWALL_DEBUG("MAPT Rule: Port range is initialPortValue=%d, finalPortValue=%d \n" COMMA initialPortValue COMMA finalPortValue);
+ }
 }
 #endif
 for(i = start_i; i < a; i++) 
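Review bot: Gating the `_XB6_PRODUCT_REQ_` loop on `offset != 0` does not stop the second `for(i = start_i; i < a; i++)` loop that begins on the context line right after `#endif` from running too, so on an XB6 build with a non-zero offset each chain receives the hashlimit-only rules from this loop and then, through the `else` path of the hunk at `@@ -1356,23 +1358,32 @@`, a second hashlimit+connlimit rule per block, unless something outside the hunk keeps XB6 out of that path. SNAT is terminating and both rule sets name the same `mapt_*_%d` tables, so as far as I can tell the second set never matches and the `connlimit` bound it carries never applies on XB6; either wrap the hashlimit branch of the second loop in `#if !defined(_XB6_PRODUCT_REQ_)` or make the second loop the `else` of this one. If emitting both sets is intended, a comment above `if (offset != 0)` should say which set is expected to match. `offset`, `a` and `start_i` are computed before the hunk.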
@@ -1356,23 +1358,32 @@ int do_mapt_rules_v4(FILE *nat_fp, FILE *filter_fp, FILE *mangle_fp) fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); #else - if(i == a-1) + if (offset == 0) { fprintf(nat_fp, "-A %s -p tcp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - } - else if(i > a-4) - { - fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 45/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source 
%s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); } else { - fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); - } + if (i == a-1) + { + fprintf(nat_fp, "-A %s -p tcp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + } + else if(i > a-4) + { + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 45/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 100/second --hashlimit-burst 100 
-m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + } + else + { + fprintf(nat_fp, "-A %s -p tcp -m hashlimit --hashlimit-name mapt_tcp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 30/second --hashlimit-burst 60 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_TCP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + fprintf(nat_fp, "-A %s -p udp -m hashlimit --hashlimit-name mapt_udp_%d --hashlimit-mode srcip,dstip,dstport --hashlimit-upto 60/second --hashlimit-burst 100 -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_UDP, i%5, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + } fprintf(nat_fp, "-A %s -p icmp -m connlimit --connlimit-upto %d --connlimit-daddr-dport -j SNAT --to-source %s:%d-%d\n", MAPT_NAT_IPV4_POST_ROUTING_TABLE_ICMP, finalPortValue - initialPortValue + 1, ipaddress_str, initialPortValue,finalPortValue); + } #endif //_HUB4_PRODUCT_REQ_NO_DPORT_ #endif //IVI_KERNEL_SUPPORT FIREWALL_DEBUG("MAPT Rule: Port range is initialPortValue=%u, finalPortValue=%u \n" COMMA initialPortValue COMMA finalPortValue);
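Review bot: `if (offset == 0)` is loop-invariant but is re-tested on every iteration of the `for(i = start_i; i < a; i++)` loop that starts outside the hunk, and its body emits exactly what the `i == a-1` branch beneath it emits (tcp and udp connlimit rules followed by the icmp line), so if a zero offset always yields a single block (`a == 1`, which I cannot confirm from the hunk) the new branch is redundant with the existing one and could be dropped. If a zero offset can still yield several blocks, the change silently skips the hashlimit rules for all of them, which the commit message does not explain; a comment such as `/* offset == 0: one contiguous port set, per-block hashlimit not needed */` beside the condition would record the intent either way. The `FIREWALL_DEBUG` after `#endif` prints the port values with `%u` while the XB6 loop uses `%d` for the same variables.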