Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xt_TPROXY.c
Go to the documentation of this file.
1 /*
2  * Transparent proxy support for Linux/iptables
3  *
4  * Copyright (c) 2006-2010 BalaBit IT Ltd.
5  * Author: Balazs Scheidler, Krisztian Kovacs
6  *
7  * This program is free software; you can redistribute it and/or modify
8  * it under the terms of the GNU General Public License version 2 as
9  * published by the Free Software Foundation.
10  *
11  */
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
15 #include <linux/ip.h>
16 #include <net/checksum.h>
17 #include <net/udp.h>
18 #include <net/inet_sock.h>
19 #include <linux/inetdevice.h>
20 #include <linux/netfilter/x_tables.h>
21 #include <linux/netfilter_ipv4/ip_tables.h>
22 
23 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
24 
25 #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
26 #define XT_TPROXY_HAVE_IPV6 1
27 #include <net/if_inet6.h>
28 #include <net/addrconf.h>
29 #include <linux/netfilter_ipv6/ip6_tables.h>
30 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
31 #endif
32 
33 #include <net/netfilter/nf_tproxy_core.h>
34 #include <linux/netfilter/xt_TPROXY.h>
35 
36 static bool tproxy_sk_is_transparent(struct sock *sk)
37 {
38  if (sk->sk_state != TCP_TIME_WAIT) {
39  if (inet_sk(sk)->transparent)
40  return true;
41  sock_put(sk);
42  } else {
43  if (inet_twsk(sk)->tw_transparent)
44  return true;
45  inet_twsk_put(inet_twsk(sk));
46  }
47  return false;
48 }
49 
50 static inline __be32
51 tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)
52 {
53  struct in_device *indev;
54  __be32 laddr;
55 
56  if (user_laddr)
57  return user_laddr;
58 
59  laddr = 0;
60  rcu_read_lock();
61  indev = __in_dev_get_rcu(skb->dev);
62  for_primary_ifa(indev) {
63  laddr = ifa->ifa_local;
64  break;
65  } endfor_ifa(indev);
66  rcu_read_unlock();
67 
68  return laddr ? laddr : daddr;
69 }
70 
88 static struct sock *
89 tproxy_handle_time_wait4(struct sk_buff *skb, __be32 laddr, __be16 lport,
90  struct sock *sk)
91 {
92  const struct iphdr *iph = ip_hdr(skb);
93  struct tcphdr _hdr, *hp;
94 
95  hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
96  if (hp == NULL) {
97  inet_twsk_put(inet_twsk(sk));
98  return NULL;
99  }
100 
101  if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
102  /* SYN to a TIME_WAIT socket, we'd rather redirect it
103  * to a listener socket if there's one */
104  struct sock *sk2;
105 
106  sk2 = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
107  iph->saddr, laddr ? laddr : iph->daddr,
108  hp->source, lport ? lport : hp->dest,
109  skb->dev, NFT_LOOKUP_LISTENER);
110  if (sk2) {
111  inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
112  inet_twsk_put(inet_twsk(sk));
113  sk = sk2;
114  }
115  }
116 
117  return sk;
118 }
119 
120 static unsigned int
121 tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
122  u_int32_t mark_mask, u_int32_t mark_value)
123 {
124  const struct iphdr *iph = ip_hdr(skb);
125  struct udphdr _hdr, *hp;
126  struct sock *sk;
127 
128  hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
129  if (hp == NULL)
130  return NF_DROP;
131 
132  /* check if there's an ongoing connection on the packet
133  * addresses, this happens if the redirect already happened
134  * and the current packet belongs to an already established
135  * connection */
136  sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
137  iph->saddr, iph->daddr,
138  hp->source, hp->dest,
139  skb->dev, NFT_LOOKUP_ESTABLISHED);
140 
141  laddr = tproxy_laddr4(skb, laddr, iph->daddr);
142  if (!lport)
143  lport = hp->dest;
144 
145  /* UDP has no TCP_TIME_WAIT state, so we never enter here */
146  if (sk && sk->sk_state == TCP_TIME_WAIT)
147  /* reopening a TIME_WAIT connection needs special handling */
148  sk = tproxy_handle_time_wait4(skb, laddr, lport, sk);
149  else if (!sk)
150  /* no, there's no established connection, check if
151  * there's a listener on the redirected addr/port */
152  sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
153  iph->saddr, laddr,
154  hp->source, lport,
155  skb->dev, NFT_LOOKUP_LISTENER);
156 
157  /* NOTE: assign_sock consumes our sk reference */
158  if (sk && tproxy_sk_is_transparent(sk)) {
159  /* This should be in a separate target, but we don't do multiple
160  targets on the same rule yet */
161  skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
162 
163  pr_debug("redirecting: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
164  iph->protocol, &iph->daddr, ntohs(hp->dest),
165  &laddr, ntohs(lport), skb->mark);
166 
167  nf_tproxy_assign_sock(skb, sk);
168  return NF_ACCEPT;
169  }
170 
171  pr_debug("no socket, dropping: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
172  iph->protocol, &iph->saddr, ntohs(hp->source),
173  &iph->daddr, ntohs(hp->dest), skb->mark);
174  return NF_DROP;
175 }
176 
177 static unsigned int
178 tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)
179 {
180  const struct xt_tproxy_target_info *tgi = par->targinfo;
181 
182  return tproxy_tg4(skb, tgi->laddr, tgi->lport, tgi->mark_mask, tgi->mark_value);
183 }
184 
185 static unsigned int
186 tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
187 {
188  const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
189 
190  return tproxy_tg4(skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
191 }
192 
193 #ifdef XT_TPROXY_HAVE_IPV6
194 
195 static inline const struct in6_addr *
196 tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
197  const struct in6_addr *daddr)
198 {
199  struct inet6_dev *indev;
200  struct inet6_ifaddr *ifa;
201  struct in6_addr *laddr;
202 
203  if (!ipv6_addr_any(user_laddr))
204  return user_laddr;
205  laddr = NULL;
206 
207  rcu_read_lock();
208  indev = __in6_dev_get(skb->dev);
209  if (indev)
210  list_for_each_entry(ifa, &indev->addr_list, if_list) {
211  if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED))
212  continue;
213 
214  laddr = &ifa->addr;
215  break;
216  }
217  rcu_read_unlock();
218 
219  return laddr ? laddr : daddr;
220 }
221 
240 static struct sock *
241 tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
242  const struct xt_action_param *par,
243  struct sock *sk)
244 {
245  const struct ipv6hdr *iph = ipv6_hdr(skb);
246  struct tcphdr _hdr, *hp;
247  const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
248 
249  hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
250  if (hp == NULL) {
251  inet_twsk_put(inet_twsk(sk));
252  return NULL;
253  }
254 
255  if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
256  /* SYN to a TIME_WAIT socket, we'd rather redirect it
257  * to a listener socket if there's one */
258  struct sock *sk2;
259 
260  sk2 = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
261  &iph->saddr,
262  tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr),
263  hp->source,
264  tgi->lport ? tgi->lport : hp->dest,
265  skb->dev, NFT_LOOKUP_LISTENER);
266  if (sk2) {
267  inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
268  inet_twsk_put(inet_twsk(sk));
269  sk = sk2;
270  }
271  }
272 
273  return sk;
274 }
275 
276 static unsigned int
277 tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
278 {
279  const struct ipv6hdr *iph = ipv6_hdr(skb);
280  const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
281  struct udphdr _hdr, *hp;
282  struct sock *sk;
283  const struct in6_addr *laddr;
284  __be16 lport;
285  int thoff = 0;
286  int tproto;
287 
288  tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
289  if (tproto < 0) {
290  pr_debug("unable to find transport header in IPv6 packet, dropping\n");
291  return NF_DROP;
292  }
293 
294  hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
295  if (hp == NULL) {
296  pr_debug("unable to grab transport header contents in IPv6 packet, dropping\n");
297  return NF_DROP;
298  }
299 
300  /* check if there's an ongoing connection on the packet
301  * addresses, this happens if the redirect already happened
302  * and the current packet belongs to an already established
303  * connection */
304  sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
305  &iph->saddr, &iph->daddr,
306  hp->source, hp->dest,
307  par->in, NFT_LOOKUP_ESTABLISHED);
308 
309  laddr = tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr);
310  lport = tgi->lport ? tgi->lport : hp->dest;
311 
312  /* UDP has no TCP_TIME_WAIT state, so we never enter here */
313  if (sk && sk->sk_state == TCP_TIME_WAIT)
314  /* reopening a TIME_WAIT connection needs special handling */
315  sk = tproxy_handle_time_wait6(skb, tproto, thoff, par, sk);
316  else if (!sk)
317  /* no there's no established connection, check if
318  * there's a listener on the redirected addr/port */
319  sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
320  &iph->saddr, laddr,
321  hp->source, lport,
322  par->in, NFT_LOOKUP_LISTENER);
323 
324  /* NOTE: assign_sock consumes our sk reference */
325  if (sk && tproxy_sk_is_transparent(sk)) {
326  /* This should be in a separate target, but we don't do multiple
327  targets on the same rule yet */
328  skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
329 
330  pr_debug("redirecting: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
331  tproto, &iph->saddr, ntohs(hp->source),
332  laddr, ntohs(lport), skb->mark);
333 
334  nf_tproxy_assign_sock(skb, sk);
335  return NF_ACCEPT;
336  }
337 
338  pr_debug("no socket, dropping: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
339  tproto, &iph->saddr, ntohs(hp->source),
340  &iph->daddr, ntohs(hp->dest), skb->mark);
341 
342  return NF_DROP;
343 }
344 
345 static int tproxy_tg6_check(const struct xt_tgchk_param *par)
346 {
347  const struct ip6t_ip6 *i = par->entryinfo;
348 
349  if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
350  && !(i->flags & IP6T_INV_PROTO))
351  return 0;
352 
353  pr_info("Can be used only in combination with "
354  "either -p tcp or -p udp\n");
355  return -EINVAL;
356 }
357 #endif
358 
359 static int tproxy_tg4_check(const struct xt_tgchk_param *par)
360 {
361  const struct ipt_ip *i = par->entryinfo;
362 
363  if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
364  && !(i->invflags & IPT_INV_PROTO))
365  return 0;
366 
367  pr_info("Can be used only in combination with "
368  "either -p tcp or -p udp\n");
369  return -EINVAL;
370 }
371 
372 static struct xt_target tproxy_tg_reg[] __read_mostly = {
373  {
374  .name = "TPROXY",
375  .family = NFPROTO_IPV4,
376  .table = "mangle",
377  .target = tproxy_tg4_v0,
378  .revision = 0,
379  .targetsize = sizeof(struct xt_tproxy_target_info),
380  .checkentry = tproxy_tg4_check,
381  .hooks = 1 << NF_INET_PRE_ROUTING,
382  .me = THIS_MODULE,
383  },
384  {
385  .name = "TPROXY",
386  .family = NFPROTO_IPV4,
387  .table = "mangle",
388  .target = tproxy_tg4_v1,
389  .revision = 1,
390  .targetsize = sizeof(struct xt_tproxy_target_info_v1),
391  .checkentry = tproxy_tg4_check,
392  .hooks = 1 << NF_INET_PRE_ROUTING,
393  .me = THIS_MODULE,
394  },
395 #ifdef XT_TPROXY_HAVE_IPV6
396  {
397  .name = "TPROXY",
398  .family = NFPROTO_IPV6,
399  .table = "mangle",
400  .target = tproxy_tg6_v1,
401  .revision = 1,
402  .targetsize = sizeof(struct xt_tproxy_target_info_v1),
403  .checkentry = tproxy_tg6_check,
404  .hooks = 1 << NF_INET_PRE_ROUTING,
405  .me = THIS_MODULE,
406  },
407 #endif
408 
409 };
410 
411 static int __init tproxy_tg_init(void)
412 {
413  nf_defrag_ipv4_enable();
414 #ifdef XT_TPROXY_HAVE_IPV6
415  nf_defrag_ipv6_enable();
416 #endif
417 
418  return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
419 }
420 
421 static void __exit tproxy_tg_exit(void)
422 {
423  xt_unregister_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
424 }
425 
426 module_init(tproxy_tg_init);
427 module_exit(tproxy_tg_exit);
428 MODULE_LICENSE("GPL");
429 MODULE_AUTHOR("Balazs Scheidler, Krisztian Kovacs");
430 MODULE_DESCRIPTION("Netfilter transparent proxy (TPROXY) target module.");
431 MODULE_ALIAS("ipt_TPROXY");
432 MODULE_ALIAS("ip6t_TPROXY");
Generated on Thu Jan 10 2013 15:01:01 for Linux Kernel by   doxygen 1.8.2