
netfilter: iptables tproxy core

The iptables tproxy core is a module that contains the common routines used by
various tproxy-related modules (the TPROXY target and the socket match).

Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

authored by

KOVACS Krisztian and committed by
Patrick McHardy
9ad2d745 73e4022f

+146
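--- a/include/net/netfilter/nf_tproxy_core.h
+++ b/include/net/netfilter/nf_tproxy_core.h
@@ -0,0 +1,32 @@
+#ifndef _NF_TPROXY_CORE_H
+#define _NF_TPROXY_CORE_H
+
+#include <linux/types.h>
+#include <linux/in.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+#include <net/inet_sock.h>
+#include <net/tcp.h>
+
+/* look up and get a reference to a matching socket */
+extern struct sock *
+nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
+const __be32 saddr, const __be32 daddr,
+const __be16 sport, const __be16 dport,
+const struct net_device *in, bool listening);
+
+static inline void
+nf_tproxy_put_sock(struct sock *sk)
+{
+/* TIME_WAIT inet sockets have to be handled differently */
+if ((sk->sk_protocol == IPPROTO_TCP) && (sk->sk_state == TCP_TIME_WAIT))
+inet_twsk_put(inet_twsk(sk));
+else
+sock_put(sk);
+}
+
+/* assign a socket to the skb -- consumes sk */
+int
+nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk);
+
+#endif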
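Review bot: The prototype of `nf_tproxy_get_sock_v4` on line 16 names its last parameter `listening` while the definition in net/netfilter/nf_tproxy_core.c in this same commit names it `listening_only`; the two should agree, `const struct net_device *in, bool listening_only);`. The one-line comment on line 11 should also spell out the ownership contract the code implies: the returned socket carries a reference the caller must drop with `nf_tproxy_put_sock()` (or hand to `nf_tproxy_assign_sock()`, which consumes it), it is NULL when nothing matched, `in` must be non-NULL because its `ifindex` is read unconditionally in the lookup, and — judging by the `TCP_TIME_WAIT` branch in `nf_tproxy_put_sock` — it may be a TCP timewait socket rather than a full `inet_sock`. Something like `/* look up a matching socket and take a reference; returns NULL if none. in must be non-NULL. Release with nf_tproxy_put_sock(), which also handles TCP timewait sockets. */` would save every caller from rediscovering this.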
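--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -287,6 +287,21 @@
 help
 This option enables support for a netlink-based userspace interface
 
+# transparent proxy support
+config NETFILTER_TPROXY
+tristate "Transparent proxying support (EXPERIMENTAL)"
+depends on EXPERIMENTAL
+depends on IP_NF_MANGLE
+depends on NETFILTER_ADVANCED
+help
+This option enables transparent proxying support, that is,
+support for handling non-locally bound IPv4 TCP and UDP sockets.
+For it to work you will have to configure certain iptables rules
+and use policy routing. For more information on how to set it up
+see Documentation/networking/tproxy.txt.
+
+To compile it as a module, choose M here. If unsure, say N.
+
 config NETFILTER_XTABLES
 tristate "Netfilter Xtables support (required for ip_tables)"
 default m if NETFILTER_ADVANCED=n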
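--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -34,6 +34,9 @@
 obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o
 obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o
 
+# transparent proxy support
+obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
+
 # generic X tables
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 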
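--- a/net/netfilter/nf_tproxy_core.c
+++ b/net/netfilter/nf_tproxy_core.c
@@ -0,0 +1,96 @@
+/*
+* Transparent proxy support for Linux/iptables
+*
+* Copyright (c) 2006-2007 BalaBit IT Ltd.
+* Author: Balazs Scheidler, Krisztian Kovacs
+*
+* This program is free software; you can redistribute it and/or modify
+* it under the terms of the GNU General Public License version 2 as
+* published by the Free Software Foundation.
+*
+*/
+
+#include <linux/version.h>
+#include <linux/module.h>
+
+#include <linux/net.h>
+#include <linux/if.h>
+#include <linux/netdevice.h>
+#include <net/udp.h>
+#include <net/netfilter/nf_tproxy_core.h>
+
+struct sock *
+nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
+const __be32 saddr, const __be32 daddr,
+const __be16 sport, const __be16 dport,
+const struct net_device *in, bool listening_only)
+{
+struct sock *sk;
+
+/* look up socket */
+switch (protocol) {
+case IPPROTO_TCP:
+if (listening_only)
+sk = __inet_lookup_listener(net, &tcp_hashinfo,
+daddr, ntohs(dport),
+in->ifindex);
+else
+sk = __inet_lookup(net, &tcp_hashinfo,
+saddr, sport, daddr, dport,
+in->ifindex);
+break;
+case IPPROTO_UDP:
+sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
+in->ifindex);
+break;
+default:
+WARN_ON(1);
+sk = NULL;
+}
+
+pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, listener only: %d, sock %p\n",
+protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), listening_only, sk);
+
+return sk;
+}
+EXPORT_SYMBOL_GPL(nf_tproxy_get_sock_v4);
+
+static void
+nf_tproxy_destructor(struct sk_buff *skb)
+{
+struct sock *sk = skb->sk;
+
+skb->sk = NULL;
+skb->destructor = NULL;
+
+if (sk)
+nf_tproxy_put_sock(sk);
+}
+
+/* consumes sk */
+int
+nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
+{
+if (inet_sk(sk)->transparent) {
+skb->sk = sk;
+skb->destructor = nf_tproxy_destructor;
+return 1;
+} else
+nf_tproxy_put_sock(sk);
+
+return 0;
+}
+EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock);
+
+static int __init nf_tproxy_init(void)
+{
+pr_info("NF_TPROXY: Transparent proxy support initialized, version 4.1.0\n");
+pr_info("NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.\n");
+return 0;
+}
+
+module_init(nf_tproxy_init);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Krisztian Kovacs");
+MODULE_DESCRIPTION("Transparent proxy support core routines");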
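Review bot: `nf_tproxy_assign_sock` reads `inet_sk(sk)->transparent` on line 74 for whatever socket it is handed, yet the module's own `nf_tproxy_put_sock` (in the header added by this commit) special-cases `TCP_TIME_WAIT`, so the non-listener TCP lookup via `__inet_lookup` on lines 38-40 can evidently return a timewait socket. A timewait socket is not a full `inet_sock`, so `inet_sk(sk)->transparent` on one presumably reads beyond the object, and a true result then attaches a socket of the wrong type to `skb->sk` for later code to consume; the assignment should refuse timewait sockets outright, e.g. `if (sk->sk_state != TCP_TIME_WAIT && inet_sk(sk)->transparent) {` (the else branch already drops it correctly through `nf_tproxy_put_sock`). Separately, `in->ifindex` is dereferenced unconditionally on lines 36, 40 and 44, so the function comment should state that `in` must be non-NULL, which rules out calling this from hooks that have no input device. The `WARN_ON(1)` default case on line 47 is reachable for any protocol a caller passes through, so it is worth a one-line comment that callers are expected to filter to TCP/UDP first.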