99d20a461c
Pablo Neira Ayuso says:
====================
Netfilter/IPVS updates for net-next
The following patchset contains Netfilter/IPVS updates for your net-next
tree:
1) No need to set ttl from reject action for the bridge family, from
Taehee Yoo.
2) Use a fixed timeout for flow that are passed up from the flowtable
to conntrack, from Florian Westphal.
3) More preparation patches for tproxy support for nf_tables, from Mate
Eckl.
4) Remove unnecessary indirection in core IPv6 checksum function, from
Florian Westphal.
5) Use nf_ct_get_tuplepr() from openvswitch, instead of opencoding it.
From Florian Westphal.
6) socket match now selects socket infrastructure, instead of depending
on it. From Mate Eckl.
7) Patch series to simplify conntrack tuple building/parsing from packet
path and ctnetlink, from Florian Westphal.
8) Fetch timeout policy from protocol helpers, instead of doing it from
core, from Florian Westphal.
9) Merge IPv4 and IPv6 protocol trackers into conntrack core, from
Florian Westphal.
10) Depend on CONFIG_NF_TABLES_IPV6 and CONFIG_IP6_NF_IPTABLES
respectively, instead of IPV6. Patch from Mate Eckl.
11) Add specific function for garbage collection in conncount,
from Yi-Hung Wei.
12) Catch number of elements in the connlimit list, from Yi-Hung Wei.
13) Move locking to nf_conncount, from Yi-Hung Wei.
14) Series of patches to add lockless tree traversal in nf_conncount,
from Yi-Hung Wei.
15) Resolve clash in matching conntracks when race happens, from
Martynas Pumputis.
16) If connection entry times out, remove template entry from the
ip_vs_conn_tab table to improve behaviour under flood, from
Julian Anastasov.
17) Remove useless parameter from nf_ct_helper_ext_add(), from Gao feng.
18) Call abort from 2-phase commit protocol before requesting modules,
make sure this is done under the mutex, from Florian Westphal.
19) Grab module reference when starting transaction, also from Florian.
20) Dynamically allocate expression info array for pre-parsing, from
Florian.
21) Add per netns mutex for nf_tables, from Florian Westphal.
22) A couple of patches to simplify and refactor nf_osf code to prepare
for nft_osf support.
23) Break evaluation on missing socket, from Mate Eckl.
24) Allow to match socket mark from nft_socket, from Mate Eckl.
25) Remove dependency on nf_defrag_ipv6, now that IPv6 tracker is
built-in into nf_conntrack. From Florian Westphal.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
282 lines
8 KiB
C
282 lines
8 KiB
C
/*
|
|
* Transparent proxy support for Linux/iptables
|
|
*
|
|
* Copyright (c) 2006-2010 BalaBit IT Ltd.
|
|
* Author: Balazs Scheidler, Krisztian Kovacs
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
*/
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
#include <linux/module.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/ip.h>
|
|
#include <net/checksum.h>
|
|
#include <net/udp.h>
|
|
#include <net/tcp.h>
|
|
#include <net/inet_sock.h>
|
|
#include <net/inet_hashtables.h>
|
|
#include <linux/inetdevice.h>
|
|
#include <linux/netfilter/x_tables.h>
|
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
|
|
|
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
|
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
|
#define XT_TPROXY_HAVE_IPV6 1
|
|
#include <net/if_inet6.h>
|
|
#include <net/addrconf.h>
|
|
#include <net/inet6_hashtables.h>
|
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
|
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
|
|
#endif
|
|
|
|
#include <net/netfilter/nf_tproxy.h>
|
|
#include <linux/netfilter/xt_TPROXY.h>
|
|
|
|
static unsigned int
|
|
tproxy_tg4(struct net *net, struct sk_buff *skb, __be32 laddr, __be16 lport,
|
|
u_int32_t mark_mask, u_int32_t mark_value)
|
|
{
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct udphdr _hdr, *hp;
|
|
struct sock *sk;
|
|
|
|
hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
|
|
if (hp == NULL)
|
|
return NF_DROP;
|
|
|
|
/* check if there's an ongoing connection on the packet
|
|
* addresses, this happens if the redirect already happened
|
|
* and the current packet belongs to an already established
|
|
* connection */
|
|
sk = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
|
|
iph->saddr, iph->daddr,
|
|
hp->source, hp->dest,
|
|
skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
|
|
|
|
laddr = nf_tproxy_laddr4(skb, laddr, iph->daddr);
|
|
if (!lport)
|
|
lport = hp->dest;
|
|
|
|
/* UDP has no TCP_TIME_WAIT state, so we never enter here */
|
|
if (sk && sk->sk_state == TCP_TIME_WAIT)
|
|
/* reopening a TIME_WAIT connection needs special handling */
|
|
sk = nf_tproxy_handle_time_wait4(net, skb, laddr, lport, sk);
|
|
else if (!sk)
|
|
/* no, there's no established connection, check if
|
|
* there's a listener on the redirected addr/port */
|
|
sk = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
|
|
iph->saddr, laddr,
|
|
hp->source, lport,
|
|
skb->dev, NF_TPROXY_LOOKUP_LISTENER);
|
|
|
|
/* NOTE: assign_sock consumes our sk reference */
|
|
if (sk && nf_tproxy_sk_is_transparent(sk)) {
|
|
/* This should be in a separate target, but we don't do multiple
|
|
targets on the same rule yet */
|
|
skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
|
|
|
|
pr_debug("redirecting: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
|
|
iph->protocol, &iph->daddr, ntohs(hp->dest),
|
|
&laddr, ntohs(lport), skb->mark);
|
|
|
|
nf_tproxy_assign_sock(skb, sk);
|
|
return NF_ACCEPT;
|
|
}
|
|
|
|
pr_debug("no socket, dropping: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
|
|
iph->protocol, &iph->saddr, ntohs(hp->source),
|
|
&iph->daddr, ntohs(hp->dest), skb->mark);
|
|
return NF_DROP;
|
|
}
|
|
|
|
static unsigned int
|
|
tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)
|
|
{
|
|
const struct xt_tproxy_target_info *tgi = par->targinfo;
|
|
|
|
return tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,
|
|
tgi->mark_mask, tgi->mark_value);
|
|
}
|
|
|
|
static unsigned int
|
|
tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
|
|
{
|
|
const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
|
|
|
|
return tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,
|
|
tgi->mark_mask, tgi->mark_value);
|
|
}
|
|
|
|
#ifdef XT_TPROXY_HAVE_IPV6
|
|
|
|
static unsigned int
|
|
tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
|
|
{
|
|
const struct ipv6hdr *iph = ipv6_hdr(skb);
|
|
const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
|
|
struct udphdr _hdr, *hp;
|
|
struct sock *sk;
|
|
const struct in6_addr *laddr;
|
|
__be16 lport;
|
|
int thoff = 0;
|
|
int tproto;
|
|
|
|
tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
|
|
if (tproto < 0) {
|
|
pr_debug("unable to find transport header in IPv6 packet, dropping\n");
|
|
return NF_DROP;
|
|
}
|
|
|
|
hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
|
|
if (hp == NULL) {
|
|
pr_debug("unable to grab transport header contents in IPv6 packet, dropping\n");
|
|
return NF_DROP;
|
|
}
|
|
|
|
/* check if there's an ongoing connection on the packet
|
|
* addresses, this happens if the redirect already happened
|
|
* and the current packet belongs to an already established
|
|
* connection */
|
|
sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, tproto,
|
|
&iph->saddr, &iph->daddr,
|
|
hp->source, hp->dest,
|
|
xt_in(par), NF_TPROXY_LOOKUP_ESTABLISHED);
|
|
|
|
laddr = nf_tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr);
|
|
lport = tgi->lport ? tgi->lport : hp->dest;
|
|
|
|
/* UDP has no TCP_TIME_WAIT state, so we never enter here */
|
|
if (sk && sk->sk_state == TCP_TIME_WAIT) {
|
|
const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
|
|
/* reopening a TIME_WAIT connection needs special handling */
|
|
sk = nf_tproxy_handle_time_wait6(skb, tproto, thoff,
|
|
xt_net(par),
|
|
&tgi->laddr.in6,
|
|
tgi->lport,
|
|
sk);
|
|
}
|
|
else if (!sk)
|
|
/* no there's no established connection, check if
|
|
* there's a listener on the redirected addr/port */
|
|
sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff,
|
|
tproto, &iph->saddr, laddr,
|
|
hp->source, lport,
|
|
xt_in(par), NF_TPROXY_LOOKUP_LISTENER);
|
|
|
|
/* NOTE: assign_sock consumes our sk reference */
|
|
if (sk && nf_tproxy_sk_is_transparent(sk)) {
|
|
/* This should be in a separate target, but we don't do multiple
|
|
targets on the same rule yet */
|
|
skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
|
|
|
|
pr_debug("redirecting: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
|
|
tproto, &iph->saddr, ntohs(hp->source),
|
|
laddr, ntohs(lport), skb->mark);
|
|
|
|
nf_tproxy_assign_sock(skb, sk);
|
|
return NF_ACCEPT;
|
|
}
|
|
|
|
pr_debug("no socket, dropping: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
|
|
tproto, &iph->saddr, ntohs(hp->source),
|
|
&iph->daddr, ntohs(hp->dest), skb->mark);
|
|
|
|
return NF_DROP;
|
|
}
|
|
|
|
static int tproxy_tg6_check(const struct xt_tgchk_param *par)
|
|
{
|
|
const struct ip6t_ip6 *i = par->entryinfo;
|
|
int err;
|
|
|
|
err = nf_defrag_ipv6_enable(par->net);
|
|
if (err)
|
|
return err;
|
|
|
|
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) &&
|
|
!(i->invflags & IP6T_INV_PROTO))
|
|
return 0;
|
|
|
|
pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
|
|
return -EINVAL;
|
|
}
|
|
#endif
|
|
|
|
static int tproxy_tg4_check(const struct xt_tgchk_param *par)
|
|
{
|
|
const struct ipt_ip *i = par->entryinfo;
|
|
int err;
|
|
|
|
err = nf_defrag_ipv4_enable(par->net);
|
|
if (err)
|
|
return err;
|
|
|
|
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
|
|
&& !(i->invflags & IPT_INV_PROTO))
|
|
return 0;
|
|
|
|
pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
static struct xt_target tproxy_tg_reg[] __read_mostly = {
|
|
{
|
|
.name = "TPROXY",
|
|
.family = NFPROTO_IPV4,
|
|
.table = "mangle",
|
|
.target = tproxy_tg4_v0,
|
|
.revision = 0,
|
|
.targetsize = sizeof(struct xt_tproxy_target_info),
|
|
.checkentry = tproxy_tg4_check,
|
|
.hooks = 1 << NF_INET_PRE_ROUTING,
|
|
.me = THIS_MODULE,
|
|
},
|
|
{
|
|
.name = "TPROXY",
|
|
.family = NFPROTO_IPV4,
|
|
.table = "mangle",
|
|
.target = tproxy_tg4_v1,
|
|
.revision = 1,
|
|
.targetsize = sizeof(struct xt_tproxy_target_info_v1),
|
|
.checkentry = tproxy_tg4_check,
|
|
.hooks = 1 << NF_INET_PRE_ROUTING,
|
|
.me = THIS_MODULE,
|
|
},
|
|
#ifdef XT_TPROXY_HAVE_IPV6
|
|
{
|
|
.name = "TPROXY",
|
|
.family = NFPROTO_IPV6,
|
|
.table = "mangle",
|
|
.target = tproxy_tg6_v1,
|
|
.revision = 1,
|
|
.targetsize = sizeof(struct xt_tproxy_target_info_v1),
|
|
.checkentry = tproxy_tg6_check,
|
|
.hooks = 1 << NF_INET_PRE_ROUTING,
|
|
.me = THIS_MODULE,
|
|
},
|
|
#endif
|
|
|
|
};
|
|
|
|
static int __init tproxy_tg_init(void)
|
|
{
|
|
return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
|
|
}
|
|
|
|
static void __exit tproxy_tg_exit(void)
|
|
{
|
|
xt_unregister_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
|
|
}
|
|
|
|
module_init(tproxy_tg_init);
|
|
module_exit(tproxy_tg_exit);
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_AUTHOR("Balazs Scheidler, Krisztian Kovacs");
|
|
MODULE_DESCRIPTION("Netfilter transparent proxy (TPROXY) target module.");
|
|
MODULE_ALIAS("ipt_TPROXY");
|
|
MODULE_ALIAS("ip6t_TPROXY");
|