1
2
3
4
5
6
7
8
9
10
11
12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13#include <linux/module.h>
14#include <linux/skbuff.h>
15#include <linux/ip.h>
16#include <net/checksum.h>
17#include <net/udp.h>
18#include <net/inet_sock.h>
19#include <linux/inetdevice.h>
20#include <linux/netfilter/x_tables.h>
21#include <linux/netfilter_ipv4/ip_tables.h>
22
23#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
24
25#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
26#define XT_TPROXY_HAVE_IPV6 1
27#include <net/if_inet6.h>
28#include <net/addrconf.h>
29#include <linux/netfilter_ipv6/ip6_tables.h>
30#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
31#endif
32
33#include <net/netfilter/nf_tproxy_core.h>
34#include <linux/netfilter/xt_TPROXY.h>
35
36static bool tproxy_sk_is_transparent(struct sock *sk)
37{
38 if (sk->sk_state != TCP_TIME_WAIT) {
39 if (inet_sk(sk)->transparent)
40 return true;
41 sock_put(sk);
42 } else {
43 if (inet_twsk(sk)->tw_transparent)
44 return true;
45 inet_twsk_put(inet_twsk(sk));
46 }
47 return false;
48}
49
50static inline __be32
51tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)
52{
53 struct in_device *indev;
54 __be32 laddr;
55
56 if (user_laddr)
57 return user_laddr;
58
59 laddr = 0;
60 rcu_read_lock();
61 indev = __in_dev_get_rcu(skb->dev);
62 for_primary_ifa(indev) {
63 laddr = ifa->ifa_local;
64 break;
65 } endfor_ifa(indev);
66 rcu_read_unlock();
67
68 return laddr ? laddr : daddr;
69}
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88static struct sock *
89tproxy_handle_time_wait4(struct sk_buff *skb, __be32 laddr, __be16 lport,
90 struct sock *sk)
91{
92 const struct iphdr *iph = ip_hdr(skb);
93 struct tcphdr _hdr, *hp;
94
95 hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
96 if (hp == NULL) {
97 inet_twsk_put(inet_twsk(sk));
98 return NULL;
99 }
100
101 if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
102
103
104 struct sock *sk2;
105
106 sk2 = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
107 iph->saddr, laddr ? laddr : iph->daddr,
108 hp->source, lport ? lport : hp->dest,
109 skb->dev, NFT_LOOKUP_LISTENER);
110 if (sk2) {
111 inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
112 inet_twsk_put(inet_twsk(sk));
113 sk = sk2;
114 }
115 }
116
117 return sk;
118}
119
120static unsigned int
121tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
122 u_int32_t mark_mask, u_int32_t mark_value)
123{
124 const struct iphdr *iph = ip_hdr(skb);
125 struct udphdr _hdr, *hp;
126 struct sock *sk;
127
128 hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
129 if (hp == NULL)
130 return NF_DROP;
131
132
133
134
135
136 sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
137 iph->saddr, iph->daddr,
138 hp->source, hp->dest,
139 skb->dev, NFT_LOOKUP_ESTABLISHED);
140
141 laddr = tproxy_laddr4(skb, laddr, iph->daddr);
142 if (!lport)
143 lport = hp->dest;
144
145
146 if (sk && sk->sk_state == TCP_TIME_WAIT)
147
148 sk = tproxy_handle_time_wait4(skb, laddr, lport, sk);
149 else if (!sk)
150
151
152 sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
153 iph->saddr, laddr,
154 hp->source, lport,
155 skb->dev, NFT_LOOKUP_LISTENER);
156
157
158 if (sk && tproxy_sk_is_transparent(sk)) {
159
160
161 skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
162
163 pr_debug("redirecting: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
164 iph->protocol, &iph->daddr, ntohs(hp->dest),
165 &laddr, ntohs(lport), skb->mark);
166
167 nf_tproxy_assign_sock(skb, sk);
168 return NF_ACCEPT;
169 }
170
171 pr_debug("no socket, dropping: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
172 iph->protocol, &iph->saddr, ntohs(hp->source),
173 &iph->daddr, ntohs(hp->dest), skb->mark);
174 return NF_DROP;
175}
176
177static unsigned int
178tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)
179{
180 const struct xt_tproxy_target_info *tgi = par->targinfo;
181
182 return tproxy_tg4(skb, tgi->laddr, tgi->lport, tgi->mark_mask, tgi->mark_value);
183}
184
185static unsigned int
186tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
187{
188 const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
189
190 return tproxy_tg4(skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
191}
192
193#ifdef XT_TPROXY_HAVE_IPV6
194
195static inline const struct in6_addr *
196tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
197 const struct in6_addr *daddr)
198{
199 struct inet6_dev *indev;
200 struct inet6_ifaddr *ifa;
201 struct in6_addr *laddr;
202
203 if (!ipv6_addr_any(user_laddr))
204 return user_laddr;
205 laddr = NULL;
206
207 rcu_read_lock();
208 indev = __in6_dev_get(skb->dev);
209 if (indev)
210 list_for_each_entry(ifa, &indev->addr_list, if_list) {
211 if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED))
212 continue;
213
214 laddr = &ifa->addr;
215 break;
216 }
217 rcu_read_unlock();
218
219 return laddr ? laddr : daddr;
220}
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240static struct sock *
241tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
242 const struct xt_action_param *par,
243 struct sock *sk)
244{
245 const struct ipv6hdr *iph = ipv6_hdr(skb);
246 struct tcphdr _hdr, *hp;
247 const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
248
249 hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
250 if (hp == NULL) {
251 inet_twsk_put(inet_twsk(sk));
252 return NULL;
253 }
254
255 if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
256
257
258 struct sock *sk2;
259
260 sk2 = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
261 &iph->saddr,
262 tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr),
263 hp->source,
264 tgi->lport ? tgi->lport : hp->dest,
265 skb->dev, NFT_LOOKUP_LISTENER);
266 if (sk2) {
267 inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
268 inet_twsk_put(inet_twsk(sk));
269 sk = sk2;
270 }
271 }
272
273 return sk;
274}
275
276static unsigned int
277tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
278{
279 const struct ipv6hdr *iph = ipv6_hdr(skb);
280 const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
281 struct udphdr _hdr, *hp;
282 struct sock *sk;
283 const struct in6_addr *laddr;
284 __be16 lport;
285 int thoff;
286 int tproto;
287
288 tproto = ipv6_find_hdr(skb, &thoff, -1, NULL);
289 if (tproto < 0) {
290 pr_debug("unable to find transport header in IPv6 packet, dropping\n");
291 return NF_DROP;
292 }
293
294 hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
295 if (hp == NULL) {
296 pr_debug("unable to grab transport header contents in IPv6 packet, dropping\n");
297 return NF_DROP;
298 }
299
300
301
302
303
304 sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
305 &iph->saddr, &iph->daddr,
306 hp->source, hp->dest,
307 par->in, NFT_LOOKUP_ESTABLISHED);
308
309 laddr = tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr);
310 lport = tgi->lport ? tgi->lport : hp->dest;
311
312
313 if (sk && sk->sk_state == TCP_TIME_WAIT)
314
315 sk = tproxy_handle_time_wait6(skb, tproto, thoff, par, sk);
316 else if (!sk)
317
318
319 sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
320 &iph->saddr, laddr,
321 hp->source, lport,
322 par->in, NFT_LOOKUP_LISTENER);
323
324
325 if (sk && tproxy_sk_is_transparent(sk)) {
326
327
328 skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
329
330 pr_debug("redirecting: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
331 tproto, &iph->saddr, ntohs(hp->source),
332 laddr, ntohs(lport), skb->mark);
333
334 nf_tproxy_assign_sock(skb, sk);
335 return NF_ACCEPT;
336 }
337
338 pr_debug("no socket, dropping: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
339 tproto, &iph->saddr, ntohs(hp->source),
340 &iph->daddr, ntohs(hp->dest), skb->mark);
341
342 return NF_DROP;
343}
344
345static int tproxy_tg6_check(const struct xt_tgchk_param *par)
346{
347 const struct ip6t_ip6 *i = par->entryinfo;
348
349 if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
350 && !(i->flags & IP6T_INV_PROTO))
351 return 0;
352
353 pr_info("Can be used only in combination with "
354 "either -p tcp or -p udp\n");
355 return -EINVAL;
356}
357#endif
358
359static int tproxy_tg4_check(const struct xt_tgchk_param *par)
360{
361 const struct ipt_ip *i = par->entryinfo;
362
363 if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
364 && !(i->invflags & IPT_INV_PROTO))
365 return 0;
366
367 pr_info("Can be used only in combination with "
368 "either -p tcp or -p udp\n");
369 return -EINVAL;
370}
371
372static struct xt_target tproxy_tg_reg[] __read_mostly = {
373 {
374 .name = "TPROXY",
375 .family = NFPROTO_IPV4,
376 .table = "mangle",
377 .target = tproxy_tg4_v0,
378 .revision = 0,
379 .targetsize = sizeof(struct xt_tproxy_target_info),
380 .checkentry = tproxy_tg4_check,
381 .hooks = 1 << NF_INET_PRE_ROUTING,
382 .me = THIS_MODULE,
383 },
384 {
385 .name = "TPROXY",
386 .family = NFPROTO_IPV4,
387 .table = "mangle",
388 .target = tproxy_tg4_v1,
389 .revision = 1,
390 .targetsize = sizeof(struct xt_tproxy_target_info_v1),
391 .checkentry = tproxy_tg4_check,
392 .hooks = 1 << NF_INET_PRE_ROUTING,
393 .me = THIS_MODULE,
394 },
395#ifdef XT_TPROXY_HAVE_IPV6
396 {
397 .name = "TPROXY",
398 .family = NFPROTO_IPV6,
399 .table = "mangle",
400 .target = tproxy_tg6_v1,
401 .revision = 1,
402 .targetsize = sizeof(struct xt_tproxy_target_info_v1),
403 .checkentry = tproxy_tg6_check,
404 .hooks = 1 << NF_INET_PRE_ROUTING,
405 .me = THIS_MODULE,
406 },
407#endif
408
409};
410
411static int __init tproxy_tg_init(void)
412{
413 nf_defrag_ipv4_enable();
414#ifdef XT_TPROXY_HAVE_IPV6
415 nf_defrag_ipv6_enable();
416#endif
417
418 return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
419}
420
421static void __exit tproxy_tg_exit(void)
422{
423 xt_unregister_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
424}
425
426module_init(tproxy_tg_init);
427module_exit(tproxy_tg_exit);
428MODULE_LICENSE("GPL");
429MODULE_AUTHOR("Balazs Scheidler, Krisztian Kovacs");
430MODULE_DESCRIPTION("Netfilter transparent proxy (TPROXY) target module.");
431MODULE_ALIAS("ipt_TPROXY");
432MODULE_ALIAS("ip6t_TPROXY");
433