linux/net/netfilter/xt_TPROXY.c
<<
>>
Prefs
   1/*
   2 * Transparent proxy support for Linux/iptables
   3 *
   4 * Copyright (c) 2006-2010 BalaBit IT Ltd.
   5 * Author: Balazs Scheidler, Krisztian Kovacs
   6 *
   7 * This program is free software; you can redistribute it and/or modify
   8 * it under the terms of the GNU General Public License version 2 as
   9 * published by the Free Software Foundation.
  10 *
  11 */
  12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  13#include <linux/module.h>
  14#include <linux/skbuff.h>
  15#include <linux/ip.h>
  16#include <net/checksum.h>
  17#include <net/udp.h>
  18#include <net/inet_sock.h>
  19#include <linux/inetdevice.h>
  20#include <linux/netfilter/x_tables.h>
  21#include <linux/netfilter_ipv4/ip_tables.h>
  22
  23#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
  24
  25#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
  26#define XT_TPROXY_HAVE_IPV6 1
  27#include <net/if_inet6.h>
  28#include <net/addrconf.h>
  29#include <linux/netfilter_ipv6/ip6_tables.h>
  30#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
  31#endif
  32
  33#include <net/netfilter/nf_tproxy_core.h>
  34#include <linux/netfilter/xt_TPROXY.h>
  35
  36static bool tproxy_sk_is_transparent(struct sock *sk)
  37{
  38        if (sk->sk_state != TCP_TIME_WAIT) {
  39                if (inet_sk(sk)->transparent)
  40                        return true;
  41                sock_put(sk);
  42        } else {
  43                if (inet_twsk(sk)->tw_transparent)
  44                        return true;
  45                inet_twsk_put(inet_twsk(sk));
  46        }
  47        return false;
  48}
  49
  50static inline __be32
  51tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)
  52{
  53        struct in_device *indev;
  54        __be32 laddr;
  55
  56        if (user_laddr)
  57                return user_laddr;
  58
  59        laddr = 0;
  60        rcu_read_lock();
  61        indev = __in_dev_get_rcu(skb->dev);
  62        for_primary_ifa(indev) {
  63                laddr = ifa->ifa_local;
  64                break;
  65        } endfor_ifa(indev);
  66        rcu_read_unlock();
  67
  68        return laddr ? laddr : daddr;
  69}
  70
  71/**
  72 * tproxy_handle_time_wait4() - handle IPv4 TCP TIME_WAIT reopen redirections
  73 * @skb:        The skb being processed.
  74 * @laddr:      IPv4 address to redirect to or zero.
  75 * @lport:      TCP port to redirect to or zero.
  76 * @sk:         The TIME_WAIT TCP socket found by the lookup.
  77 *
  78 * We have to handle SYN packets arriving to TIME_WAIT sockets
  79 * differently: instead of reopening the connection we should rather
  80 * redirect the new connection to the proxy if there's a listener
  81 * socket present.
  82 *
  83 * tproxy_handle_time_wait4() consumes the socket reference passed in.
  84 *
  85 * Returns the listener socket if there's one, the TIME_WAIT socket if
  86 * no such listener is found, or NULL if the TCP header is incomplete.
  87 */
  88static struct sock *
  89tproxy_handle_time_wait4(struct sk_buff *skb, __be32 laddr, __be16 lport,
  90                        struct sock *sk)
  91{
  92        const struct iphdr *iph = ip_hdr(skb);
  93        struct tcphdr _hdr, *hp;
  94
  95        hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
  96        if (hp == NULL) {
  97                inet_twsk_put(inet_twsk(sk));
  98                return NULL;
  99        }
 100
 101        if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
 102                /* SYN to a TIME_WAIT socket, we'd rather redirect it
 103                 * to a listener socket if there's one */
 104                struct sock *sk2;
 105
 106                sk2 = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
 107                                            iph->saddr, laddr ? laddr : iph->daddr,
 108                                            hp->source, lport ? lport : hp->dest,
 109                                            skb->dev, NFT_LOOKUP_LISTENER);
 110                if (sk2) {
 111                        inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
 112                        inet_twsk_put(inet_twsk(sk));
 113                        sk = sk2;
 114                }
 115        }
 116
 117        return sk;
 118}
 119
 120static unsigned int
 121tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
 122           u_int32_t mark_mask, u_int32_t mark_value)
 123{
 124        const struct iphdr *iph = ip_hdr(skb);
 125        struct udphdr _hdr, *hp;
 126        struct sock *sk;
 127
 128        hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
 129        if (hp == NULL)
 130                return NF_DROP;
 131
 132        /* check if there's an ongoing connection on the packet
 133         * addresses, this happens if the redirect already happened
 134         * and the current packet belongs to an already established
 135         * connection */
 136        sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
 137                                   iph->saddr, iph->daddr,
 138                                   hp->source, hp->dest,
 139                                   skb->dev, NFT_LOOKUP_ESTABLISHED);
 140
 141        laddr = tproxy_laddr4(skb, laddr, iph->daddr);
 142        if (!lport)
 143                lport = hp->dest;
 144
 145        /* UDP has no TCP_TIME_WAIT state, so we never enter here */
 146        if (sk && sk->sk_state == TCP_TIME_WAIT)
 147                /* reopening a TIME_WAIT connection needs special handling */
 148                sk = tproxy_handle_time_wait4(skb, laddr, lport, sk);
 149        else if (!sk)
 150                /* no, there's no established connection, check if
 151                 * there's a listener on the redirected addr/port */
 152                sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
 153                                           iph->saddr, laddr,
 154                                           hp->source, lport,
 155                                           skb->dev, NFT_LOOKUP_LISTENER);
 156
 157        /* NOTE: assign_sock consumes our sk reference */
 158        if (sk && tproxy_sk_is_transparent(sk)) {
 159                /* This should be in a separate target, but we don't do multiple
 160                   targets on the same rule yet */
 161                skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
 162
 163                pr_debug("redirecting: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
 164                         iph->protocol, &iph->daddr, ntohs(hp->dest),
 165                         &laddr, ntohs(lport), skb->mark);
 166
 167                nf_tproxy_assign_sock(skb, sk);
 168                return NF_ACCEPT;
 169        }
 170
 171        pr_debug("no socket, dropping: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
 172                 iph->protocol, &iph->saddr, ntohs(hp->source),
 173                 &iph->daddr, ntohs(hp->dest), skb->mark);
 174        return NF_DROP;
 175}
 176
 177static unsigned int
 178tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)
 179{
 180        const struct xt_tproxy_target_info *tgi = par->targinfo;
 181
 182        return tproxy_tg4(skb, tgi->laddr, tgi->lport, tgi->mark_mask, tgi->mark_value);
 183}
 184
 185static unsigned int
 186tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
 187{
 188        const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
 189
 190        return tproxy_tg4(skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
 191}
 192
 193#ifdef XT_TPROXY_HAVE_IPV6
 194
 195static inline const struct in6_addr *
 196tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
 197              const struct in6_addr *daddr)
 198{
 199        struct inet6_dev *indev;
 200        struct inet6_ifaddr *ifa;
 201        struct in6_addr *laddr;
 202
 203        if (!ipv6_addr_any(user_laddr))
 204                return user_laddr;
 205        laddr = NULL;
 206
 207        rcu_read_lock();
 208        indev = __in6_dev_get(skb->dev);
 209        if (indev)
 210                list_for_each_entry(ifa, &indev->addr_list, if_list) {
 211                        if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED))
 212                                continue;
 213
 214                        laddr = &ifa->addr;
 215                        break;
 216                }
 217        rcu_read_unlock();
 218
 219        return laddr ? laddr : daddr;
 220}
 221
 222/**
 223 * tproxy_handle_time_wait6() - handle IPv6 TCP TIME_WAIT reopen redirections
 224 * @skb:        The skb being processed.
 225 * @tproto:     Transport protocol.
 226 * @thoff:      Transport protocol header offset.
 227 * @par:        Iptables target parameters.
 228 * @sk:         The TIME_WAIT TCP socket found by the lookup.
 229 *
 230 * We have to handle SYN packets arriving to TIME_WAIT sockets
 231 * differently: instead of reopening the connection we should rather
 232 * redirect the new connection to the proxy if there's a listener
 233 * socket present.
 234 *
 235 * tproxy_handle_time_wait6() consumes the socket reference passed in.
 236 *
 237 * Returns the listener socket if there's one, the TIME_WAIT socket if
 238 * no such listener is found, or NULL if the TCP header is incomplete.
 239 */
 240static struct sock *
 241tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
 242                         const struct xt_action_param *par,
 243                         struct sock *sk)
 244{
 245        const struct ipv6hdr *iph = ipv6_hdr(skb);
 246        struct tcphdr _hdr, *hp;
 247        const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
 248
 249        hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
 250        if (hp == NULL) {
 251                inet_twsk_put(inet_twsk(sk));
 252                return NULL;
 253        }
 254
 255        if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
 256                /* SYN to a TIME_WAIT socket, we'd rather redirect it
 257                 * to a listener socket if there's one */
 258                struct sock *sk2;
 259
 260                sk2 = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
 261                                            &iph->saddr,
 262                                            tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr),
 263                                            hp->source,
 264                                            tgi->lport ? tgi->lport : hp->dest,
 265                                            skb->dev, NFT_LOOKUP_LISTENER);
 266                if (sk2) {
 267                        inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
 268                        inet_twsk_put(inet_twsk(sk));
 269                        sk = sk2;
 270                }
 271        }
 272
 273        return sk;
 274}
 275
 276static unsigned int
 277tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
 278{
 279        const struct ipv6hdr *iph = ipv6_hdr(skb);
 280        const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
 281        struct udphdr _hdr, *hp;
 282        struct sock *sk;
 283        const struct in6_addr *laddr;
 284        __be16 lport;
 285        int thoff;
 286        int tproto;
 287
 288        tproto = ipv6_find_hdr(skb, &thoff, -1, NULL);
 289        if (tproto < 0) {
 290                pr_debug("unable to find transport header in IPv6 packet, dropping\n");
 291                return NF_DROP;
 292        }
 293
 294        hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
 295        if (hp == NULL) {
 296                pr_debug("unable to grab transport header contents in IPv6 packet, dropping\n");
 297                return NF_DROP;
 298        }
 299
 300        /* check if there's an ongoing connection on the packet
 301         * addresses, this happens if the redirect already happened
 302         * and the current packet belongs to an already established
 303         * connection */
 304        sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
 305                                   &iph->saddr, &iph->daddr,
 306                                   hp->source, hp->dest,
 307                                   par->in, NFT_LOOKUP_ESTABLISHED);
 308
 309        laddr = tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr);
 310        lport = tgi->lport ? tgi->lport : hp->dest;
 311
 312        /* UDP has no TCP_TIME_WAIT state, so we never enter here */
 313        if (sk && sk->sk_state == TCP_TIME_WAIT)
 314                /* reopening a TIME_WAIT connection needs special handling */
 315                sk = tproxy_handle_time_wait6(skb, tproto, thoff, par, sk);
 316        else if (!sk)
 317                /* no there's no established connection, check if
 318                 * there's a listener on the redirected addr/port */
 319                sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
 320                                           &iph->saddr, laddr,
 321                                           hp->source, lport,
 322                                           par->in, NFT_LOOKUP_LISTENER);
 323
 324        /* NOTE: assign_sock consumes our sk reference */
 325        if (sk && tproxy_sk_is_transparent(sk)) {
 326                /* This should be in a separate target, but we don't do multiple
 327                   targets on the same rule yet */
 328                skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
 329
 330                pr_debug("redirecting: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
 331                         tproto, &iph->saddr, ntohs(hp->source),
 332                         laddr, ntohs(lport), skb->mark);
 333
 334                nf_tproxy_assign_sock(skb, sk);
 335                return NF_ACCEPT;
 336        }
 337
 338        pr_debug("no socket, dropping: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
 339                 tproto, &iph->saddr, ntohs(hp->source),
 340                 &iph->daddr, ntohs(hp->dest), skb->mark);
 341
 342        return NF_DROP;
 343}
 344
 345static int tproxy_tg6_check(const struct xt_tgchk_param *par)
 346{
 347        const struct ip6t_ip6 *i = par->entryinfo;
 348
 349        if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
 350            && !(i->flags & IP6T_INV_PROTO))
 351                return 0;
 352
 353        pr_info("Can be used only in combination with "
 354                "either -p tcp or -p udp\n");
 355        return -EINVAL;
 356}
 357#endif
 358
 359static int tproxy_tg4_check(const struct xt_tgchk_param *par)
 360{
 361        const struct ipt_ip *i = par->entryinfo;
 362
 363        if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
 364            && !(i->invflags & IPT_INV_PROTO))
 365                return 0;
 366
 367        pr_info("Can be used only in combination with "
 368                "either -p tcp or -p udp\n");
 369        return -EINVAL;
 370}
 371
 372static struct xt_target tproxy_tg_reg[] __read_mostly = {
 373        {
 374                .name           = "TPROXY",
 375                .family         = NFPROTO_IPV4,
 376                .table          = "mangle",
 377                .target         = tproxy_tg4_v0,
 378                .revision       = 0,
 379                .targetsize     = sizeof(struct xt_tproxy_target_info),
 380                .checkentry     = tproxy_tg4_check,
 381                .hooks          = 1 << NF_INET_PRE_ROUTING,
 382                .me             = THIS_MODULE,
 383        },
 384        {
 385                .name           = "TPROXY",
 386                .family         = NFPROTO_IPV4,
 387                .table          = "mangle",
 388                .target         = tproxy_tg4_v1,
 389                .revision       = 1,
 390                .targetsize     = sizeof(struct xt_tproxy_target_info_v1),
 391                .checkentry     = tproxy_tg4_check,
 392                .hooks          = 1 << NF_INET_PRE_ROUTING,
 393                .me             = THIS_MODULE,
 394        },
 395#ifdef XT_TPROXY_HAVE_IPV6
 396        {
 397                .name           = "TPROXY",
 398                .family         = NFPROTO_IPV6,
 399                .table          = "mangle",
 400                .target         = tproxy_tg6_v1,
 401                .revision       = 1,
 402                .targetsize     = sizeof(struct xt_tproxy_target_info_v1),
 403                .checkentry     = tproxy_tg6_check,
 404                .hooks          = 1 << NF_INET_PRE_ROUTING,
 405                .me             = THIS_MODULE,
 406        },
 407#endif
 408
 409};
 410
 411static int __init tproxy_tg_init(void)
 412{
 413        nf_defrag_ipv4_enable();
 414#ifdef XT_TPROXY_HAVE_IPV6
 415        nf_defrag_ipv6_enable();
 416#endif
 417
 418        return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
 419}
 420
 421static void __exit tproxy_tg_exit(void)
 422{
 423        xt_unregister_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
 424}
 425
 426module_init(tproxy_tg_init);
 427module_exit(tproxy_tg_exit);
 428MODULE_LICENSE("GPL");
 429MODULE_AUTHOR("Balazs Scheidler, Krisztian Kovacs");
 430MODULE_DESCRIPTION("Netfilter transparent proxy (TPROXY) target module.");
 431MODULE_ALIAS("ipt_TPROXY");
 432MODULE_ALIAS("ip6t_TPROXY");
 433