linux/include/net/netfilter/nf_tproxy.h
   1#ifndef _NF_TPROXY_H_
   2#define _NF_TPROXY_H_
   3
   4#include <net/tcp.h>
   5
/*
 * Which kind of socket a TPROXY lookup (nf_tproxy_get_sock_v4/v6) is asked
 * to find; see the comment above nf_tproxy_get_sock_v4() for how the two
 * classes are matched.
 */
enum nf_tproxy_lookup_t {
	NF_TPROXY_LOOKUP_LISTENER = 0,		/* listening socket on the redirect address/port */
	NF_TPROXY_LOOKUP_ESTABLISHED = 1,	/* established connection matching the packet tuple */
};
  10
/*
 * nf_tproxy_sk_is_transparent - check a looked-up socket for the
 * transparent (IP_TRANSPARENT) flag
 * @sk: socket returned by a TPROXY lookup; the caller's reference is
 *      handed over to this helper.
 *
 * Returns true when @sk is transparent, in which case the caller keeps
 * its reference on @sk. Returns false otherwise -- the reference has then
 * already been dropped via sock_gen_put(), so the caller must not touch
 * @sk after a false return.
 */
static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
{
	const bool transparent = inet_sk_transparent(sk);

	/* A non-transparent socket is not a valid redirect target; give the
	 * lookup reference back here so callers cannot leak it.
	 */
	if (!transparent)
		sock_gen_put(sk);

	return transparent;
}
  19
/*
 * nf_tproxy_assign_sock - assign a socket to the skb -- consumes sk
 * @skb: packet being redirected.
 * @sk:  socket to attach; the caller's reference is transferred to @skb
 *       and released by the sock_edemux destructor when the skb is freed,
 *       so the caller must not put @sk itself afterwards.
 */
static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
{
	/* Detach (and run the destructor of) any socket the skb already
	 * owns; this must happen before skb->sk is overwritten below or the
	 * old reference would leak.
	 */
	skb_orphan(skb);
	skb->sk = sk;
	/* sock_edemux puts the reference on skb->sk when the skb is freed. */
	skb->destructor = sock_edemux;
}
  27
/*
 * nf_tproxy_laddr4 - pick the IPv4 address a packet should be redirected to
 * @skb:        The skb being processed.
 * @user_laddr: Address configured in the rule, or zero for "auto".
 * @daddr:      Destination address of the packet.
 *
 * NOTE(review): the implementation is not in this header; presumably
 * @user_laddr is returned when non-zero and a local address of the
 * incoming device (falling back to @daddr) otherwise -- confirm against
 * net/ipv4/netfilter/nf_tproxy_ipv4.c before relying on it.
 */
__be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr);
  29
/**
 * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
 * @net:        Network namespace.
 * @skb:        The skb being processed.
 * @laddr:      IPv4 address to redirect to or zero.
 * @lport:      TCP port to redirect to or zero.
 * @sk:         The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait4() consumes the socket reference passed in.
 * Whichever socket is returned carries a reference the caller now owns
 * (nf_tproxy_sk_is_transparent() and nf_tproxy_assign_sock() take it
 * over); on a NULL return the reference on @sk has already been dropped.
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
                            __be32 laddr, __be16 lport, struct sock *sk);
  50
/*
 * nf_tproxy_get_sock_v4 - look up the socket a packet should be steered to
 *
 * This is used when the user wants to intercept a connection matching
 * an explicit iptables rule. In this case the sockets are assumed
 * matching in preference order:
 *
 *   - match: if there's a fully established connection matching the
 *     _packet_ tuple, it is returned, assuming the redirection
 *     already took place and we process a packet belonging to an
 *     established connection
 *
 *   - match: if there's a listening socket matching the redirection
 *     (e.g. on-port & on-ip of the connection), it is returned,
 *     regardless if it was bound to 0.0.0.0 or an explicit
 *     address. The reasoning is that if there's an explicit rule, it
 *     does not really matter if the listener is bound to an interface
 *     or to 0. The user already stated that he wants redirection
 *     (since he added the rule).
 *
 * Please note that there's an overlap between what a TPROXY target
 * and a socket match will match. Normally if you have both rules the
 * "socket" match will be the first one, effectively all packets
 * belonging to established connections going through that one.
 *
 * @lookup_type selects which of the two classes above is searched
 * (NF_TPROXY_LOOKUP_ESTABLISHED or NF_TPROXY_LOOKUP_LISTENER); @in is
 * the device the packet arrived on. The returned socket is referenced
 * and the caller owns that reference -- it must either hand it to
 * nf_tproxy_assign_sock() or drop it (nf_tproxy_sk_is_transparent()
 * drops it for non-transparent sockets). NOTE(review): presumably NULL
 * is returned when nothing matches; confirm against the implementation.
 */
struct sock *
nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
                      const u8 protocol,
                      const __be32 saddr, const __be32 daddr,
                      const __be16 sport, const __be16 dport,
                      const struct net_device *in,
                      const enum nf_tproxy_lookup_t lookup_type);
  81
/*
 * nf_tproxy_laddr6 - pick the IPv6 address a packet should be redirected to
 * @skb:        The skb being processed.
 * @user_laddr: Address configured in the rule (unspecified for "auto").
 * @daddr:      Destination address of the packet.
 *
 * IPv6 counterpart of nf_tproxy_laddr4(). NOTE(review): the implementation
 * is not in this header; presumably @user_laddr is returned when it is not
 * the unspecified address and a local address of the incoming device
 * (falling back to @daddr) otherwise -- confirm against
 * net/ipv6/netfilter/nf_tproxy_ipv6.c. The returned pointer refers to
 * either @user_laddr, @daddr or device-owned storage; do not free it.
 */
const struct in6_addr *
nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
                 const struct in6_addr *daddr);
  85
/**
 * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections
 * @skb:        The skb being processed.
 * @tproto:     Transport protocol.
 * @thoff:      Transport protocol header offset.
 * @net:        Network namespace.
 * @laddr:      IPv6 address to redirect to.
 * @lport:      TCP port to redirect to or zero.
 * @sk:         The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait6() consumes the socket reference passed in.
 * Whichever socket is returned carries a reference the caller now owns
 * (nf_tproxy_sk_is_transparent() and nf_tproxy_assign_sock() take it
 * over); on a NULL return the reference on @sk has already been dropped.
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
                            struct net *net,
                            const struct in6_addr *laddr,
                            const __be16 lport,
                            struct sock *sk);
 112
/*
 * nf_tproxy_get_sock_v6 - IPv6 counterpart of nf_tproxy_get_sock_v4()
 * @thoff:       Transport header offset, needed because the transport
 *               header may sit behind IPv6 extension headers.
 * @lookup_type: NF_TPROXY_LOOKUP_ESTABLISHED or NF_TPROXY_LOOKUP_LISTENER;
 *               the matching rules and preference order are described
 *               above nf_tproxy_get_sock_v4().
 *
 * The returned socket is referenced and the caller owns that reference
 * (hand it to nf_tproxy_assign_sock() or drop it; see
 * nf_tproxy_sk_is_transparent()).
 */
struct sock *
nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
                      const u8 protocol,
                      const struct in6_addr *saddr, const struct in6_addr *daddr,
                      const __be16 sport, const __be16 dport,
                      const struct net_device *in,
                      const enum nf_tproxy_lookup_t lookup_type);
 120
 121#endif /* _NF_TPROXY_H_ */