netfilter: iptables tproxy core

The iptables tproxy core is a module that contains the common routines used by various tproxy related modules (TPROXY target and socket match) Signed-off-by: KOVACS Krisztian <hidden@sch.bme.hu> Signed-off-by: Patrick McHardy <kaber@trash.net>
author: KOVACS Krisztian <hidden@sch.bme.hu> 2008-10-08 05:35:12 -0400
committer: Patrick McHardy <kaber@trash.net> 2008-10-08 05:35:12 -0400
commit: 9ad2d745a23853927a19789b034d9eb2e62d78ee (patch)
tree: 6ae36961fcd9c8273f2868d3ca16d9d5f8a8ba5e
parent: 73e4022f78acdbe420e8c24a7afbd90f4c8f5077 (diff)
4 files changed, 146 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_tproxy_core.h b/include/net/netfilter/nf_tproxy_core.h
new file mode 100644
index 000000000000..208b46f4d6d2
--- /dev/null
+++ b/include/net/netfilter/nf_tproxy_core.h
@@ -0,0 +1,32 @@
+#ifndef _NF_TPROXY_CORE_H
+#define _NF_TPROXY_CORE_H
+#include <linux/types.h>
+#include <linux/in.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+#include <net/inet_sock.h>
+#include <net/tcp.h>
+/* look up and get a reference to a matching socket */
+extern struct sock *
+nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
+                      const __be32 saddr, const __be32 daddr,
+                      const __be16 sport, const __be16 dport,
+                      const struct net_device *in, bool listening);
+static inline void
+nf_tproxy_put_sock(struct sock *sk)
+{
+        /* TIME_WAIT inet sockets have to be handled differently */
+        if ((sk->sk_protocol == IPPROTO_TCP) && (sk->sk_state == TCP_TIME_WAIT))
+                inet_twsk_put(inet_twsk(sk));
+        else
+                sock_put(sk);
+}
+/* assign a socket to the skb -- consumes sk */
+int
+nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk);
+#endif
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 4a464857f216..ed1dcfb61e12 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -287,6 +287,21 @@ config NF_CT_NETLINK
        help
          This option enables support for a netlink-based userspace interface
+# transparent proxy support
+config NETFILTER_TPROXY
+        tristate "Transparent proxying support (EXPERIMENTAL)"
+        depends on EXPERIMENTAL
+        depends on IP_NF_MANGLE
+        depends on NETFILTER_ADVANCED
+        help
+          This option enables transparent proxying support, that is,
+          support for handling non-locally bound IPv4 TCP and UDP sockets.
+          For it to work you will have to configure certain iptables rules
+          and use policy routing. For more information on how to set it up
+          see Documentation/networking/tproxy.txt.
+          To compile it as a module, choose M here.  If unsure, say N.
 config NETFILTER_XTABLES
        tristate "Netfilter Xtables support (required for ip_tables)"
        default m if NETFILTER_ADVANCED=n
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index f101cf61e6f8..fc8bbb48d383 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -34,6 +34,9 @@ obj-$(CONFIG_NF_CONNTRACK_SANE) += nf_conntrack_sane.o
 obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o
 obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o
+# transparent proxy support
+obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
 # generic X tables 
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
diff --git a/net/netfilter/nf_tproxy_core.c b/net/netfilter/nf_tproxy_core.c
new file mode 100644
index 000000000000..fe34f4bf74cc
--- /dev/null
+++ b/net/netfilter/nf_tproxy_core.c
@@ -0,0 +1,96 @@
+/*
+ * Transparent proxy support for Linux/iptables
+ *
+ * Copyright (c) 2006-2007 BalaBit IT Ltd.
+ * Author: Balazs Scheidler, Krisztian Kovacs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/version.h>
+#include <linux/module.h>
+#include <linux/net.h>
+#include <linux/if.h>
+#include <linux/netdevice.h>
+#include <net/udp.h>
+#include <net/netfilter/nf_tproxy_core.h>
+struct sock *
+nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
+                      const __be32 saddr, const __be32 daddr,
+                      const __be16 sport, const __be16 dport,
+                      const struct net_device *in, bool listening_only)
+{
+        struct sock *sk;
+        /* look up socket */
+        switch (protocol) {
+        case IPPROTO_TCP:
+                if (listening_only)
+                        sk = __inet_lookup_listener(net, &tcp_hashinfo,
+                                                    daddr, ntohs(dport),
+                                                    in->ifindex);
+                else
+                        sk = __inet_lookup(net, &tcp_hashinfo,
+                                           saddr, sport, daddr, dport,
+                                           in->ifindex);
+                break;
+        case IPPROTO_UDP:
+                sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
+                                     in->ifindex);
+                break;
+        default:
+                WARN_ON(1);
+                sk = NULL;
+        }
+        pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, listener only: %d, sock %p\n",
+                 protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), listening_only, sk);
+        return sk;
+}
+EXPORT_SYMBOL_GPL(nf_tproxy_get_sock_v4);
+static void
+nf_tproxy_destructor(struct sk_buff *skb)
+{
+        struct sock *sk = skb->sk;
+        skb->sk = NULL;
+        skb->destructor = NULL;
+        if (sk)
+                nf_tproxy_put_sock(sk);
+}
+/* consumes sk */
+int
+nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
+{
+        if (inet_sk(sk)->transparent) {
+                skb->sk = sk;
+                skb->destructor = nf_tproxy_destructor;
+                return 1;
+        } else
+                nf_tproxy_put_sock(sk);
+        return 0;
+}
+EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock);
+static int __init nf_tproxy_init(void)
+{
+        pr_info("NF_TPROXY: Transparent proxy support initialized, version 4.1.0\n");
+        pr_info("NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.\n");
+        return 0;
+}
+module_init(nf_tproxy_init);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Krisztian Kovacs");
+MODULE_DESCRIPTION("Transparent proxy support core routines");
author	KOVACS Krisztian <hidden@sch.bme.hu>	2008-10-08 05:35:12 -0400
committer	Patrick McHardy <kaber@trash.net>	2008-10-08 05:35:12 -0400
commit	9ad2d745a23853927a19789b034d9eb2e62d78ee (patch)
tree	6ae36961fcd9c8273f2868d3ca16d9d5f8a8ba5e
parent	73e4022f78acdbe420e8c24a7afbd90f4c8f5077 (diff)

diff --git a/include/net/netfilter/nf_tproxy_core.h b/include/net/netfilter/nf_tproxy_core.h new file mode 100644 index 000000000000..208b46f4d6d2 --- /dev/null +++ b/include/net/netfilter/nf_tproxy_core.h
@@ -0,0 +1,32 @@
		1	#ifndef _NF_TPROXY_CORE_H
		2	#define _NF_TPROXY_CORE_H
		3
		4	#include <linux/types.h>
		5	#include <linux/in.h>
		6	#include <linux/skbuff.h>
		7	#include <net/sock.h>
		8	#include <net/inet_sock.h>
		9	#include <net/tcp.h>
		10
		11	/* look up and get a reference to a matching socket */
		12	extern struct sock *
		13	nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
		14	const __be32 saddr, const __be32 daddr,
		15	const __be16 sport, const __be16 dport,
		16	const struct net_device *in, bool listening);
		17
		18	static inline void
		19	nf_tproxy_put_sock(struct sock *sk)
		20	{
		21	/* TIME_WAIT inet sockets have to be handled differently */
		22	if ((sk->sk_protocol == IPPROTO_TCP) && (sk->sk_state == TCP_TIME_WAIT))
		23	inet_twsk_put(inet_twsk(sk));
		24	else
		25	sock_put(sk);
		26	}
		27
		28	/* assign a socket to the skb -- consumes sk */
		29	int
		30	nf_tproxy_assign_sock(struct sk_buff skb, struct sock sk);
		31
		32	#endif


diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 4a464857f216..ed1dcfb61e12 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -287,6 +287,21 @@ config NF_CT_NETLINK
287	help	287	help
288	This option enables support for a netlink-based userspace interface	288	This option enables support for a netlink-based userspace interface
289		289
		290	# transparent proxy support
		291	config NETFILTER_TPROXY
		292	tristate "Transparent proxying support (EXPERIMENTAL)"
		293	depends on EXPERIMENTAL
		294	depends on IP_NF_MANGLE
		295	depends on NETFILTER_ADVANCED
		296	help
		297	This option enables transparent proxying support, that is,
		298	support for handling non-locally bound IPv4 TCP and UDP sockets.
		299	For it to work you will have to configure certain iptables rules
		300	and use policy routing. For more information on how to set it up
		301	see Documentation/networking/tproxy.txt.
		302
		303	To compile it as a module, choose M here. If unsure, say N.
		304
290	config NETFILTER_XTABLES	305	config NETFILTER_XTABLES
291	tristate "Netfilter Xtables support (required for ip_tables)"	306	tristate "Netfilter Xtables support (required for ip_tables)"
292	default m if NETFILTER_ADVANCED=n	307	default m if NETFILTER_ADVANCED=n


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index f101cf61e6f8..fc8bbb48d383 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -34,6 +34,9 @@ obj-$(CONFIG_NF_CONNTRACK_SANE) += nf_conntrack_sane.o
34	obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o	34	obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o
35	obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o	35	obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o
36		36
		37	# transparent proxy support
		38	obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
		39
37	# generic X tables	40	# generic X tables
38	obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o	41	obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
39		42


diff --git a/net/netfilter/nf_tproxy_core.c b/net/netfilter/nf_tproxy_core.c new file mode 100644 index 000000000000..fe34f4bf74cc --- /dev/null +++ b/net/netfilter/nf_tproxy_core.c
@@ -0,0 +1,96 @@
		1	/*
		2	* Transparent proxy support for Linux/iptables
		3	*
		4	* Copyright (c) 2006-2007 BalaBit IT Ltd.
		5	* Author: Balazs Scheidler, Krisztian Kovacs
		6	*
		7	* This program is free software; you can redistribute it and/or modify
		8	* it under the terms of the GNU General Public License version 2 as
		9	* published by the Free Software Foundation.
		10	*
		11	*/
		12
		13	#include <linux/version.h>
		14	#include <linux/module.h>
		15
		16	#include <linux/net.h>
		17	#include <linux/if.h>
		18	#include <linux/netdevice.h>
		19	#include <net/udp.h>
		20	#include <net/netfilter/nf_tproxy_core.h>
		21
		22	struct sock *
		23	nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
		24	const __be32 saddr, const __be32 daddr,
		25	const __be16 sport, const __be16 dport,
		26	const struct net_device *in, bool listening_only)
		27	{
		28	struct sock *sk;
		29
		30	/* look up socket */
		31	switch (protocol) {
		32	case IPPROTO_TCP:
		33	if (listening_only)
		34	sk = __inet_lookup_listener(net, &tcp_hashinfo,
		35	daddr, ntohs(dport),
		36	in->ifindex);
		37	else
		38	sk = __inet_lookup(net, &tcp_hashinfo,
		39	saddr, sport, daddr, dport,
		40	in->ifindex);
		41	break;
		42	case IPPROTO_UDP:
		43	sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
		44	in->ifindex);
		45	break;
		46	default:
		47	WARN_ON(1);
		48	sk = NULL;
		49	}
		50
		51	pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, listener only: %d, sock %p\n",
		52	protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), listening_only, sk);
		53
		54	return sk;
		55	}
		56	EXPORT_SYMBOL_GPL(nf_tproxy_get_sock_v4);
		57
		58	static void
		59	nf_tproxy_destructor(struct sk_buff *skb)
		60	{
		61	struct sock *sk = skb->sk;
		62
		63	skb->sk = NULL;
		64	skb->destructor = NULL;
		65
		66	if (sk)
		67	nf_tproxy_put_sock(sk);
		68	}
		69
		70	/* consumes sk */
		71	int
		72	nf_tproxy_assign_sock(struct sk_buff skb, struct sock sk)
		73	{
		74	if (inet_sk(sk)->transparent) {
		75	skb->sk = sk;
		76	skb->destructor = nf_tproxy_destructor;
		77	return 1;
		78	} else
		79	nf_tproxy_put_sock(sk);
		80
		81	return 0;
		82	}
		83	EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock);
		84
		85	static int __init nf_tproxy_init(void)
		86	{
		87	pr_info("NF_TPROXY: Transparent proxy support initialized, version 4.1.0\n");
		88	pr_info("NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.\n");
		89	return 0;
		90	}
		91
		92	module_init(nf_tproxy_init);
		93
		94	MODULE_LICENSE("GPL");
		95	MODULE_AUTHOR("Krisztian Kovacs");
		96	MODULE_DESCRIPTION("Transparent proxy support core routines");