author | Florian Westphal <fw@strlen.de> | 2013-07-29 09:41:52 -0400 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-07-31 10:39:40 -0400 |
commit | fd158d79d33d3c8b693e3e2d8c0e3068d529c2dc (patch) | |
tree | 3dce8e6eb4f057fc2924da1535ef5ac10c78be5c /net/netfilter | |
parent | 957bec36855f97cc5797fbaaf68b11ac7454df2d (diff) |
netfilter: tproxy: remove nf_tproxy_core, keep tw sk assigned to skb
The module was "permanent" (it could never be unloaded), because freed skbs could still point at its special tproxy skb->destructor.
Nowadays we have tcp early demux and its sock_edemux destructor in
networking core which can be used instead.
Thanks to early demux changes the input path now also handles
"skb->sk is tw socket" correctly, so this no longer needs the special
handling introduced with commit d503b30bd648b3cb4e5f50b65d27e389960cc6d9
(netfilter: tproxy: do not assign timewait sockets to skb->sk).
Thus:
- move assign_sock function to where its needed
- don't prevent timewait sockets from being assigned to the skb
- remove nf_tproxy_core.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r-- | net/netfilter/Kconfig | 22 | ||||
-rw-r--r-- | net/netfilter/Makefile | 3 | ||||
-rw-r--r-- | net/netfilter/nf_tproxy_core.c | 62 | ||||
-rw-r--r-- | net/netfilter/xt_TPROXY.c | 9 |
4 files changed, 14 insertions, 82 deletions
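--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -410,20 +410,6 @@ config NF_NAT_TFTP
 
 endif # NF_CONNTRACK
 
-# transparent proxy support
-config NETFILTER_TPROXY
-tristate "Transparent proxying support"
-depends on IP_NF_MANGLE
-depends on NETFILTER_ADVANCED
-help
-This option enables transparent proxying support, that is,
-support for handling non-locally bound IPv4 TCP and UDP sockets.
-For it to work you will have to configure certain iptables rules
-and use policy routing. For more information on how to set it up
-see Documentation/networking/tproxy.txt.
-
-To compile it as a module, choose M here. If unsure, say N.
-
 config NETFILTER_XTABLES
 tristate "Netfilter Xtables support (required for ip_tables)"
 default m if NETFILTER_ADVANCED=n
@@ -720,10 +706,10 @@ config NETFILTER_XT_TARGET_TEE
 this clone be rerouted to another nexthop.
 
 config NETFILTER_XT_TARGET_TPROXY
-tristate '"TPROXY" target support'
-depends on NETFILTER_TPROXY
+tristate '"TPROXY" target transparent proxying support'
 depends on NETFILTER_XTABLES
 depends on NETFILTER_ADVANCED
+depends on IP_NF_MANGLE
 select NF_DEFRAG_IPV4
 select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
 help
@@ -731,6 +717,9 @@ config NETFILTER_XT_TARGET_TPROXY
 REDIRECT. It can only be used in the mangle table and is useful
 to redirect traffic to a transparent proxy. It does _not_ depend
 on Netfilter connection tracking and NAT, unlike REDIRECT.
+For it to work you will have to configure certain iptables rules
+and use policy routing. For more information on how to set it up
+see Documentation/networking/tproxy.txt.
 
 To compile it as a module, choose M here. If unsure, say N.
 
@@ -1180,7 +1169,6 @@ config NETFILTER_XT_MATCH_SCTP
 
 config NETFILTER_XT_MATCH_SOCKET
 tristate '"socket" match support'
-depends on NETFILTER_TPROXY
 depends on NETFILTER_XTABLES
 depends on NETFILTER_ADVANCED
 depends on !NF_CONNTRACK || NF_CONNTRACK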
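Review bot: In the NETFILTER_XT_MATCH_SOCKET hunk the removed `depends on NETFILTER_TPROXY` also carried, transitively, the `depends on IP_NF_MANGLE` that the deleted NETFILTER_TPROXY entry declared; the TPROXY target hunk re-adds `depends on IP_NF_MANGLE` explicitly, but the socket match does not. If the match never needed the mangle table this is the right simplification, but it silently widens the configurations the option can be built in, and the entry's depends list continues past the end of the hunk, so a later line may or may not already cover it. If the drop is intentional, one sentence in the commit description saying so would save the next reader from re-deriving it.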
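--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -61,9 +61,6 @@ obj-$(CONFIG_NF_NAT_IRC) += nf_nat_irc.o
 obj-$(CONFIG_NF_NAT_SIP) += nf_nat_sip.o
 obj-$(CONFIG_NF_NAT_TFTP) += nf_nat_tftp.o
 
-# transparent proxy support
-obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
-
 # generic X tables
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 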
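--- a/net/netfilter/nf_tproxy_core.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
-* Transparent proxy support for Linux/iptables
-*
-* Copyright (c) 2006-2007 BalaBit IT Ltd.
-* Author: Balazs Scheidler, Krisztian Kovacs
-*
-* This program is free software; you can redistribute it and/or modify
-* it under the terms of the GNU General Public License version 2 as
-* published by the Free Software Foundation.
-*
-*/
-
-#include <linux/module.h>
-
-#include <linux/net.h>
-#include <linux/if.h>
-#include <linux/netdevice.h>
-#include <net/udp.h>
-#include <net/netfilter/nf_tproxy_core.h>
-
-
-static void
-nf_tproxy_destructor(struct sk_buff *skb)
-{
-struct sock *sk = skb->sk;
-
-skb->sk = NULL;
-skb->destructor = NULL;
-
-if (sk)
-sock_put(sk);
-}
-
-/* consumes sk */
-void
-nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
-{
-/* assigning tw sockets complicates things; most
-* skb->sk->X checks would have to test sk->sk_state first */
-if (sk->sk_state == TCP_TIME_WAIT) {
-inet_twsk_put(inet_twsk(sk));
-return;
-}
-
-skb_orphan(skb);
-skb->sk = sk;
-skb->destructor = nf_tproxy_destructor;
-}
-EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock);
-
-static int __init nf_tproxy_init(void)
-{
-pr_info("NF_TPROXY: Transparent proxy support initialized, version 4.1.0\n");
-pr_info("NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.\n");
-return 0;
-}
-
-module_init(nf_tproxy_init);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Krisztian Kovacs");
-MODULE_DESCRIPTION("Transparent proxy support core routines");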
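--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -117,6 +117,15 @@ tproxy_handle_time_wait4(struct sk_buff *skb, __be32 laddr, __be16 lport,
 return sk;
 }
 
+/* assign a socket to the skb -- consumes sk */
+static void
+nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
+{
+skb_orphan(skb);
+skb->sk = sk;
+skb->destructor = sock_edemux;
+}
+
 static unsigned int
 tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
 u_int32_t mark_mask, u_int32_t mark_value)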
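Review bot: The new helper's one-line comment `/* assign a socket to the skb -- consumes sk */` drops the caveat the deleted nf_tproxy_core.c version carried: since the TCP_TIME_WAIT early-return is gone, callers may now attach a timewait socket, and every later `skb->sk->X` access on this path has to test `sk->sk_state` first because an inet_timewait_sock is not a full struct sock. I would keep that warning next to the code and also say which reference is handed over, e.g. `/* assign a socket to the skb -- consumes the lookup reference on sk; sk may be a TIME_WAIT socket, so readers of skb->sk must check sk_state first; sock_edemux drops the matching reference type when the skb is freed */`. The commit message argues the input path is now tw-aware thanks to early demux; the callers tproxy_tg4/tproxy_tg6 sit outside this hunk, so whether they still perform their own sk_state checks cannot be confirmed from here and is worth a look before merging.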