authorFlorian Westphal <fw@strlen.de>2013-07-29 09:41:52 -0400
committerPablo Neira Ayuso <pablo@netfilter.org>2013-07-31 10:39:40 -0400
commitfd158d79d33d3c8b693e3e2d8c0e3068d529c2dc (patch)
tree3dce8e6eb4f057fc2924da1535ef5ac10c78be5c /net/netfilter
parent957bec36855f97cc5797fbaaf68b11ac7454df2d (diff)
netfilter: tproxy: remove nf_tproxy_core, keep tw sk assigned to skb
The module was "permanent", due to the special tproxy skb->destructor. Nowadays we have tcp early demux and its sock_edemux destructor in networking core which can be used instead. Thanks to early demux changes the input path now also handles "skb->sk is tw socket" correctly, so this no longer needs the special handling introduced with commit d503b30bd648b3cb4e5f50b65d27e389960cc6d9 (netfilter: tproxy: do not assign timewait sockets to skb->sk). Thus: - move assign_sock function to where it's needed - don't prevent timewait sockets from being assigned to the skb - remove nf_tproxy_core. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/Kconfig22
-rw-r--r--net/netfilter/Makefile3
-rw-r--r--net/netfilter/nf_tproxy_core.c62
-rw-r--r--net/netfilter/xt_TPROXY.c9
4 files changed, 14 insertions, 82 deletions
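--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -410,20 +410,6 @@ config NF_NAT_TFTP
 
 endif # NF_CONNTRACK
 
-# transparent proxy support
-config NETFILTER_TPROXY
-	tristate "Transparent proxying support"
-	depends on IP_NF_MANGLE
-	depends on NETFILTER_ADVANCED
-	help
-	This option enables transparent proxying support, that is,
-	support for handling non-locally bound IPv4 TCP and UDP sockets.
-	For it to work you will have to configure certain iptables rules
-	and use policy routing. For more information on how to set it up
-	see Documentation/networking/tproxy.txt.
-
-	To compile it as a module, choose M here. If unsure, say N.
-
 config NETFILTER_XTABLES
 	tristate "Netfilter Xtables support (required for ip_tables)"
 	default m if NETFILTER_ADVANCED=n
@@ -720,10 +706,10 @@ config NETFILTER_XT_TARGET_TEE
 	this clone be rerouted to another nexthop.
 
 config NETFILTER_XT_TARGET_TPROXY
-	tristate '"TPROXY" target support'
-	depends on NETFILTER_TPROXY
+	tristate '"TPROXY" target transparent proxying support'
 	depends on NETFILTER_XTABLES
 	depends on NETFILTER_ADVANCED
+	depends on IP_NF_MANGLE
 	select NF_DEFRAG_IPV4
 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES
 	help
@@ -731,6 +717,9 @@ config NETFILTER_XT_TARGET_TPROXY
 	REDIRECT. It can only be used in the mangle table and is useful
 	to redirect traffic to a transparent proxy. It does _not_ depend
 	on Netfilter connection tracking and NAT, unlike REDIRECT.
+	For it to work you will have to configure certain iptables rules
+	and use policy routing. For more information on how to set it up
+	see Documentation/networking/tproxy.txt.
 
 	To compile it as a module, choose M here. If unsure, say N.
 
@@ -1180,7 +1169,6 @@ config NETFILTER_XT_MATCH_SCTP
 
 config NETFILTER_XT_MATCH_SOCKET
 	tristate '"socket" match support'
-	depends on NETFILTER_TPROXY
 	depends on NETFILTER_XTABLES
 	depends on NETFILTER_ADVANCED
 	depends on !NF_CONNTRACK || NF_CONNTRACK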
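--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -61,9 +61,6 @@ obj-$(CONFIG_NF_NAT_IRC) += nf_nat_irc.o
 obj-$(CONFIG_NF_NAT_SIP) += nf_nat_sip.o
 obj-$(CONFIG_NF_NAT_TFTP) += nf_nat_tftp.o
 
-# transparent proxy support
-obj-$(CONFIG_NETFILTER_TPROXY) += nf_tproxy_core.o
-
 # generic X tables
 obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
 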
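--- a/net/netfilter/nf_tproxy_core.c
+++ /dev/null
@@ -1,62 +0,0 @@
-/*
- * Transparent proxy support for Linux/iptables
- *
- * Copyright (c) 2006-2007 BalaBit IT Ltd.
- * Author: Balazs Scheidler, Krisztian Kovacs
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
- *
- */
-
-#include <linux/module.h>
-
-#include <linux/net.h>
-#include <linux/if.h>
-#include <linux/netdevice.h>
-#include <net/udp.h>
-#include <net/netfilter/nf_tproxy_core.h>
-
-
-static void
-nf_tproxy_destructor(struct sk_buff *skb)
-{
-	struct sock *sk = skb->sk;
-
-	skb->sk = NULL;
-	skb->destructor = NULL;
-
-	if (sk)
-		sock_put(sk);
-}
-
-/* consumes sk */
-void
-nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
-{
-	/* assigning tw sockets complicates things; most
-	 * skb->sk->X checks would have to test sk->sk_state first */
-	if (sk->sk_state == TCP_TIME_WAIT) {
-		inet_twsk_put(inet_twsk(sk));
-		return;
-	}
-
-	skb_orphan(skb);
-	skb->sk = sk;
-	skb->destructor = nf_tproxy_destructor;
-}
-EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock);
-
-static int __init nf_tproxy_init(void)
-{
-	pr_info("NF_TPROXY: Transparent proxy support initialized, version 4.1.0\n");
-	pr_info("NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.\n");
-	return 0;
-}
-
-module_init(nf_tproxy_init);
-
-MODULE_LICENSE("GPL");
-MODULE_AUTHOR("Krisztian Kovacs");
-MODULE_DESCRIPTION("Transparent proxy support core routines");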
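--- a/net/netfilter/xt_TPROXY.c
+++ b/net/netfilter/xt_TPROXY.c
@@ -117,6 +117,15 @@ tproxy_handle_time_wait4(struct sk_buff *skb, __be32 laddr, __be16 lport,
 	return sk;
 }
 
+/* assign a socket to the skb -- consumes sk */
+static void
+nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
+{
+	skb_orphan(skb);
+	skb->sk = sk;
+	skb->destructor = sock_edemux;
+}
+
 static unsigned int
 tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
 	   u_int32_t mark_mask, u_int32_t mark_value)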
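Review bot: The comment on the new file-local nf_tproxy_assign_sock does not record that it now accepts time-wait sockets, which the deleted nf_tproxy_core.c version rejected explicitly, nor that releasing the reference it consumes is delegated entirely to sock_edemux as skb->destructor. Since nothing else in this hunk drops the reference, the comment should state the contract: `/* assign a socket to the skb -- consumes sk; sk may be a timewait socket, and sock_edemux is relied on to release it with the matching put (inet_twsk_put vs sock_put) */`. The callers tproxy_tg4 and its v6 counterpart are outside the hunk, so it cannot be checked here whether they still read full-socket fields through skb->sk after the assignment; with tw sockets now attached, any such read needs an sk_state check first, as the removed comment warned. skb_orphan() releases a socket the skb already carried before the store, but a NULL sk is not guarded, so the lookup paths are presumably expected never to pass one.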