Warning: This file is not a C or C++ file. It does not have highlighting.
| 1 | #ifndef _NF_TPROXY_H_ |
|---|---|
| 2 | #define _NF_TPROXY_H_ |
| 3 | |
| 4 | #include <net/tcp.h> |
| 5 | |
| 6 | enum nf_tproxy_lookup_t { |
| 7 | NF_TPROXY_LOOKUP_LISTENER, |
| 8 | NF_TPROXY_LOOKUP_ESTABLISHED, |
| 9 | }; |
| 10 | |
| 11 | static inline bool nf_tproxy_sk_is_transparent(struct sock *sk) |
| 12 | { |
| 13 | if (inet_sk_transparent(sk)) |
| 14 | return true; |
| 15 | |
| 16 | sock_gen_put(sk); |
| 17 | return false; |
| 18 | } |
| 19 | |
| 20 | static inline void nf_tproxy_twsk_deschedule_put(struct inet_timewait_sock *tw) |
| 21 | { |
| 22 | local_bh_disable(); |
| 23 | inet_twsk_deschedule_put(tw); |
| 24 | local_bh_enable(); |
| 25 | } |
| 26 | |
| 27 | /* assign a socket to the skb -- consumes sk */ |
| 28 | static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk) |
| 29 | { |
| 30 | skb_orphan(skb); |
| 31 | skb->sk = sk; |
| 32 | skb->destructor = sock_edemux; |
| 33 | } |
| 34 | |
| 35 | __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr); |
| 36 | |
| 37 | /** |
| 38 | * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections |
| 39 | * @skb: The skb being processed. |
| 40 | * @laddr: IPv4 address to redirect to or zero. |
| 41 | * @lport: TCP port to redirect to or zero. |
| 42 | * @sk: The TIME_WAIT TCP socket found by the lookup. |
| 43 | * |
| 44 | * We have to handle SYN packets arriving to TIME_WAIT sockets |
| 45 | * differently: instead of reopening the connection we should rather |
| 46 | * redirect the new connection to the proxy if there's a listener |
| 47 | * socket present. |
| 48 | * |
| 49 | * nf_tproxy_handle_time_wait4() consumes the socket reference passed in. |
| 50 | * |
| 51 | * Returns the listener socket if there's one, the TIME_WAIT socket if |
| 52 | * no such listener is found, or NULL if the TCP header is incomplete. |
| 53 | */ |
| 54 | struct sock * |
| 55 | nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb, |
| 56 | __be32 laddr, __be16 lport, struct sock *sk); |
| 57 | |
| 58 | /* |
| 59 | * This is used when the user wants to intercept a connection matching |
| 60 | * an explicit iptables rule. In this case the sockets are assumed |
| 61 | * matching in preference order: |
| 62 | * |
| 63 | * - match: if there's a fully established connection matching the |
| 64 | * _packet_ tuple, it is returned, assuming the redirection |
| 65 | * already took place and we process a packet belonging to an |
| 66 | * established connection |
| 67 | * |
| 68 | * - match: if there's a listening socket matching the redirection |
| 69 | * (e.g. on-port & on-ip of the connection), it is returned, |
| 70 | * regardless if it was bound to 0.0.0.0 or an explicit |
| 71 | * address. The reasoning is that if there's an explicit rule, it |
| 72 | * does not really matter if the listener is bound to an interface |
| 73 | * or to 0. The user already stated that he wants redirection |
| 74 | * (since he added the rule). |
| 75 | * |
| 76 | * Please note that there's an overlap between what a TPROXY target |
| 77 | * and a socket match will match. Normally if you have both rules the |
| 78 | * "socket" match will be the first one, effectively all packets |
| 79 | * belonging to established connections going through that one. |
| 80 | */ |
| 81 | struct sock * |
| 82 | nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb, |
| 83 | const u8 protocol, |
| 84 | const __be32 saddr, const __be32 daddr, |
| 85 | const __be16 sport, const __be16 dport, |
| 86 | const struct net_device *in, |
| 87 | const enum nf_tproxy_lookup_t lookup_type); |
| 88 | |
| 89 | const struct in6_addr * |
| 90 | nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr, |
| 91 | const struct in6_addr *daddr); |
| 92 | |
| 93 | /** |
| 94 | * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections |
| 95 | * @skb: The skb being processed. |
| 96 | * @tproto: Transport protocol. |
| 97 | * @thoff: Transport protocol header offset. |
| 98 | * @net: Network namespace. |
| 99 | * @laddr: IPv6 address to redirect to. |
| 100 | * @lport: TCP port to redirect to or zero. |
| 101 | * @sk: The TIME_WAIT TCP socket found by the lookup. |
| 102 | * |
| 103 | * We have to handle SYN packets arriving to TIME_WAIT sockets |
| 104 | * differently: instead of reopening the connection we should rather |
| 105 | * redirect the new connection to the proxy if there's a listener |
| 106 | * socket present. |
| 107 | * |
| 108 | * nf_tproxy_handle_time_wait6() consumes the socket reference passed in. |
| 109 | * |
| 110 | * Returns the listener socket if there's one, the TIME_WAIT socket if |
| 111 | * no such listener is found, or NULL if the TCP header is incomplete. |
| 112 | */ |
| 113 | struct sock * |
| 114 | nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff, |
| 115 | struct net *net, |
| 116 | const struct in6_addr *laddr, |
| 117 | const __be16 lport, |
| 118 | struct sock *sk); |
| 119 | |
| 120 | struct sock * |
| 121 | nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff, |
| 122 | const u8 protocol, |
| 123 | const struct in6_addr *saddr, const struct in6_addr *daddr, |
| 124 | const __be16 sport, const __be16 dport, |
| 125 | const struct net_device *in, |
| 126 | const enum nf_tproxy_lookup_t lookup_type); |
| 127 | |
| 128 | #endif /* _NF_TPROXY_H_ */ |
| 129 |
Warning: This file is not a C or C++ file. It does not have highlighting.