]>
Commit | Line | Data |
---|---|---|
136cdc71 KK |
1 | /* |
2 | * Transparent proxy support for Linux/iptables | |
3 | * | |
4 | * Copyright (C) 2007-2008 BalaBit IT Ltd. | |
5 | * Author: Krisztian Kovacs | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License version 2 as | |
9 | * published by the Free Software Foundation. | |
10 | * | |
11 | */ | |
ff67e4e4 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
136cdc71 KK |
13 | #include <linux/module.h> |
14 | #include <linux/skbuff.h> | |
15 | #include <linux/netfilter/x_tables.h> | |
16 | #include <linux/netfilter_ipv4/ip_tables.h> | |
17 | #include <net/tcp.h> | |
18 | #include <net/udp.h> | |
19 | #include <net/icmp.h> | |
20 | #include <net/sock.h> | |
21 | #include <net/inet_sock.h> | |
136cdc71 | 22 | #include <net/netfilter/ipv4/nf_defrag_ipv4.h> |
f6318e55 | 23 | |
c0cd1156 | 24 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
f6318e55 | 25 | #include <linux/netfilter_ipv6/ip6_tables.h> |
93742cf8 | 26 | #include <net/inet6_hashtables.h> |
b64c9256 | 27 | #include <net/netfilter/ipv6/nf_defrag_ipv6.h> |
f6318e55 | 28 | #endif |
136cdc71 | 29 | |
8db4c5be | 30 | #include <net/netfilter/nf_socket.h> |
a31e1ffd LAT |
31 | #include <linux/netfilter/xt_socket.h> |
32 | ||
93742cf8 FW |
33 | /* "socket" match based redirection (no specific rule) |
34 | * =================================================== | |
35 | * | |
36 | * There are connections with dynamic endpoints (e.g. FTP data | |
37 | * connection) that the user is unable to add explicit rules | |
38 | * for. These are taken care of by a generic "socket" rule. It is | |
39 | * assumed that the proxy application is trusted to open such | |
40 | * connections without explicit iptables rule (except of course the | |
41 | * generic 'socket' rule). In this case the following sockets are | |
42 | * matched in preference order: | |
43 | * | |
44 | * - match: if there's a fully established connection matching the | |
45 | * _packet_ tuple | |
46 | * | |
47 | * - match: if there's a non-zero bound listener (possibly with a | |
48 | * non-local address) We don't accept zero-bound listeners, since | |
49 | * then local services could intercept traffic going through the | |
50 | * box. | |
51 | */ | |
d64d80a2 DB |
52 | static bool |
53 | socket_match(const struct sk_buff *skb, struct xt_action_param *par, | |
54 | const struct xt_socket_mtinfo1 *info) | |
55 | { | |
01555e74 | 56 | struct sk_buff *pskb = (struct sk_buff *)skb; |
d64d80a2 DB |
57 | struct sock *sk = skb->sk; |
58 | ||
00028aa3 | 59 | if (!sk) |
613dbd95 | 60 | sk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par)); |
00028aa3 | 61 | if (sk) { |
a31e1ffd LAT |
62 | bool wildcard; |
63 | bool transparent = true; | |
64 | ||
681f130f ED |
65 | /* Ignore sockets listening on INADDR_ANY, |
66 | * unless XT_SOCKET_NOWILDCARD is set | |
67 | */ | |
68 | wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && | |
a9407000 | 69 | sk_fullsock(sk) && |
c720c7e8 | 70 | inet_sk(sk)->inet_rcv_saddr == 0); |
a31e1ffd LAT |
71 | |
72 | /* Ignore non-transparent sockets, | |
a9407000 ED |
73 | * if XT_SOCKET_TRANSPARENT is used |
74 | */ | |
baf60efa | 75 | if (info->flags & XT_SOCKET_TRANSPARENT) |
8db4c5be | 76 | transparent = nf_sk_is_transparent(sk); |
136cdc71 | 77 | |
01555e74 HH |
78 | if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard && |
79 | transparent) | |
80 | pskb->mark = sk->sk_mark; | |
81 | ||
00028aa3 | 82 | if (sk != skb->sk) |
1a8bf6ee | 83 | sock_gen_put(sk); |
a31e1ffd LAT |
84 | |
85 | if (wildcard || !transparent) | |
136cdc71 KK |
86 | sk = NULL; |
87 | } | |
88 | ||
d64d80a2 | 89 | return sk != NULL; |
136cdc71 KK |
90 | } |
91 | ||
a31e1ffd | 92 | static bool |
b64c9256 | 93 | socket_mt4_v0(const struct sk_buff *skb, struct xt_action_param *par) |
a31e1ffd | 94 | { |
baf60efa ED |
95 | static struct xt_socket_mtinfo1 xt_info_v0 = { |
96 | .flags = 0, | |
97 | }; | |
98 | ||
99 | return socket_match(skb, par, &xt_info_v0); | |
a31e1ffd LAT |
100 | } |
101 | ||
102 | static bool | |
01555e74 | 103 | socket_mt4_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par) |
a31e1ffd LAT |
104 | { |
105 | return socket_match(skb, par, par->matchinfo); | |
106 | } | |
107 | ||
8db4c5be | 108 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
d64d80a2 | 109 | static bool |
01555e74 | 110 | socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par) |
d64d80a2 DB |
111 | { |
112 | const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; | |
01555e74 | 113 | struct sk_buff *pskb = (struct sk_buff *)skb; |
d64d80a2 DB |
114 | struct sock *sk = skb->sk; |
115 | ||
00028aa3 | 116 | if (!sk) |
613dbd95 | 117 | sk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par)); |
00028aa3 | 118 | if (sk) { |
b64c9256 BS |
119 | bool wildcard; |
120 | bool transparent = true; | |
121 | ||
681f130f ED |
122 | /* Ignore sockets listening on INADDR_ANY |
123 | * unless XT_SOCKET_NOWILDCARD is set | |
124 | */ | |
125 | wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && | |
a9407000 | 126 | sk_fullsock(sk) && |
efe4208f | 127 | ipv6_addr_any(&sk->sk_v6_rcv_saddr)); |
b64c9256 BS |
128 | |
129 | /* Ignore non-transparent sockets, | |
a9407000 ED |
130 | * if XT_SOCKET_TRANSPARENT is used |
131 | */ | |
baf60efa | 132 | if (info->flags & XT_SOCKET_TRANSPARENT) |
8db4c5be | 133 | transparent = nf_sk_is_transparent(sk); |
b64c9256 | 134 | |
01555e74 HH |
135 | if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard && |
136 | transparent) | |
137 | pskb->mark = sk->sk_mark; | |
138 | ||
00028aa3 | 139 | if (sk != skb->sk) |
1a8bf6ee | 140 | sock_gen_put(sk); |
b64c9256 BS |
141 | |
142 | if (wildcard || !transparent) | |
143 | sk = NULL; | |
144 | } | |
145 | ||
d64d80a2 | 146 | return sk != NULL; |
b64c9256 BS |
147 | } |
148 | #endif | |
149 | ||
834184b1 FW |
150 | static int socket_mt_enable_defrag(struct net *net, int family) |
151 | { | |
152 | switch (family) { | |
153 | case NFPROTO_IPV4: | |
154 | return nf_defrag_ipv4_enable(net); | |
155 | #ifdef XT_SOCKET_HAVE_IPV6 | |
156 | case NFPROTO_IPV6: | |
157 | return nf_defrag_ipv6_enable(net); | |
158 | #endif | |
159 | } | |
160 | WARN_ONCE(1, "Unknown family %d\n", family); | |
161 | return 0; | |
162 | } | |
163 | ||
681f130f ED |
164 | static int socket_mt_v1_check(const struct xt_mtchk_param *par) |
165 | { | |
166 | const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; | |
834184b1 FW |
167 | int err; |
168 | ||
169 | err = socket_mt_enable_defrag(par->net, par->family); | |
170 | if (err) | |
171 | return err; | |
681f130f ED |
172 | |
173 | if (info->flags & ~XT_SOCKET_FLAGS_V1) { | |
174 | pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1); | |
175 | return -EINVAL; | |
176 | } | |
177 | return 0; | |
178 | } | |
179 | ||
180 | static int socket_mt_v2_check(const struct xt_mtchk_param *par) | |
181 | { | |
182 | const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo; | |
834184b1 FW |
183 | int err; |
184 | ||
185 | err = socket_mt_enable_defrag(par->net, par->family); | |
186 | if (err) | |
187 | return err; | |
681f130f ED |
188 | |
189 | if (info->flags & ~XT_SOCKET_FLAGS_V2) { | |
190 | pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2); | |
191 | return -EINVAL; | |
192 | } | |
193 | return 0; | |
194 | } | |
195 | ||
01555e74 HH |
196 | static int socket_mt_v3_check(const struct xt_mtchk_param *par) |
197 | { | |
198 | const struct xt_socket_mtinfo3 *info = | |
199 | (struct xt_socket_mtinfo3 *)par->matchinfo; | |
834184b1 | 200 | int err; |
01555e74 | 201 | |
834184b1 FW |
202 | err = socket_mt_enable_defrag(par->net, par->family); |
203 | if (err) | |
204 | return err; | |
01555e74 HH |
205 | if (info->flags & ~XT_SOCKET_FLAGS_V3) { |
206 | pr_info("unknown flags 0x%x\n", | |
207 | info->flags & ~XT_SOCKET_FLAGS_V3); | |
208 | return -EINVAL; | |
209 | } | |
210 | return 0; | |
211 | } | |
212 | ||
a31e1ffd LAT |
213 | static struct xt_match socket_mt_reg[] __read_mostly = { |
214 | { | |
215 | .name = "socket", | |
216 | .revision = 0, | |
217 | .family = NFPROTO_IPV4, | |
b64c9256 | 218 | .match = socket_mt4_v0, |
aa3c487f JE |
219 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
220 | (1 << NF_INET_LOCAL_IN), | |
a31e1ffd LAT |
221 | .me = THIS_MODULE, |
222 | }, | |
223 | { | |
224 | .name = "socket", | |
225 | .revision = 1, | |
226 | .family = NFPROTO_IPV4, | |
01555e74 | 227 | .match = socket_mt4_v1_v2_v3, |
681f130f | 228 | .checkentry = socket_mt_v1_check, |
a31e1ffd | 229 | .matchsize = sizeof(struct xt_socket_mtinfo1), |
aa3c487f JE |
230 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
231 | (1 << NF_INET_LOCAL_IN), | |
a31e1ffd LAT |
232 | .me = THIS_MODULE, |
233 | }, | |
8db4c5be | 234 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
b64c9256 BS |
235 | { |
236 | .name = "socket", | |
237 | .revision = 1, | |
238 | .family = NFPROTO_IPV6, | |
01555e74 | 239 | .match = socket_mt6_v1_v2_v3, |
681f130f ED |
240 | .checkentry = socket_mt_v1_check, |
241 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
242 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
243 | (1 << NF_INET_LOCAL_IN), | |
244 | .me = THIS_MODULE, | |
245 | }, | |
246 | #endif | |
247 | { | |
248 | .name = "socket", | |
249 | .revision = 2, | |
250 | .family = NFPROTO_IPV4, | |
01555e74 | 251 | .match = socket_mt4_v1_v2_v3, |
681f130f ED |
252 | .checkentry = socket_mt_v2_check, |
253 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
254 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
255 | (1 << NF_INET_LOCAL_IN), | |
256 | .me = THIS_MODULE, | |
257 | }, | |
8db4c5be | 258 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
681f130f ED |
259 | { |
260 | .name = "socket", | |
261 | .revision = 2, | |
262 | .family = NFPROTO_IPV6, | |
01555e74 | 263 | .match = socket_mt6_v1_v2_v3, |
681f130f | 264 | .checkentry = socket_mt_v2_check, |
b64c9256 BS |
265 | .matchsize = sizeof(struct xt_socket_mtinfo1), |
266 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
267 | (1 << NF_INET_LOCAL_IN), | |
268 | .me = THIS_MODULE, | |
269 | }, | |
01555e74 HH |
270 | #endif |
271 | { | |
272 | .name = "socket", | |
273 | .revision = 3, | |
274 | .family = NFPROTO_IPV4, | |
275 | .match = socket_mt4_v1_v2_v3, | |
276 | .checkentry = socket_mt_v3_check, | |
277 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
278 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
279 | (1 << NF_INET_LOCAL_IN), | |
280 | .me = THIS_MODULE, | |
281 | }, | |
8db4c5be | 282 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
01555e74 HH |
283 | { |
284 | .name = "socket", | |
285 | .revision = 3, | |
286 | .family = NFPROTO_IPV6, | |
287 | .match = socket_mt6_v1_v2_v3, | |
288 | .checkentry = socket_mt_v3_check, | |
289 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
290 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
291 | (1 << NF_INET_LOCAL_IN), | |
292 | .me = THIS_MODULE, | |
293 | }, | |
b64c9256 | 294 | #endif |
136cdc71 KK |
295 | }; |
296 | ||
297 | static int __init socket_mt_init(void) | |
298 | { | |
a31e1ffd | 299 | return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); |
136cdc71 KK |
300 | } |
301 | ||
302 | static void __exit socket_mt_exit(void) | |
303 | { | |
a31e1ffd | 304 | xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); |
136cdc71 KK |
305 | } |
306 | ||
307 | module_init(socket_mt_init); | |
308 | module_exit(socket_mt_exit); | |
309 | ||
310 | MODULE_LICENSE("GPL"); | |
311 | MODULE_AUTHOR("Krisztian Kovacs, Balazs Scheidler"); | |
312 | MODULE_DESCRIPTION("x_tables socket match module"); | |
313 | MODULE_ALIAS("ipt_socket"); | |
b64c9256 | 314 | MODULE_ALIAS("ip6t_socket"); |