]>
Commit | Line | Data |
---|---|---|
136cdc71 KK |
1 | /* |
2 | * Transparent proxy support for Linux/iptables | |
3 | * | |
4 | * Copyright (C) 2007-2008 BalaBit IT Ltd. | |
5 | * Author: Krisztian Kovacs | |
6 | * | |
7 | * This program is free software; you can redistribute it and/or modify | |
8 | * it under the terms of the GNU General Public License version 2 as | |
9 | * published by the Free Software Foundation. | |
10 | * | |
11 | */ | |
ff67e4e4 | 12 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
136cdc71 KK |
13 | #include <linux/module.h> |
14 | #include <linux/skbuff.h> | |
15 | #include <linux/netfilter/x_tables.h> | |
16 | #include <linux/netfilter_ipv4/ip_tables.h> | |
17 | #include <net/tcp.h> | |
18 | #include <net/udp.h> | |
19 | #include <net/icmp.h> | |
20 | #include <net/sock.h> | |
21 | #include <net/inet_sock.h> | |
136cdc71 | 22 | #include <net/netfilter/ipv4/nf_defrag_ipv4.h> |
f6318e55 | 23 | |
c0cd1156 | 24 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
f6318e55 | 25 | #include <linux/netfilter_ipv6/ip6_tables.h> |
93742cf8 | 26 | #include <net/inet6_hashtables.h> |
b64c9256 | 27 | #include <net/netfilter/ipv6/nf_defrag_ipv6.h> |
f6318e55 | 28 | #endif |
136cdc71 | 29 | |
8db4c5be | 30 | #include <net/netfilter/nf_socket.h> |
a31e1ffd LAT |
31 | #include <linux/netfilter/xt_socket.h> |
32 | ||
93742cf8 FW |
33 | /* "socket" match based redirection (no specific rule) |
34 | * =================================================== | |
35 | * | |
36 | * There are connections with dynamic endpoints (e.g. FTP data | |
37 | * connection) that the user is unable to add explicit rules | |
38 | * for. These are taken care of by a generic "socket" rule. It is | |
39 | * assumed that the proxy application is trusted to open such | |
40 | * connections without explicit iptables rule (except of course the | |
41 | * generic 'socket' rule). In this case the following sockets are | |
42 | * matched in preference order: | |
43 | * | |
44 | * - match: if there's a fully established connection matching the | |
45 | * _packet_ tuple | |
46 | * | |
47 | * - match: if there's a non-zero bound listener (possibly with a | |
48 | * non-local address) We don't accept zero-bound listeners, since | |
49 | * then local services could intercept traffic going through the | |
50 | * box. | |
51 | */ | |
d64d80a2 DB |
52 | static bool |
53 | socket_match(const struct sk_buff *skb, struct xt_action_param *par, | |
54 | const struct xt_socket_mtinfo1 *info) | |
55 | { | |
01555e74 | 56 | struct sk_buff *pskb = (struct sk_buff *)skb; |
d64d80a2 DB |
57 | struct sock *sk = skb->sk; |
58 | ||
00028aa3 | 59 | if (!sk) |
613dbd95 | 60 | sk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par)); |
00028aa3 | 61 | if (sk) { |
a31e1ffd LAT |
62 | bool wildcard; |
63 | bool transparent = true; | |
64 | ||
681f130f ED |
65 | /* Ignore sockets listening on INADDR_ANY, |
66 | * unless XT_SOCKET_NOWILDCARD is set | |
67 | */ | |
68 | wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && | |
a9407000 | 69 | sk_fullsock(sk) && |
c720c7e8 | 70 | inet_sk(sk)->inet_rcv_saddr == 0); |
a31e1ffd LAT |
71 | |
72 | /* Ignore non-transparent sockets, | |
a9407000 ED |
73 | * if XT_SOCKET_TRANSPARENT is used |
74 | */ | |
baf60efa | 75 | if (info->flags & XT_SOCKET_TRANSPARENT) |
8db4c5be | 76 | transparent = nf_sk_is_transparent(sk); |
136cdc71 | 77 | |
01555e74 HH |
78 | if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard && |
79 | transparent) | |
80 | pskb->mark = sk->sk_mark; | |
81 | ||
00028aa3 | 82 | if (sk != skb->sk) |
1a8bf6ee | 83 | sock_gen_put(sk); |
a31e1ffd LAT |
84 | |
85 | if (wildcard || !transparent) | |
136cdc71 KK |
86 | sk = NULL; |
87 | } | |
88 | ||
d64d80a2 | 89 | return sk != NULL; |
136cdc71 KK |
90 | } |
91 | ||
a31e1ffd | 92 | static bool |
b64c9256 | 93 | socket_mt4_v0(const struct sk_buff *skb, struct xt_action_param *par) |
a31e1ffd | 94 | { |
baf60efa ED |
95 | static struct xt_socket_mtinfo1 xt_info_v0 = { |
96 | .flags = 0, | |
97 | }; | |
98 | ||
99 | return socket_match(skb, par, &xt_info_v0); | |
a31e1ffd LAT |
100 | } |
101 | ||
102 | static bool | |
01555e74 | 103 | socket_mt4_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par) |
a31e1ffd LAT |
104 | { |
105 | return socket_match(skb, par, par->matchinfo); | |
106 | } | |
107 | ||
8db4c5be | 108 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
d64d80a2 | 109 | static bool |
01555e74 | 110 | socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par) |
d64d80a2 DB |
111 | { |
112 | const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; | |
01555e74 | 113 | struct sk_buff *pskb = (struct sk_buff *)skb; |
d64d80a2 DB |
114 | struct sock *sk = skb->sk; |
115 | ||
00028aa3 | 116 | if (!sk) |
613dbd95 | 117 | sk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par)); |
00028aa3 | 118 | if (sk) { |
b64c9256 BS |
119 | bool wildcard; |
120 | bool transparent = true; | |
121 | ||
681f130f ED |
122 | /* Ignore sockets listening on INADDR_ANY |
123 | * unless XT_SOCKET_NOWILDCARD is set | |
124 | */ | |
125 | wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && | |
a9407000 | 126 | sk_fullsock(sk) && |
efe4208f | 127 | ipv6_addr_any(&sk->sk_v6_rcv_saddr)); |
b64c9256 BS |
128 | |
129 | /* Ignore non-transparent sockets, | |
a9407000 ED |
130 | * if XT_SOCKET_TRANSPARENT is used |
131 | */ | |
baf60efa | 132 | if (info->flags & XT_SOCKET_TRANSPARENT) |
8db4c5be | 133 | transparent = nf_sk_is_transparent(sk); |
b64c9256 | 134 | |
01555e74 HH |
135 | if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard && |
136 | transparent) | |
137 | pskb->mark = sk->sk_mark; | |
138 | ||
00028aa3 | 139 | if (sk != skb->sk) |
1a8bf6ee | 140 | sock_gen_put(sk); |
b64c9256 BS |
141 | |
142 | if (wildcard || !transparent) | |
143 | sk = NULL; | |
144 | } | |
145 | ||
d64d80a2 | 146 | return sk != NULL; |
b64c9256 BS |
147 | } |
148 | #endif | |
149 | ||
681f130f ED |
150 | static int socket_mt_v1_check(const struct xt_mtchk_param *par) |
151 | { | |
152 | const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; | |
153 | ||
154 | if (info->flags & ~XT_SOCKET_FLAGS_V1) { | |
155 | pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1); | |
156 | return -EINVAL; | |
157 | } | |
158 | return 0; | |
159 | } | |
160 | ||
161 | static int socket_mt_v2_check(const struct xt_mtchk_param *par) | |
162 | { | |
163 | const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo; | |
164 | ||
165 | if (info->flags & ~XT_SOCKET_FLAGS_V2) { | |
166 | pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2); | |
167 | return -EINVAL; | |
168 | } | |
169 | return 0; | |
170 | } | |
171 | ||
01555e74 HH |
172 | static int socket_mt_v3_check(const struct xt_mtchk_param *par) |
173 | { | |
174 | const struct xt_socket_mtinfo3 *info = | |
175 | (struct xt_socket_mtinfo3 *)par->matchinfo; | |
176 | ||
177 | if (info->flags & ~XT_SOCKET_FLAGS_V3) { | |
178 | pr_info("unknown flags 0x%x\n", | |
179 | info->flags & ~XT_SOCKET_FLAGS_V3); | |
180 | return -EINVAL; | |
181 | } | |
182 | return 0; | |
183 | } | |
184 | ||
a31e1ffd LAT |
185 | static struct xt_match socket_mt_reg[] __read_mostly = { |
186 | { | |
187 | .name = "socket", | |
188 | .revision = 0, | |
189 | .family = NFPROTO_IPV4, | |
b64c9256 | 190 | .match = socket_mt4_v0, |
aa3c487f JE |
191 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
192 | (1 << NF_INET_LOCAL_IN), | |
a31e1ffd LAT |
193 | .me = THIS_MODULE, |
194 | }, | |
195 | { | |
196 | .name = "socket", | |
197 | .revision = 1, | |
198 | .family = NFPROTO_IPV4, | |
01555e74 | 199 | .match = socket_mt4_v1_v2_v3, |
681f130f | 200 | .checkentry = socket_mt_v1_check, |
a31e1ffd | 201 | .matchsize = sizeof(struct xt_socket_mtinfo1), |
aa3c487f JE |
202 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
203 | (1 << NF_INET_LOCAL_IN), | |
a31e1ffd LAT |
204 | .me = THIS_MODULE, |
205 | }, | |
8db4c5be | 206 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
b64c9256 BS |
207 | { |
208 | .name = "socket", | |
209 | .revision = 1, | |
210 | .family = NFPROTO_IPV6, | |
01555e74 | 211 | .match = socket_mt6_v1_v2_v3, |
681f130f ED |
212 | .checkentry = socket_mt_v1_check, |
213 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
214 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
215 | (1 << NF_INET_LOCAL_IN), | |
216 | .me = THIS_MODULE, | |
217 | }, | |
218 | #endif | |
219 | { | |
220 | .name = "socket", | |
221 | .revision = 2, | |
222 | .family = NFPROTO_IPV4, | |
01555e74 | 223 | .match = socket_mt4_v1_v2_v3, |
681f130f ED |
224 | .checkentry = socket_mt_v2_check, |
225 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
226 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
227 | (1 << NF_INET_LOCAL_IN), | |
228 | .me = THIS_MODULE, | |
229 | }, | |
8db4c5be | 230 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
681f130f ED |
231 | { |
232 | .name = "socket", | |
233 | .revision = 2, | |
234 | .family = NFPROTO_IPV6, | |
01555e74 | 235 | .match = socket_mt6_v1_v2_v3, |
681f130f | 236 | .checkentry = socket_mt_v2_check, |
b64c9256 BS |
237 | .matchsize = sizeof(struct xt_socket_mtinfo1), |
238 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
239 | (1 << NF_INET_LOCAL_IN), | |
240 | .me = THIS_MODULE, | |
241 | }, | |
01555e74 HH |
242 | #endif |
243 | { | |
244 | .name = "socket", | |
245 | .revision = 3, | |
246 | .family = NFPROTO_IPV4, | |
247 | .match = socket_mt4_v1_v2_v3, | |
248 | .checkentry = socket_mt_v3_check, | |
249 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
250 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
251 | (1 << NF_INET_LOCAL_IN), | |
252 | .me = THIS_MODULE, | |
253 | }, | |
8db4c5be | 254 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
01555e74 HH |
255 | { |
256 | .name = "socket", | |
257 | .revision = 3, | |
258 | .family = NFPROTO_IPV6, | |
259 | .match = socket_mt6_v1_v2_v3, | |
260 | .checkentry = socket_mt_v3_check, | |
261 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
262 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
263 | (1 << NF_INET_LOCAL_IN), | |
264 | .me = THIS_MODULE, | |
265 | }, | |
b64c9256 | 266 | #endif |
136cdc71 KK |
267 | }; |
268 | ||
269 | static int __init socket_mt_init(void) | |
270 | { | |
271 | nf_defrag_ipv4_enable(); | |
8db4c5be | 272 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
b64c9256 BS |
273 | nf_defrag_ipv6_enable(); |
274 | #endif | |
275 | ||
a31e1ffd | 276 | return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); |
136cdc71 KK |
277 | } |
278 | ||
279 | static void __exit socket_mt_exit(void) | |
280 | { | |
a31e1ffd | 281 | xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); |
136cdc71 KK |
282 | } |
283 | ||
284 | module_init(socket_mt_init); | |
285 | module_exit(socket_mt_exit); | |
286 | ||
287 | MODULE_LICENSE("GPL"); | |
288 | MODULE_AUTHOR("Krisztian Kovacs, Balazs Scheidler"); | |
289 | MODULE_DESCRIPTION("x_tables socket match module"); | |
290 | MODULE_ALIAS("ipt_socket"); | |
b64c9256 | 291 | MODULE_ALIAS("ip6t_socket"); |