]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blame - net/netfilter/xt_socket.c
projects / mirror_ubuntu-jammy-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: conntrack: add nf_conntrack_default_on sysctl
[mirror_ubuntu-jammy-kernel.git] / net / netfilter / xt_socket.c
CommitLineData
136cdc71
KK		 1/*
2 * Transparent proxy support for Linux/iptables
3 *
4 * Copyright (C) 2007-2008 BalaBit IT Ltd.
5 * Author: Krisztian Kovacs
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 *
11 */
ff67e4e4 12#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
136cdc71
KK		 13#include <linux/module.h>
14#include <linux/skbuff.h>
15#include <linux/netfilter/x_tables.h>
16#include <linux/netfilter_ipv4/ip_tables.h>
17#include <net/tcp.h>
18#include <net/udp.h>
19#include <net/icmp.h>
20#include <net/sock.h>
21#include <net/inet_sock.h>
136cdc71 22#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
f6318e55 23
c0cd1156 24#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
f6318e55 25#include <linux/netfilter_ipv6/ip6_tables.h>
93742cf8 26#include <net/inet6_hashtables.h>
b64c9256 27#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
f6318e55 28#endif
136cdc71 29
8db4c5be 30#include <net/netfilter/nf_socket.h>
a31e1ffd
LAT		 31#include <linux/netfilter/xt_socket.h>
32
93742cf8
FW		 33/* "socket" match based redirection (no specific rule)
34 * ===================================================
35 *
36 * There are connections with dynamic endpoints (e.g. FTP data
37 * connection) that the user is unable to add explicit rules
38 * for. These are taken care of by a generic "socket" rule. It is
39 * assumed that the proxy application is trusted to open such
40 * connections without explicit iptables rule (except of course the
41 * generic 'socket' rule). In this case the following sockets are
42 * matched in preference order:
43 *
44 * - match: if there's a fully established connection matching the
45 * _packet_ tuple
46 *
47 * - match: if there's a non-zero bound listener (possibly with a
48 * non-local address) We don't accept zero-bound listeners, since
49 * then local services could intercept traffic going through the
50 * box.
51 */
d64d80a2
DB		 52static bool
53socket_match(const struct sk_buff *skb, struct xt_action_param *par,
54 const struct xt_socket_mtinfo1 *info)
55{
01555e74 56 struct sk_buff *pskb = (struct sk_buff *)skb;
d64d80a2
DB		 57 struct sock *sk = skb->sk;
58
00028aa3 59 if (!sk)
613dbd95 60 sk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par));
00028aa3 61 if (sk) {
a31e1ffd
LAT		 62 bool wildcard;
63 bool transparent = true;
64
681f130f
ED		 65 /* Ignore sockets listening on INADDR_ANY,
66 * unless XT_SOCKET_NOWILDCARD is set
67 */
68 wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
a9407000 69 sk_fullsock(sk) &&
c720c7e8 70 inet_sk(sk)->inet_rcv_saddr == 0);
a31e1ffd
LAT		 71
72 /* Ignore non-transparent sockets,
a9407000
ED		 73 * if XT_SOCKET_TRANSPARENT is used
74 */
baf60efa 75 if (info->flags & XT_SOCKET_TRANSPARENT)
8db4c5be 76 transparent = nf_sk_is_transparent(sk);
136cdc71 77
01555e74
HH		 78 if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
79 transparent)
80 pskb->mark = sk->sk_mark;
81
00028aa3 82 if (sk != skb->sk)
1a8bf6ee 83 sock_gen_put(sk);
a31e1ffd
LAT		 84
85 if (wildcard || !transparent)
136cdc71
KK		 86 sk = NULL;
87 }
88
d64d80a2 89 return sk != NULL;
136cdc71
KK		 90}
91
a31e1ffd 92static bool
b64c9256 93socket_mt4_v0(const struct sk_buff *skb, struct xt_action_param *par)
a31e1ffd 94{
baf60efa
ED		 95 static struct xt_socket_mtinfo1 xt_info_v0 = {
96 .flags = 0,
97 };
98
99 return socket_match(skb, par, &xt_info_v0);
a31e1ffd
LAT		 100}
101
102static bool
01555e74 103socket_mt4_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
a31e1ffd
LAT		 104{
105 return socket_match(skb, par, par->matchinfo);
106}
107
8db4c5be 108#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
d64d80a2 109static bool
01555e74 110socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
d64d80a2
DB		 111{
112 const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
01555e74 113 struct sk_buff *pskb = (struct sk_buff *)skb;
d64d80a2
DB		 114 struct sock *sk = skb->sk;
115
00028aa3 116 if (!sk)
613dbd95 117 sk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par));
00028aa3 118 if (sk) {
b64c9256
BS		 119 bool wildcard;
120 bool transparent = true;
121
681f130f
ED		 122 /* Ignore sockets listening on INADDR_ANY
123 * unless XT_SOCKET_NOWILDCARD is set
124 */
125 wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
a9407000 126 sk_fullsock(sk) &&
efe4208f 127 ipv6_addr_any(&sk->sk_v6_rcv_saddr));
b64c9256
BS		 128
129 /* Ignore non-transparent sockets,
a9407000
ED		 130 * if XT_SOCKET_TRANSPARENT is used
131 */
baf60efa 132 if (info->flags & XT_SOCKET_TRANSPARENT)
8db4c5be 133 transparent = nf_sk_is_transparent(sk);
b64c9256 134
01555e74
HH		 135 if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
136 transparent)
137 pskb->mark = sk->sk_mark;
138
00028aa3 139 if (sk != skb->sk)
1a8bf6ee 140 sock_gen_put(sk);
b64c9256
BS		 141
142 if (wildcard || !transparent)
143 sk = NULL;
144 }
145
d64d80a2 146 return sk != NULL;
b64c9256
BS		 147}
148#endif
149
681f130f
ED		 150static int socket_mt_v1_check(const struct xt_mtchk_param *par)
151{
152 const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
153
154 if (info->flags & ~XT_SOCKET_FLAGS_V1) {
155 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V1);
156 return -EINVAL;
157 }
158 return 0;
159}
160
161static int socket_mt_v2_check(const struct xt_mtchk_param *par)
162{
163 const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo;
164
165 if (info->flags & ~XT_SOCKET_FLAGS_V2) {
166 pr_info("unknown flags 0x%x\n", info->flags & ~XT_SOCKET_FLAGS_V2);
167 return -EINVAL;
168 }
169 return 0;
170}
171
01555e74
HH		 172static int socket_mt_v3_check(const struct xt_mtchk_param *par)
173{
174 const struct xt_socket_mtinfo3 *info =
175 (struct xt_socket_mtinfo3 *)par->matchinfo;
176
177 if (info->flags & ~XT_SOCKET_FLAGS_V3) {
178 pr_info("unknown flags 0x%x\n",
179 info->flags & ~XT_SOCKET_FLAGS_V3);
180 return -EINVAL;
181 }
182 return 0;
183}
184
a31e1ffd
LAT		 185static struct xt_match socket_mt_reg[] __read_mostly = {
186 {
187 .name = "socket",
188 .revision = 0,
189 .family = NFPROTO_IPV4,
b64c9256 190 .match = socket_mt4_v0,
aa3c487f
JE		 191 .hooks = (1 << NF_INET_PRE_ROUTING) |
192 (1 << NF_INET_LOCAL_IN),
a31e1ffd
LAT		 193 .me = THIS_MODULE,
194 },
195 {
196 .name = "socket",
197 .revision = 1,
198 .family = NFPROTO_IPV4,
01555e74 199 .match = socket_mt4_v1_v2_v3,
681f130f 200 .checkentry = socket_mt_v1_check,
a31e1ffd 201 .matchsize = sizeof(struct xt_socket_mtinfo1),
aa3c487f
JE		 202 .hooks = (1 << NF_INET_PRE_ROUTING) |
203 (1 << NF_INET_LOCAL_IN),
a31e1ffd
LAT		 204 .me = THIS_MODULE,
205 },
8db4c5be 206#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
b64c9256
BS		 207 {
208 .name = "socket",
209 .revision = 1,
210 .family = NFPROTO_IPV6,
01555e74 211 .match = socket_mt6_v1_v2_v3,
681f130f
ED		 212 .checkentry = socket_mt_v1_check,
213 .matchsize = sizeof(struct xt_socket_mtinfo1),
214 .hooks = (1 << NF_INET_PRE_ROUTING) |
215 (1 << NF_INET_LOCAL_IN),
216 .me = THIS_MODULE,
217 },
218#endif
219 {
220 .name = "socket",
221 .revision = 2,
222 .family = NFPROTO_IPV4,
01555e74 223 .match = socket_mt4_v1_v2_v3,
681f130f
ED		 224 .checkentry = socket_mt_v2_check,
225 .matchsize = sizeof(struct xt_socket_mtinfo1),
226 .hooks = (1 << NF_INET_PRE_ROUTING) |
227 (1 << NF_INET_LOCAL_IN),
228 .me = THIS_MODULE,
229 },
8db4c5be 230#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
681f130f
ED		 231 {
232 .name = "socket",
233 .revision = 2,
234 .family = NFPROTO_IPV6,
01555e74 235 .match = socket_mt6_v1_v2_v3,
681f130f 236 .checkentry = socket_mt_v2_check,
b64c9256
BS		 237 .matchsize = sizeof(struct xt_socket_mtinfo1),
238 .hooks = (1 << NF_INET_PRE_ROUTING) |
239 (1 << NF_INET_LOCAL_IN),
240 .me = THIS_MODULE,
241 },
01555e74
HH		 242#endif
243 {
244 .name = "socket",
245 .revision = 3,
246 .family = NFPROTO_IPV4,
247 .match = socket_mt4_v1_v2_v3,
248 .checkentry = socket_mt_v3_check,
249 .matchsize = sizeof(struct xt_socket_mtinfo1),
250 .hooks = (1 << NF_INET_PRE_ROUTING) |
251 (1 << NF_INET_LOCAL_IN),
252 .me = THIS_MODULE,
253 },
8db4c5be 254#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
01555e74
HH		 255 {
256 .name = "socket",
257 .revision = 3,
258 .family = NFPROTO_IPV6,
259 .match = socket_mt6_v1_v2_v3,
260 .checkentry = socket_mt_v3_check,
261 .matchsize = sizeof(struct xt_socket_mtinfo1),
262 .hooks = (1 << NF_INET_PRE_ROUTING) |
263 (1 << NF_INET_LOCAL_IN),
264 .me = THIS_MODULE,
265 },
b64c9256 266#endif
136cdc71
KK		 267};
268
269static int __init socket_mt_init(void)
270{
271 nf_defrag_ipv4_enable();
8db4c5be 272#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
b64c9256
BS		 273 nf_defrag_ipv6_enable();
274#endif
275
a31e1ffd 276 return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
136cdc71
KK		 277}
278
279static void __exit socket_mt_exit(void)
280{
a31e1ffd 281 xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
136cdc71
KK		 282}
283
284module_init(socket_mt_init);
285module_exit(socket_mt_exit);
286
287MODULE_LICENSE("GPL");
288MODULE_AUTHOR("Krisztian Kovacs, Balazs Scheidler");
289MODULE_DESCRIPTION("x_tables socket match module");
290MODULE_ALIAS("ipt_socket");
b64c9256 291MODULE_ALIAS("ip6t_socket");
Ubuntu Jammy Linux kernel mirror