1 | #ifndef _NF_TPROXY_H_ |
2 | #define _NF_TPROXY_H_ | |
3 | ||
4 | #include <net/tcp.h> | |
5 | ||
/*
 * Which kind of socket nf_tproxy_get_sock_v4()/nf_tproxy_get_sock_v6()
 * should search for; passed as their @lookup_type argument.
 */
enum nf_tproxy_lookup_t {
	/* Look for a listening socket that the redirection targets. */
	NF_TPROXY_LOOKUP_LISTENER,
	/* Look for an already established connection matching the
	 * packet tuple (i.e. a redirection that already took place). */
	NF_TPROXY_LOOKUP_ESTABLISHED,
};
10 | ||
/*
 * nf_tproxy_sk_is_transparent - check that @sk has IP_TRANSPARENT set
 * @sk: socket the caller holds a reference on (typically a lookup result)
 *
 * Returns true when @sk is a transparent socket; the caller keeps its
 * reference.  Returns false otherwise, in which case the reference is
 * released here through sock_gen_put() and the caller must not touch
 * @sk again.  Only transparent sockets may receive redirected traffic,
 * so a false result means "do not redirect to this socket".
 */
static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
{
	if (!inet_sk_transparent(sk)) {
		/* Not eligible: drop the lookup reference on the
		 * caller's behalf before reporting the failure. */
		sock_gen_put(sk);
		return false;
	}

	return true;
}
19 | ||
/*
 * nf_tproxy_assign_sock - attach @sk to @skb, consuming the reference on @sk
 * @skb: packet to steer to the socket
 * @sk: socket to attach; the caller's reference is transferred to @skb
 *
 * Whatever socket @skb already points at is released first via
 * skb_orphan(), so re-assigning does not leak the previous reference.
 * sock_edemux is installed as the destructor so the reference handed
 * over here is dropped when @skb's destructor runs.  The caller must
 * not put @sk afterwards.
 */
static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
{
	/* Must run before skb->sk is overwritten: it releases the
	 * socket/destructor the skb currently carries, if any. */
	skb_orphan(skb);
	/* Ownership of the caller's reference now belongs to the skb. */
	skb->sk = sk;
	skb->destructor = sock_edemux;
}
27 | ||
28 | __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr); |
29 | ||
/**
 * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
 * @net: Network namespace the lookup is performed in.
 * @skb: The skb being processed.
 * @laddr: IPv4 address to redirect to or zero.
 * @lport: TCP port to redirect to or zero.
 * @sk: The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait4() consumes the socket reference passed in.
 * The caller must therefore not put @sk itself; it only owns whatever
 * socket is returned (NOTE(review): presumably with a reference to be
 * released by the caller -- confirm against the implementation).
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
			    __be32 laddr, __be16 lport, struct sock *sk);
50 | ||
/*
 * This is used when the user wants to intercept a connection matching
 * an explicit iptables rule. In this case the sockets are assumed
 * matching in preference order:
 *
 * - match: if there's a fully established connection matching the
 * _packet_ tuple, it is returned, assuming the redirection
 * already took place and we process a packet belonging to an
 * established connection
 *
 * - match: if there's a listening socket matching the redirection
 * (e.g. on-port & on-ip of the connection), it is returned,
 * regardless if it was bound to 0.0.0.0 or an explicit
 * address. The reasoning is that if there's an explicit rule, it
 * does not really matter if the listener is bound to an interface
 * or to 0. The user already stated that they want redirection
 * (since they added the rule).
 *
 * Please note that there's an overlap between what a TPROXY target
 * and a socket match will match. Normally if you have both rules the
 * "socket" match will be the first one, effectively all packets
 * belonging to established connections going through that one.
 *
 * Which of the two kinds of socket is searched for is selected by
 * @lookup_type (see enum nf_tproxy_lookup_t); @protocol, the address
 * pair and the port pair form the tuple to match, and @in is the
 * ingress device.
 *
 * NOTE(review): a non-NULL result is presumably returned with a
 * reference held, to be released by the caller (or handed to
 * nf_tproxy_assign_sock()) -- confirm against the implementation.
 */
struct sock *
nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
		      const u8 protocol,
		      const __be32 saddr, const __be32 daddr,
		      const __be16 sport, const __be16 dport,
		      const struct net_device *in,
		      const enum nf_tproxy_lookup_t lookup_type);
81 | ||
/*
 * nf_tproxy_laddr6 - choose the local IPv6 address to redirect @skb to
 * @skb: packet being redirected
 * @user_laddr: address configured by the user for the redirection
 * @daddr: destination address of the packet
 *
 * IPv6 counterpart of nf_tproxy_laddr4(); returns a pointer rather than
 * an address by value.  NOTE(review): the selection rule and the
 * lifetime of the returned pointer are not visible from this header --
 * confirm against the implementation.
 */
const struct in6_addr *
nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
		 const struct in6_addr *daddr);
85 | ||
/**
 * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections
 * @skb: The skb being processed.
 * @tproto: Transport protocol.
 * @thoff: Transport protocol header offset.
 * @net: Network namespace.
 * @laddr: IPv6 address to redirect to.
 * @lport: TCP port to redirect to or zero.
 * @sk: The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait6() consumes the socket reference passed in.
 * The caller must therefore not put @sk itself; it only owns whatever
 * socket is returned (NOTE(review): presumably with a reference to be
 * released by the caller -- confirm against the implementation).
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
			    struct net *net,
			    const struct in6_addr *laddr,
			    const __be16 lport,
			    struct sock *sk);
112 | ||
/*
 * nf_tproxy_get_sock_v6 - IPv6 counterpart of nf_tproxy_get_sock_v4()
 *
 * Same matching preference as nf_tproxy_get_sock_v4() (see the comment
 * there): an established connection matching the packet tuple, or a
 * listening socket matching the redirection, selected by @lookup_type.
 * @thoff is the offset of the transport header within @skb, needed for
 * IPv6 because of extension headers.
 *
 * NOTE(review): a non-NULL result is presumably returned with a
 * reference held, to be released by the caller (or handed to
 * nf_tproxy_assign_sock()) -- confirm against the implementation.
 */
struct sock *
nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
		      const u8 protocol,
		      const struct in6_addr *saddr, const struct in6_addr *daddr,
		      const __be16 sport, const __be16 dport,
		      const struct net_device *in,
		      const enum nf_tproxy_lookup_t lookup_type);
120 | ||
121 | #endif /* _NF_TPROXY_H_ */ |