Commit | Line | Data |
---|---|---|
d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
136cdc71 KK |
2 | /* |
3 | * Transparent proxy support for Linux/iptables | |
4 | * | |
5 | * Copyright (C) 2007-2008 BalaBit IT Ltd. | |
6 | * Author: Krisztian Kovacs | |
136cdc71 | 7 | */ |
ff67e4e4 | 8 | #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt |
136cdc71 KK |
9 | #include <linux/module.h> |
10 | #include <linux/skbuff.h> | |
11 | #include <linux/netfilter/x_tables.h> | |
12 | #include <linux/netfilter_ipv4/ip_tables.h> | |
13 | #include <net/tcp.h> | |
14 | #include <net/udp.h> | |
15 | #include <net/icmp.h> | |
16 | #include <net/sock.h> | |
17 | #include <net/inet_sock.h> | |
136cdc71 | 18 | #include <net/netfilter/ipv4/nf_defrag_ipv4.h> |
f6318e55 | 19 | |
c0cd1156 | 20 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
f6318e55 | 21 | #include <linux/netfilter_ipv6/ip6_tables.h> |
93742cf8 | 22 | #include <net/inet6_hashtables.h> |
b64c9256 | 23 | #include <net/netfilter/ipv6/nf_defrag_ipv6.h> |
f6318e55 | 24 | #endif |
136cdc71 | 25 | |
8db4c5be | 26 | #include <net/netfilter/nf_socket.h> |
a31e1ffd LAT |
27 | #include <linux/netfilter/xt_socket.h> |
28 | ||
93742cf8 FW |
29 | /* "socket" match based redirection (no specific rule) |
30 | * =================================================== | |
31 | * | |
32 | * There are connections with dynamic endpoints (e.g. FTP data | |
33 | * connection) that the user is unable to add explicit rules | |
34 | * for. These are taken care of by a generic "socket" rule. It is | |
35 | * assumed that the proxy application is trusted to open such | |
36 | * connections without explicit iptables rule (except of course the | |
37 | * generic 'socket' rule). In this case the following sockets are | |
38 | * matched in preference order: | |
39 | * | |
40 | * - match: if there's a fully established connection matching the | |
41 | * _packet_ tuple | |
42 | * | |
43 | * - match: if there's a non-zero bound listener (possibly with a | |
44 | * non-local address) We don't accept zero-bound listeners, since | |
45 | * then local services could intercept traffic going through the | |
46 | * box. | |
47 | */ | |
d64d80a2 DB |
48 | static bool |
49 | socket_match(const struct sk_buff *skb, struct xt_action_param *par, | |
50 | const struct xt_socket_mtinfo1 *info) | |
51 | { | |
01555e74 | 52 | struct sk_buff *pskb = (struct sk_buff *)skb; |
d64d80a2 DB |
53 | struct sock *sk = skb->sk; |
54 | ||
40e4f26e | 55 | if (sk && !net_eq(xt_net(par), sock_net(sk))) |
f5646501 FL |
56 | sk = NULL; |
57 | ||
00028aa3 | 58 | if (!sk) |
613dbd95 | 59 | sk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par)); |
f5646501 | 60 | |
00028aa3 | 61 | if (sk) { |
a31e1ffd LAT |
62 | bool wildcard; |
63 | bool transparent = true; | |
64 | ||
681f130f ED |
65 | /* Ignore sockets listening on INADDR_ANY, |
66 | * unless XT_SOCKET_NOWILDCARD is set | |
67 | */ | |
68 | wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && | |
a9407000 | 69 | sk_fullsock(sk) && |
c720c7e8 | 70 | inet_sk(sk)->inet_rcv_saddr == 0); |
a31e1ffd LAT |
71 | |
72 | /* Ignore non-transparent sockets, | |
a9407000 ED |
73 | * if XT_SOCKET_TRANSPARENT is used |
74 | */ | |
baf60efa | 75 | if (info->flags & XT_SOCKET_TRANSPARENT) |
8d6e5557 | 76 | transparent = inet_sk_transparent(sk); |
136cdc71 | 77 | |
01555e74 | 78 | if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard && |
89fcbb56 | 79 | transparent && sk_fullsock(sk)) |
01555e74 HH |
80 | pskb->mark = sk->sk_mark; |
81 | ||
00028aa3 | 82 | if (sk != skb->sk) |
1a8bf6ee | 83 | sock_gen_put(sk); |
a31e1ffd LAT |
84 | |
85 | if (wildcard || !transparent) | |
136cdc71 KK |
86 | sk = NULL; |
87 | } | |
88 | ||
d64d80a2 | 89 | return sk != NULL; |
136cdc71 KK |
90 | } |
91 | ||
a31e1ffd | 92 | static bool |
b64c9256 | 93 | socket_mt4_v0(const struct sk_buff *skb, struct xt_action_param *par) |
a31e1ffd | 94 | { |
baf60efa ED |
95 | static struct xt_socket_mtinfo1 xt_info_v0 = { |
96 | .flags = 0, | |
97 | }; | |
98 | ||
99 | return socket_match(skb, par, &xt_info_v0); | |
a31e1ffd LAT |
100 | } |
101 | ||
102 | static bool | |
01555e74 | 103 | socket_mt4_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par) |
a31e1ffd LAT |
104 | { |
105 | return socket_match(skb, par, par->matchinfo); | |
106 | } | |
107 | ||
8db4c5be | 108 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
d64d80a2 | 109 | static bool |
01555e74 | 110 | socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par) |
d64d80a2 DB |
111 | { |
112 | const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; | |
01555e74 | 113 | struct sk_buff *pskb = (struct sk_buff *)skb; |
d64d80a2 DB |
114 | struct sock *sk = skb->sk; |
115 | ||
40e4f26e | 116 | if (sk && !net_eq(xt_net(par), sock_net(sk))) |
f5646501 FL |
117 | sk = NULL; |
118 | ||
00028aa3 | 119 | if (!sk) |
613dbd95 | 120 | sk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par)); |
f5646501 | 121 | |
00028aa3 | 122 | if (sk) { |
b64c9256 BS |
123 | bool wildcard; |
124 | bool transparent = true; | |
125 | ||
681f130f ED |
126 | /* Ignore sockets listening on INADDR_ANY |
127 | * unless XT_SOCKET_NOWILDCARD is set | |
128 | */ | |
129 | wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && | |
a9407000 | 130 | sk_fullsock(sk) && |
efe4208f | 131 | ipv6_addr_any(&sk->sk_v6_rcv_saddr)); |
b64c9256 BS |
132 | |
133 | /* Ignore non-transparent sockets, | |
a9407000 ED |
134 | * if XT_SOCKET_TRANSPARENT is used |
135 | */ | |
baf60efa | 136 | if (info->flags & XT_SOCKET_TRANSPARENT) |
8d6e5557 | 137 | transparent = inet_sk_transparent(sk); |
b64c9256 | 138 | |
01555e74 | 139 | if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard && |
89fcbb56 | 140 | transparent && sk_fullsock(sk)) |
01555e74 HH |
141 | pskb->mark = sk->sk_mark; |
142 | ||
00028aa3 | 143 | if (sk != skb->sk) |
1a8bf6ee | 144 | sock_gen_put(sk); |
b64c9256 BS |
145 | |
146 | if (wildcard || !transparent) | |
147 | sk = NULL; | |
148 | } | |
149 | ||
d64d80a2 | 150 | return sk != NULL; |
b64c9256 BS |
151 | } |
152 | #endif | |
153 | ||
834184b1 FW |
154 | static int socket_mt_enable_defrag(struct net *net, int family) |
155 | { | |
156 | switch (family) { | |
157 | case NFPROTO_IPV4: | |
158 | return nf_defrag_ipv4_enable(net); | |
6bd3d192 | 159 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
834184b1 FW |
160 | case NFPROTO_IPV6: |
161 | return nf_defrag_ipv6_enable(net); | |
162 | #endif | |
163 | } | |
164 | WARN_ONCE(1, "Unknown family %d\n", family); | |
165 | return 0; | |
166 | } | |
167 | ||
681f130f ED |
168 | static int socket_mt_v1_check(const struct xt_mtchk_param *par) |
169 | { | |
170 | const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; | |
834184b1 FW |
171 | int err; |
172 | ||
173 | err = socket_mt_enable_defrag(par->net, par->family); | |
174 | if (err) | |
175 | return err; | |
681f130f ED |
176 | |
177 | if (info->flags & ~XT_SOCKET_FLAGS_V1) { | |
b2606644 FW |
178 | pr_info_ratelimited("unknown flags 0x%x\n", |
179 | info->flags & ~XT_SOCKET_FLAGS_V1); | |
681f130f ED |
180 | return -EINVAL; |
181 | } | |
182 | return 0; | |
183 | } | |
184 | ||
185 | static int socket_mt_v2_check(const struct xt_mtchk_param *par) | |
186 | { | |
187 | const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo; | |
834184b1 FW |
188 | int err; |
189 | ||
190 | err = socket_mt_enable_defrag(par->net, par->family); | |
191 | if (err) | |
192 | return err; | |
681f130f ED |
193 | |
194 | if (info->flags & ~XT_SOCKET_FLAGS_V2) { | |
b2606644 FW |
195 | pr_info_ratelimited("unknown flags 0x%x\n", |
196 | info->flags & ~XT_SOCKET_FLAGS_V2); | |
681f130f ED |
197 | return -EINVAL; |
198 | } | |
199 | return 0; | |
200 | } | |
201 | ||
01555e74 HH |
202 | static int socket_mt_v3_check(const struct xt_mtchk_param *par) |
203 | { | |
204 | const struct xt_socket_mtinfo3 *info = | |
205 | (struct xt_socket_mtinfo3 *)par->matchinfo; | |
834184b1 | 206 | int err; |
01555e74 | 207 | |
834184b1 FW |
208 | err = socket_mt_enable_defrag(par->net, par->family); |
209 | if (err) | |
210 | return err; | |
01555e74 | 211 | if (info->flags & ~XT_SOCKET_FLAGS_V3) { |
b2606644 FW |
212 | pr_info_ratelimited("unknown flags 0x%x\n", |
213 | info->flags & ~XT_SOCKET_FLAGS_V3); | |
01555e74 HH |
214 | return -EINVAL; |
215 | } | |
216 | return 0; | |
217 | } | |
218 | ||
a31e1ffd LAT |
219 | static struct xt_match socket_mt_reg[] __read_mostly = { |
220 | { | |
221 | .name = "socket", | |
222 | .revision = 0, | |
223 | .family = NFPROTO_IPV4, | |
b64c9256 | 224 | .match = socket_mt4_v0, |
aa3c487f JE |
225 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
226 | (1 << NF_INET_LOCAL_IN), | |
a31e1ffd LAT |
227 | .me = THIS_MODULE, |
228 | }, | |
229 | { | |
230 | .name = "socket", | |
231 | .revision = 1, | |
232 | .family = NFPROTO_IPV4, | |
01555e74 | 233 | .match = socket_mt4_v1_v2_v3, |
681f130f | 234 | .checkentry = socket_mt_v1_check, |
a31e1ffd | 235 | .matchsize = sizeof(struct xt_socket_mtinfo1), |
aa3c487f JE |
236 | .hooks = (1 << NF_INET_PRE_ROUTING) | |
237 | (1 << NF_INET_LOCAL_IN), | |
a31e1ffd LAT |
238 | .me = THIS_MODULE, |
239 | }, | |
8db4c5be | 240 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
b64c9256 BS |
241 | { |
242 | .name = "socket", | |
243 | .revision = 1, | |
244 | .family = NFPROTO_IPV6, | |
01555e74 | 245 | .match = socket_mt6_v1_v2_v3, |
681f130f ED |
246 | .checkentry = socket_mt_v1_check, |
247 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
248 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
249 | (1 << NF_INET_LOCAL_IN), | |
250 | .me = THIS_MODULE, | |
251 | }, | |
252 | #endif | |
253 | { | |
254 | .name = "socket", | |
255 | .revision = 2, | |
256 | .family = NFPROTO_IPV4, | |
01555e74 | 257 | .match = socket_mt4_v1_v2_v3, |
681f130f ED |
258 | .checkentry = socket_mt_v2_check, |
259 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
260 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
261 | (1 << NF_INET_LOCAL_IN), | |
262 | .me = THIS_MODULE, | |
263 | }, | |
8db4c5be | 264 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
681f130f ED |
265 | { |
266 | .name = "socket", | |
267 | .revision = 2, | |
268 | .family = NFPROTO_IPV6, | |
01555e74 | 269 | .match = socket_mt6_v1_v2_v3, |
681f130f | 270 | .checkentry = socket_mt_v2_check, |
b64c9256 BS |
271 | .matchsize = sizeof(struct xt_socket_mtinfo1), |
272 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
273 | (1 << NF_INET_LOCAL_IN), | |
274 | .me = THIS_MODULE, | |
275 | }, | |
01555e74 HH |
276 | #endif |
277 | { | |
278 | .name = "socket", | |
279 | .revision = 3, | |
280 | .family = NFPROTO_IPV4, | |
281 | .match = socket_mt4_v1_v2_v3, | |
282 | .checkentry = socket_mt_v3_check, | |
283 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
284 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
285 | (1 << NF_INET_LOCAL_IN), | |
286 | .me = THIS_MODULE, | |
287 | }, | |
8db4c5be | 288 | #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) |
01555e74 HH |
289 | { |
290 | .name = "socket", | |
291 | .revision = 3, | |
292 | .family = NFPROTO_IPV6, | |
293 | .match = socket_mt6_v1_v2_v3, | |
294 | .checkentry = socket_mt_v3_check, | |
295 | .matchsize = sizeof(struct xt_socket_mtinfo1), | |
296 | .hooks = (1 << NF_INET_PRE_ROUTING) | | |
297 | (1 << NF_INET_LOCAL_IN), | |
298 | .me = THIS_MODULE, | |
299 | }, | |
b64c9256 | 300 | #endif |
136cdc71 KK |
301 | }; |
302 | ||
303 | static int __init socket_mt_init(void) | |
304 | { | |
a31e1ffd | 305 | return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); |
136cdc71 KK |
306 | } |
307 | ||
308 | static void __exit socket_mt_exit(void) | |
309 | { | |
a31e1ffd | 310 | xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg)); |
136cdc71 KK |
311 | } |
312 | ||
313 | module_init(socket_mt_init); | |
314 | module_exit(socket_mt_exit); | |
315 | ||
316 | MODULE_LICENSE("GPL"); | |
317 | MODULE_AUTHOR("Krisztian Kovacs, Balazs Scheidler"); | |
318 | MODULE_DESCRIPTION("x_tables socket match module"); | |
319 | MODULE_ALIAS("ipt_socket"); | |
b64c9256 | 320 | MODULE_ALIAS("ip6t_socket"); |