search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Staging: hv: remove OnChildDeviceRemove vmbus_driver callback
[zen-stable.git] / net / netfilter / xt_TPROXY.c
blob640678f47a2ad5420a869e4fbcd63bd677297c2c
1 /*
2 * Transparent proxy support for Linux/iptables
3 *
4 * Copyright (c) 2006-2010 BalaBit IT Ltd.
5 * Author: Balazs Scheidler, Krisztian Kovacs
6 *
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
10 *
11 */
12 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13 #include <linux/module.h>
14 #include <linux/skbuff.h>
15 #include <linux/ip.h>
16 #include <net/checksum.h>
17 #include <net/udp.h>
18 #include <net/inet_sock.h>
19 #include <linux/inetdevice.h>
20 #include <linux/netfilter/x_tables.h>
21 #include <linux/netfilter_ipv4/ip_tables.h>
22
23 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
24
25 #if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
26 #define XT_TPROXY_HAVE_IPV6 1
27 #include <net/if_inet6.h>
28 #include <net/addrconf.h>
29 #include <linux/netfilter_ipv6/ip6_tables.h>
30 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
31 #endif
32
33 #include <net/netfilter/nf_tproxy_core.h>
34 #include <linux/netfilter/xt_TPROXY.h>
35
36 static inline __be32
37 tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)
38 {
39 struct in_device *indev;
40 __be32 laddr;
41
42 if (user_laddr)
43 return user_laddr;
44
45 laddr = 0;
46 rcu_read_lock();
47 indev = __in_dev_get_rcu(skb->dev);
48 for_primary_ifa(indev) {
49 laddr = ifa->ifa_local;
50 break;
51 } endfor_ifa(indev);
52 rcu_read_unlock();
53
54 return laddr ? laddr : daddr;
55 }
56
57 /**
58 * tproxy_handle_time_wait4() - handle IPv4 TCP TIME_WAIT reopen redirections
59 * @skb: The skb being processed.
60 * @laddr: IPv4 address to redirect to or zero.
61 * @lport: TCP port to redirect to or zero.
62 * @sk: The TIME_WAIT TCP socket found by the lookup.
63 *
64 * We have to handle SYN packets arriving to TIME_WAIT sockets
65 * differently: instead of reopening the connection we should rather
66 * redirect the new connection to the proxy if there's a listener
67 * socket present.
68 *
69 * tproxy_handle_time_wait4() consumes the socket reference passed in.
70 *
71 * Returns the listener socket if there's one, the TIME_WAIT socket if
72 * no such listener is found, or NULL if the TCP header is incomplete.
73 */
74 static struct sock *
75 tproxy_handle_time_wait4(struct sk_buff *skb, __be32 laddr, __be16 lport,
76 struct sock *sk)
77 {
78 const struct iphdr *iph = ip_hdr(skb);
79 struct tcphdr _hdr, *hp;
80
81 hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
82 if (hp == NULL) {
83 inet_twsk_put(inet_twsk(sk));
84 return NULL;
85 }
86
87 if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
88 /* SYN to a TIME_WAIT socket, we'd rather redirect it
89 * to a listener socket if there's one */
90 struct sock *sk2;
91
92 sk2 = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
93 iph->saddr, laddr ? laddr : iph->daddr,
94 hp->source, lport ? lport : hp->dest,
95 skb->dev, NFT_LOOKUP_LISTENER);
96 if (sk2) {
97 inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
98 inet_twsk_put(inet_twsk(sk));
99 sk = sk2;
100 }
101 }
102
103 return sk;
104 }
105
106 static unsigned int
107 tproxy_tg4(struct sk_buff *skb, __be32 laddr, __be16 lport,
108 u_int32_t mark_mask, u_int32_t mark_value)
109 {
110 const struct iphdr *iph = ip_hdr(skb);
111 struct udphdr _hdr, *hp;
112 struct sock *sk;
113
114 hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
115 if (hp == NULL)
116 return NF_DROP;
117
118 /* check if there's an ongoing connection on the packet
119 * addresses, this happens if the redirect already happened
120 * and the current packet belongs to an already established
121 * connection */
122 sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
123 iph->saddr, iph->daddr,
124 hp->source, hp->dest,
125 skb->dev, NFT_LOOKUP_ESTABLISHED);
126
127 laddr = tproxy_laddr4(skb, laddr, iph->daddr);
128 if (!lport)
129 lport = hp->dest;
130
131 /* UDP has no TCP_TIME_WAIT state, so we never enter here */
132 if (sk && sk->sk_state == TCP_TIME_WAIT)
133 /* reopening a TIME_WAIT connection needs special handling */
134 sk = tproxy_handle_time_wait4(skb, laddr, lport, sk);
135 else if (!sk)
136 /* no, there's no established connection, check if
137 * there's a listener on the redirected addr/port */
138 sk = nf_tproxy_get_sock_v4(dev_net(skb->dev), iph->protocol,
139 iph->saddr, laddr,
140 hp->source, lport,
141 skb->dev, NFT_LOOKUP_LISTENER);
142
143 /* NOTE: assign_sock consumes our sk reference */
144 if (sk && nf_tproxy_assign_sock(skb, sk)) {
145 /* This should be in a separate target, but we don't do multiple
146 targets on the same rule yet */
147 skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
148
149 pr_debug("redirecting: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
150 iph->protocol, &iph->daddr, ntohs(hp->dest),
151 &laddr, ntohs(lport), skb->mark);
152 return NF_ACCEPT;
153 }
154
155 pr_debug("no socket, dropping: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
156 iph->protocol, &iph->saddr, ntohs(hp->source),
157 &iph->daddr, ntohs(hp->dest), skb->mark);
158 return NF_DROP;
159 }
160
161 static unsigned int
162 tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)
163 {
164 const struct xt_tproxy_target_info *tgi = par->targinfo;
165
166 return tproxy_tg4(skb, tgi->laddr, tgi->lport, tgi->mark_mask, tgi->mark_value);
167 }
168
169 static unsigned int
170 tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
171 {
172 const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
173
174 return tproxy_tg4(skb, tgi->laddr.ip, tgi->lport, tgi->mark_mask, tgi->mark_value);
175 }
176
177 #ifdef XT_TPROXY_HAVE_IPV6
178
179 static inline const struct in6_addr *
180 tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
181 const struct in6_addr *daddr)
182 {
183 struct inet6_dev *indev;
184 struct inet6_ifaddr *ifa;
185 struct in6_addr *laddr;
186
187 if (!ipv6_addr_any(user_laddr))
188 return user_laddr;
189 laddr = NULL;
190
191 rcu_read_lock();
192 indev = __in6_dev_get(skb->dev);
193 if (indev)
194 list_for_each_entry(ifa, &indev->addr_list, if_list) {
195 if (ifa->flags & (IFA_F_TENTATIVE | IFA_F_DEPRECATED))
196 continue;
197
198 laddr = &ifa->addr;
199 break;
200 }
201 rcu_read_unlock();
202
203 return laddr ? laddr : daddr;
204 }
205
206 /**
207 * tproxy_handle_time_wait6() - handle IPv6 TCP TIME_WAIT reopen redirections
208 * @skb: The skb being processed.
209 * @tproto: Transport protocol.
210 * @thoff: Transport protocol header offset.
211 * @par: Iptables target parameters.
212 * @sk: The TIME_WAIT TCP socket found by the lookup.
213 *
214 * We have to handle SYN packets arriving to TIME_WAIT sockets
215 * differently: instead of reopening the connection we should rather
216 * redirect the new connection to the proxy if there's a listener
217 * socket present.
218 *
219 * tproxy_handle_time_wait6() consumes the socket reference passed in.
220 *
221 * Returns the listener socket if there's one, the TIME_WAIT socket if
222 * no such listener is found, or NULL if the TCP header is incomplete.
223 */
224 static struct sock *
225 tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
226 const struct xt_action_param *par,
227 struct sock *sk)
228 {
229 const struct ipv6hdr *iph = ipv6_hdr(skb);
230 struct tcphdr _hdr, *hp;
231 const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
232
233 hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
234 if (hp == NULL) {
235 inet_twsk_put(inet_twsk(sk));
236 return NULL;
237 }
238
239 if (hp->syn && !hp->rst && !hp->ack && !hp->fin) {
240 /* SYN to a TIME_WAIT socket, we'd rather redirect it
241 * to a listener socket if there's one */
242 struct sock *sk2;
243
244 sk2 = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
245 &iph->saddr,
246 tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr),
247 hp->source,
248 tgi->lport ? tgi->lport : hp->dest,
249 skb->dev, NFT_LOOKUP_LISTENER);
250 if (sk2) {
251 inet_twsk_deschedule(inet_twsk(sk), &tcp_death_row);
252 inet_twsk_put(inet_twsk(sk));
253 sk = sk2;
254 }
255 }
256
257 return sk;
258 }
259
260 static unsigned int
261 tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
262 {
263 const struct ipv6hdr *iph = ipv6_hdr(skb);
264 const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
265 struct udphdr _hdr, *hp;
266 struct sock *sk;
267 const struct in6_addr *laddr;
268 __be16 lport;
269 int thoff;
270 int tproto;
271
272 tproto = ipv6_find_hdr(skb, &thoff, -1, NULL);
273 if (tproto < 0) {
274 pr_debug("unable to find transport header in IPv6 packet, dropping\n");
275 return NF_DROP;
276 }
277
278 hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
279 if (hp == NULL) {
280 pr_debug("unable to grab transport header contents in IPv6 packet, dropping\n");
281 return NF_DROP;
282 }
283
284 /* check if there's an ongoing connection on the packet
285 * addresses, this happens if the redirect already happened
286 * and the current packet belongs to an already established
287 * connection */
288 sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
289 &iph->saddr, &iph->daddr,
290 hp->source, hp->dest,
291 par->in, NFT_LOOKUP_ESTABLISHED);
292
293 laddr = tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr);
294 lport = tgi->lport ? tgi->lport : hp->dest;
295
296 /* UDP has no TCP_TIME_WAIT state, so we never enter here */
297 if (sk && sk->sk_state == TCP_TIME_WAIT)
298 /* reopening a TIME_WAIT connection needs special handling */
299 sk = tproxy_handle_time_wait6(skb, tproto, thoff, par, sk);
300 else if (!sk)
301 /* no there's no established connection, check if
302 * there's a listener on the redirected addr/port */
303 sk = nf_tproxy_get_sock_v6(dev_net(skb->dev), tproto,
304 &iph->saddr, laddr,
305 hp->source, lport,
306 par->in, NFT_LOOKUP_LISTENER);
307
308 /* NOTE: assign_sock consumes our sk reference */
309 if (sk && nf_tproxy_assign_sock(skb, sk)) {
310 /* This should be in a separate target, but we don't do multiple
311 targets on the same rule yet */
312 skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
313
314 pr_debug("redirecting: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
315 tproto, &iph->saddr, ntohs(hp->source),
316 laddr, ntohs(lport), skb->mark);
317 return NF_ACCEPT;
318 }
319
320 pr_debug("no socket, dropping: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
321 tproto, &iph->saddr, ntohs(hp->source),
322 &iph->daddr, ntohs(hp->dest), skb->mark);
323
324 return NF_DROP;
325 }
326
327 static int tproxy_tg6_check(const struct xt_tgchk_param *par)
328 {
329 const struct ip6t_ip6 *i = par->entryinfo;
330
331 if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
332 && !(i->flags & IP6T_INV_PROTO))
333 return 0;
334
335 pr_info("Can be used only in combination with "
336 "either -p tcp or -p udp\n");
337 return -EINVAL;
338 }
339 #endif
340
341 static int tproxy_tg4_check(const struct xt_tgchk_param *par)
342 {
343 const struct ipt_ip *i = par->entryinfo;
344
345 if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
346 && !(i->invflags & IPT_INV_PROTO))
347 return 0;
348
349 pr_info("Can be used only in combination with "
350 "either -p tcp or -p udp\n");
351 return -EINVAL;
352 }
353
354 static struct xt_target tproxy_tg_reg[] __read_mostly = {
355 {
356 .name = "TPROXY",
357 .family = NFPROTO_IPV4,
358 .table = "mangle",
359 .target = tproxy_tg4_v0,
360 .revision = 0,
361 .targetsize = sizeof(struct xt_tproxy_target_info),
362 .checkentry = tproxy_tg4_check,
363 .hooks = 1 << NF_INET_PRE_ROUTING,
364 .me = THIS_MODULE,
365 },
366 {
367 .name = "TPROXY",
368 .family = NFPROTO_IPV4,
369 .table = "mangle",
370 .target = tproxy_tg4_v1,
371 .revision = 1,
372 .targetsize = sizeof(struct xt_tproxy_target_info_v1),
373 .checkentry = tproxy_tg4_check,
374 .hooks = 1 << NF_INET_PRE_ROUTING,
375 .me = THIS_MODULE,
376 },
377 #ifdef XT_TPROXY_HAVE_IPV6
378 {
379 .name = "TPROXY",
380 .family = NFPROTO_IPV6,
381 .table = "mangle",
382 .target = tproxy_tg6_v1,
383 .revision = 1,
384 .targetsize = sizeof(struct xt_tproxy_target_info_v1),
385 .checkentry = tproxy_tg6_check,
386 .hooks = 1 << NF_INET_PRE_ROUTING,
387 .me = THIS_MODULE,
388 },
389 #endif
390
391 };
392
393 static int __init tproxy_tg_init(void)
394 {
395 nf_defrag_ipv4_enable();
396 #ifdef XT_TPROXY_HAVE_IPV6
397 nf_defrag_ipv6_enable();
398 #endif
399
400 return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
401 }
402
403 static void __exit tproxy_tg_exit(void)
404 {
405 xt_unregister_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
406 }
407
408 module_init(tproxy_tg_init);
409 module_exit(tproxy_tg_exit);
410 MODULE_LICENSE("GPL");
411 MODULE_AUTHOR("Balazs Scheidler, Krisztian Kovacs");
412 MODULE_DESCRIPTION("Netfilter transparent proxy (TPROXY) target module.");
413 MODULE_ALIAS("ipt_TPROXY");
414 MODULE_ALIAS("ip6t_TPROXY");