mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-13 06:08:07 +00:00
de8c12110a
When I changed defrag hooks to no longer get registered by default I intentionally made it so that registration can only be un-done by unloading the nf_defrag_ipv4/6 module. In hindsight this was too conservative; there is no reason to keep defrag on while there is no feature dependency anymore. Moreover, this won't work if user isn't allowed to remove nf_defrag module. This adds the disable() functions for both ipv4 and ipv6 and calls them from conntrack, TPROXY and the xtables socket module. ipvs isn't converted here, it will behave as before this patch and will need module removal. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
290 lines
8.2 KiB
C
290 lines
8.2 KiB
C
// SPDX-License-Identifier: GPL-2.0-only
|
|
/*
|
|
* Transparent proxy support for Linux/iptables
|
|
*
|
|
* Copyright (c) 2006-2010 BalaBit IT Ltd.
|
|
* Author: Balazs Scheidler, Krisztian Kovacs
|
|
*/
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
#include <linux/module.h>
|
|
#include <linux/skbuff.h>
|
|
#include <linux/ip.h>
|
|
#include <net/checksum.h>
|
|
#include <net/udp.h>
|
|
#include <net/tcp.h>
|
|
#include <net/inet_sock.h>
|
|
#include <net/inet_hashtables.h>
|
|
#include <linux/inetdevice.h>
|
|
#include <linux/netfilter/x_tables.h>
|
|
#include <linux/netfilter_ipv4/ip_tables.h>
|
|
|
|
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
|
|
|
|
#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
|
|
#define XT_TPROXY_HAVE_IPV6 1
|
|
#include <net/if_inet6.h>
|
|
#include <net/addrconf.h>
|
|
#include <net/inet6_hashtables.h>
|
|
#include <linux/netfilter_ipv6/ip6_tables.h>
|
|
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
|
|
#endif
|
|
|
|
#include <net/netfilter/nf_tproxy.h>
|
|
#include <linux/netfilter/xt_TPROXY.h>
|
|
|
|
static unsigned int
|
|
tproxy_tg4(struct net *net, struct sk_buff *skb, __be32 laddr, __be16 lport,
|
|
u_int32_t mark_mask, u_int32_t mark_value)
|
|
{
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct udphdr _hdr, *hp;
|
|
struct sock *sk;
|
|
|
|
hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
|
|
if (hp == NULL)
|
|
return NF_DROP;
|
|
|
|
/* check if there's an ongoing connection on the packet
|
|
* addresses, this happens if the redirect already happened
|
|
* and the current packet belongs to an already established
|
|
* connection */
|
|
sk = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
|
|
iph->saddr, iph->daddr,
|
|
hp->source, hp->dest,
|
|
skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
|
|
|
|
laddr = nf_tproxy_laddr4(skb, laddr, iph->daddr);
|
|
if (!lport)
|
|
lport = hp->dest;
|
|
|
|
/* UDP has no TCP_TIME_WAIT state, so we never enter here */
|
|
if (sk && sk->sk_state == TCP_TIME_WAIT)
|
|
/* reopening a TIME_WAIT connection needs special handling */
|
|
sk = nf_tproxy_handle_time_wait4(net, skb, laddr, lport, sk);
|
|
else if (!sk)
|
|
/* no, there's no established connection, check if
|
|
* there's a listener on the redirected addr/port */
|
|
sk = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
|
|
iph->saddr, laddr,
|
|
hp->source, lport,
|
|
skb->dev, NF_TPROXY_LOOKUP_LISTENER);
|
|
|
|
/* NOTE: assign_sock consumes our sk reference */
|
|
if (sk && nf_tproxy_sk_is_transparent(sk)) {
|
|
/* This should be in a separate target, but we don't do multiple
|
|
targets on the same rule yet */
|
|
skb->mark = (skb->mark & ~mark_mask) ^ mark_value;
|
|
|
|
pr_debug("redirecting: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
|
|
iph->protocol, &iph->daddr, ntohs(hp->dest),
|
|
&laddr, ntohs(lport), skb->mark);
|
|
|
|
nf_tproxy_assign_sock(skb, sk);
|
|
return NF_ACCEPT;
|
|
}
|
|
|
|
pr_debug("no socket, dropping: proto %hhu %pI4:%hu -> %pI4:%hu, mark: %x\n",
|
|
iph->protocol, &iph->saddr, ntohs(hp->source),
|
|
&iph->daddr, ntohs(hp->dest), skb->mark);
|
|
return NF_DROP;
|
|
}
|
|
|
|
static unsigned int
|
|
tproxy_tg4_v0(struct sk_buff *skb, const struct xt_action_param *par)
|
|
{
|
|
const struct xt_tproxy_target_info *tgi = par->targinfo;
|
|
|
|
return tproxy_tg4(xt_net(par), skb, tgi->laddr, tgi->lport,
|
|
tgi->mark_mask, tgi->mark_value);
|
|
}
|
|
|
|
static unsigned int
|
|
tproxy_tg4_v1(struct sk_buff *skb, const struct xt_action_param *par)
|
|
{
|
|
const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
|
|
|
|
return tproxy_tg4(xt_net(par), skb, tgi->laddr.ip, tgi->lport,
|
|
tgi->mark_mask, tgi->mark_value);
|
|
}
|
|
|
|
#ifdef XT_TPROXY_HAVE_IPV6
|
|
|
|
static unsigned int
|
|
tproxy_tg6_v1(struct sk_buff *skb, const struct xt_action_param *par)
|
|
{
|
|
const struct ipv6hdr *iph = ipv6_hdr(skb);
|
|
const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
|
|
struct udphdr _hdr, *hp;
|
|
struct sock *sk;
|
|
const struct in6_addr *laddr;
|
|
__be16 lport;
|
|
int thoff = 0;
|
|
int tproto;
|
|
|
|
tproto = ipv6_find_hdr(skb, &thoff, -1, NULL, NULL);
|
|
if (tproto < 0) {
|
|
pr_debug("unable to find transport header in IPv6 packet, dropping\n");
|
|
return NF_DROP;
|
|
}
|
|
|
|
hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
|
|
if (hp == NULL) {
|
|
pr_debug("unable to grab transport header contents in IPv6 packet, dropping\n");
|
|
return NF_DROP;
|
|
}
|
|
|
|
/* check if there's an ongoing connection on the packet
|
|
* addresses, this happens if the redirect already happened
|
|
* and the current packet belongs to an already established
|
|
* connection */
|
|
sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff, tproto,
|
|
&iph->saddr, &iph->daddr,
|
|
hp->source, hp->dest,
|
|
xt_in(par), NF_TPROXY_LOOKUP_ESTABLISHED);
|
|
|
|
laddr = nf_tproxy_laddr6(skb, &tgi->laddr.in6, &iph->daddr);
|
|
lport = tgi->lport ? tgi->lport : hp->dest;
|
|
|
|
/* UDP has no TCP_TIME_WAIT state, so we never enter here */
|
|
if (sk && sk->sk_state == TCP_TIME_WAIT) {
|
|
const struct xt_tproxy_target_info_v1 *tgi = par->targinfo;
|
|
/* reopening a TIME_WAIT connection needs special handling */
|
|
sk = nf_tproxy_handle_time_wait6(skb, tproto, thoff,
|
|
xt_net(par),
|
|
&tgi->laddr.in6,
|
|
tgi->lport,
|
|
sk);
|
|
}
|
|
else if (!sk)
|
|
/* no there's no established connection, check if
|
|
* there's a listener on the redirected addr/port */
|
|
sk = nf_tproxy_get_sock_v6(xt_net(par), skb, thoff,
|
|
tproto, &iph->saddr, laddr,
|
|
hp->source, lport,
|
|
xt_in(par), NF_TPROXY_LOOKUP_LISTENER);
|
|
|
|
/* NOTE: assign_sock consumes our sk reference */
|
|
if (sk && nf_tproxy_sk_is_transparent(sk)) {
|
|
/* This should be in a separate target, but we don't do multiple
|
|
targets on the same rule yet */
|
|
skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
|
|
|
|
pr_debug("redirecting: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
|
|
tproto, &iph->saddr, ntohs(hp->source),
|
|
laddr, ntohs(lport), skb->mark);
|
|
|
|
nf_tproxy_assign_sock(skb, sk);
|
|
return NF_ACCEPT;
|
|
}
|
|
|
|
pr_debug("no socket, dropping: proto %hhu %pI6:%hu -> %pI6:%hu, mark: %x\n",
|
|
tproto, &iph->saddr, ntohs(hp->source),
|
|
&iph->daddr, ntohs(hp->dest), skb->mark);
|
|
|
|
return NF_DROP;
|
|
}
|
|
|
|
static int tproxy_tg6_check(const struct xt_tgchk_param *par)
|
|
{
|
|
const struct ip6t_ip6 *i = par->entryinfo;
|
|
int err;
|
|
|
|
err = nf_defrag_ipv6_enable(par->net);
|
|
if (err)
|
|
return err;
|
|
|
|
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP) &&
|
|
!(i->invflags & IP6T_INV_PROTO))
|
|
return 0;
|
|
|
|
pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
static void tproxy_tg6_destroy(const struct xt_tgdtor_param *par)
|
|
{
|
|
nf_defrag_ipv6_disable(par->net);
|
|
}
|
|
#endif
|
|
|
|
static int tproxy_tg4_check(const struct xt_tgchk_param *par)
|
|
{
|
|
const struct ipt_ip *i = par->entryinfo;
|
|
int err;
|
|
|
|
err = nf_defrag_ipv4_enable(par->net);
|
|
if (err)
|
|
return err;
|
|
|
|
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
|
|
&& !(i->invflags & IPT_INV_PROTO))
|
|
return 0;
|
|
|
|
pr_info_ratelimited("Can be used only with -p tcp or -p udp\n");
|
|
return -EINVAL;
|
|
}
|
|
|
|
static void tproxy_tg4_destroy(const struct xt_tgdtor_param *par)
|
|
{
|
|
nf_defrag_ipv4_disable(par->net);
|
|
}
|
|
|
|
static struct xt_target tproxy_tg_reg[] __read_mostly = {
|
|
{
|
|
.name = "TPROXY",
|
|
.family = NFPROTO_IPV4,
|
|
.table = "mangle",
|
|
.target = tproxy_tg4_v0,
|
|
.revision = 0,
|
|
.targetsize = sizeof(struct xt_tproxy_target_info),
|
|
.checkentry = tproxy_tg4_check,
|
|
.destroy = tproxy_tg4_destroy,
|
|
.hooks = 1 << NF_INET_PRE_ROUTING,
|
|
.me = THIS_MODULE,
|
|
},
|
|
{
|
|
.name = "TPROXY",
|
|
.family = NFPROTO_IPV4,
|
|
.table = "mangle",
|
|
.target = tproxy_tg4_v1,
|
|
.revision = 1,
|
|
.targetsize = sizeof(struct xt_tproxy_target_info_v1),
|
|
.checkentry = tproxy_tg4_check,
|
|
.destroy = tproxy_tg4_destroy,
|
|
.hooks = 1 << NF_INET_PRE_ROUTING,
|
|
.me = THIS_MODULE,
|
|
},
|
|
#ifdef XT_TPROXY_HAVE_IPV6
|
|
{
|
|
.name = "TPROXY",
|
|
.family = NFPROTO_IPV6,
|
|
.table = "mangle",
|
|
.target = tproxy_tg6_v1,
|
|
.revision = 1,
|
|
.targetsize = sizeof(struct xt_tproxy_target_info_v1),
|
|
.checkentry = tproxy_tg6_check,
|
|
.destroy = tproxy_tg6_destroy,
|
|
.hooks = 1 << NF_INET_PRE_ROUTING,
|
|
.me = THIS_MODULE,
|
|
},
|
|
#endif
|
|
|
|
};
|
|
|
|
static int __init tproxy_tg_init(void)
|
|
{
|
|
return xt_register_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
|
|
}
|
|
|
|
static void __exit tproxy_tg_exit(void)
|
|
{
|
|
xt_unregister_targets(tproxy_tg_reg, ARRAY_SIZE(tproxy_tg_reg));
|
|
}
|
|
|
|
module_init(tproxy_tg_init);
|
|
module_exit(tproxy_tg_exit);
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_AUTHOR("Balazs Scheidler, Krisztian Kovacs");
|
|
MODULE_DESCRIPTION("Netfilter transparent proxy (TPROXY) target module.");
|
|
MODULE_ALIAS("ipt_TPROXY");
|
|
MODULE_ALIAS("ip6t_TPROXY");
|