[thirdparty/squid.git] / src / ip / Intercept.cc

/*
 * DEBUG: section 89    NAT / IP Interception
 * AUTHOR: Robert Collins
 * AUTHOR: Amos Jeffries
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */
#include "squid.h"
#include "comm/Connection.h"
#include "ip/Intercept.h"
#include "fde.h"

#if IPF_TRANSPARENT

#if HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif
#if HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#if HAVE_NET_IF_H
#include <net/if.h>
#endif
#if HAVE_IPL_H
#include <ipl.h>
#elif HAVE_NETINET_IPL_H
#include <netinet/ipl.h>
#endif
#if HAVE_IP_FIL_COMPAT_H
#include <ip_fil_compat.h>
#elif HAVE_NETINET_IP_FIL_COMPAT_H
#include <netinet/ip_fil_compat.h>
#elif HAVE_IP_COMPAT_H
#include <ip_compat.h>
#elif HAVE_NETINET_IP_COMPAT_H
#include <netinet/ip_compat.h>
#endif
#if HAVE_IP_FIL_H
#include <ip_fil.h>
#elif HAVE_NETINET_IP_FIL_H
#include <netinet/ip_fil.h>
#endif
#if HAVE_IP_NAT_H
#include <ip_nat.h>
#elif HAVE_NETINET_IP_NAT_H
#include <netinet/ip_nat.h>
#endif
#if HAVE_ERRNO_H
#include <errno.h>
#endif

#endif /* IPF_TRANSPARENT required headers */

#if PF_TRANSPARENT
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#if HAVE_NET_PF_PFVAR_H
#include <net/pf/pfvar.h>
#endif /* HAVE_NET_PF_PFVAR_H */
#if HAVE_NET_PFVAR_H
#include <net/pfvar.h>
#endif /* HAVE_NET_PFVAR_H */
#endif /* PF_TRANSPARENT required headers */
/* must be before including netfilter_ipv4.h */
#if HAVE_LIMITS_H
#include <limits.h>
#endif
#if LINUX_NETFILTER
#include <linux/netfilter_ipv4.h>
#endif

// single global instance for access by other components.
Ip::Intercept Ip::Interceptor;

void
Ip::Intercept::StopTransparency(const char *str)
{
    if (transparentActive_) {
        debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
        transparentActive_ = 0;
    }
}

void
Ip::Intercept::StopInterception(const char *str)
{
    if (interceptActive_) {
        debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
        interceptActive_ = 0;
    }
}

bool
Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if LINUX_NETFILTER
    struct sockaddr_in lookup;
    socklen_t len = sizeof(struct sockaddr_in);
    newConn->local.GetSockAddr(lookup);

    /** \par
     * Try NAT lookup for REDIRECT or DNAT targets. */
    if ( getsockopt(newConn->fd, IPPROTO_IP, SO_ORIGINAL_DST, &lookup, &len) != 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
            lastReported_ = squid_curtime;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = lookup;
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }
#endif
    return false;
}

bool
Ip::Intercept::NetfilterTransparent(const Comm::ConnectionPointer &newConn, int silent)
{
#if LINUX_NETFILTER
    /* Trust the user configured properly. If not no harm done.
     * We will simply attempt a bind outgoing on our own IP.
     */
    newConn->remote.SetPort(0); // allow random outgoing port to prevent address clashes
    debugs(89, 5, HERE << "address TPROXY: " << newConn);
    return true;
#else
    return false;
#endif
}

bool
Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if IPFW_TRANSPARENT
    struct sockaddr_storage lookup;
    socklen_t len = sizeof(struct sockaddr_storage);
    newConn->local.GetSockAddr(lookup, AF_INET);

    /** \par
     * Try lookup for IPFW interception. */
    if ( getsockname(newConn->fd, (struct sockaddr*)&lookup, &len) != 0 ) {
        if ( !silent ) {
            debugs(89, DBG_IMPORTANT, HERE << " IPFW getsockname(...) failed: " << xstrerror());
            lastReported_ = squid_curtime;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = lookup;
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }
#endif
    return false;
}

bool
Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if IPF_TRANSPARENT  /* --enable-ipf-transparent */

    struct natlookup natLookup;
    static int natfd = -1;
    int x;

    // all fields must be set to 0
    memset(&natLookup, 0, sizeof(natLookup));
    // for NAT lookup set local and remote IP:port's
    natLookup.nl_inport = htons(newConn->local.GetPort());
    newConn->local.GetInAddr(natLookup.nl_inip);
    natLookup.nl_outport = htons(newConn->remote.GetPort());
    newConn->remote.GetInAddr(natLookup.nl_outip);
    // ... and the TCP flag
    natLookup.nl_flags = IPN_TCP;

    if (natfd < 0) {
        int save_errno;
        enter_suid();
#ifdef IPNAT_NAME
        natfd = open(IPNAT_NAME, O_RDONLY, 0);
#else
        natfd = open(IPL_NAT, O_RDONLY, 0);
#endif
        save_errno = errno;
        leave_suid();
        errno = save_errno;
    }

    if (natfd < 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT open failed: " << xstrerror());
            lastReported_ = squid_curtime;
            return false;
        }
    }

#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
    struct ipfobj obj;
    memset(&obj, 0, sizeof(obj));
    obj.ipfo_rev = IPFILTER_VERSION;
    obj.ipfo_size = sizeof(natLookup);
    obj.ipfo_ptr = &natLookup;
    obj.ipfo_type = IPFOBJ_NATLOOKUP;

    x = ioctl(natfd, SIOCGNATL, &obj);
#else
    /*
    * IP-Filter changed the type for SIOCGNATL between
    * 3.3 and 3.4.  It also changed the cmd value for
    * SIOCGNATL, so at least we can detect it.  We could
    * put something in configure and use ifdefs here, but
    * this seems simpler.
    */
    static int siocgnatl_cmd = SIOCGNATL & 0xff;
    if (63 == siocgnatl_cmd) {
        struct natlookup *nlp = &natLookup;
        x = ioctl(natfd, SIOCGNATL, &nlp);
    } else {
        x = ioctl(natfd, SIOCGNATL, &natLookup);
    }

#endif
    if (x < 0) {
        if (errno != ESRCH) {
            if (!silent) {
                debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerror());
                lastReported_ = squid_curtime;
            }

            close(natfd);
            natfd = -1;
        }

        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = natLookup.nl_realip;
        newConn->local.SetPort(ntohs(natLookup.nl_realport));
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }

#endif /* --enable-ipf-transparent */
    return false;
}

bool
Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if PF_TRANSPARENT  /* --enable-pf-transparent */

    struct pfioc_natlook nl;
    static int pffd = -1;

    if (pffd < 0)
        pffd = open("/dev/pf", O_RDONLY);

    if (pffd < 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, HERE << "PF open failed: " << xstrerror());
            lastReported_ = squid_curtime;
        }
        return false;
    }

    memset(&nl, 0, sizeof(struct pfioc_natlook));
    newConn->remote.GetInAddr(nl.saddr.v4);
    nl.sport = htons(newConn->remote.GetPort());

    newConn->local.GetInAddr(nl.daddr.v4);
    nl.dport = htons(newConn->local.GetPort());

    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;

    if (ioctl(pffd, DIOCNATLOOK, &nl)) {
        if (errno != ENOENT) {
            if (!silent) {
                debugs(89, DBG_IMPORTANT, HERE << "PF lookup failed: ioctl(DIOCNATLOOK)");
                lastReported_ = squid_curtime;
            }
            close(pffd);
            pffd = -1;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = nl.rdaddr.v4;
        newConn->local.SetPort(ntohs(nl.rdport));
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }

#endif /* --enable-pf-transparent */
    return false;
}

bool
Ip::Intercept::Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn)
{
    /* --enable-linux-netfilter    */
    /* --enable-ipfw-transparent   */
    /* --enable-ipf-transparent    */
    /* --enable-pf-transparent     */
#if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT

#if 0
    // Crop interception errors down to one per minute.
    int silent = (squid_curtime - lastReported_ > 60 ? 0 : 1);
#else
    // Show all interception errors.
    int silent = 0;
#endif

    debugs(89, 5, HERE << "address BEGIN: me/client= " << newConn->local << ", destination/me= " << newConn->remote);

    newConn->flags |= (listenConn->flags & (COMM_TRANSPARENT|COMM_INTERCEPTION));

    /* NP: try TPROXY first, its much quieter than NAT when non-matching */
    if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) {
        if (NetfilterTransparent(newConn, silent)) return true;
    }

    /* NAT is only available in IPv4 */
    if ( !newConn->local.IsIPv4()  ) return false;
    if ( !newConn->remote.IsIPv4() ) return false;

    if (interceptActive_ && listenConn->flags&COMM_INTERCEPTION) {
        /* NAT methods that use sock-opts to return client address */
        if (NetfilterInterception(newConn, silent)) return true;
        if (IpfwInterception(newConn, silent)) return true;

        /* NAT methods that use ioctl to return client address AND destination address */
        if (PfInterception(newConn, silent)) return true;
        if (IpfInterception(newConn, silent)) return true;
    }

#else /* none of the transparent options configured */
    debugs(89, DBG_IMPORTANT, "WARNING: transparent proxying not supported");
#endif

    return false;
}

bool
Ip::Intercept::ProbeForTproxy(Ip::Address &test)
{
    debugs(3, 3, "Detect TPROXY support on port " << test);

#if defined(IP_TRANSPARENT)

    int tos = 1;
    int tmp_sock = -1;

    /* Probe to see if the Kernel TPROXY support is IPv6-enabled */
    if (test.IsIPv6()) {
        debugs(3, 3, "...Probing for IPv6 TPROXY support.");

        struct sockaddr_in6 tmp_ip6;
        Ip::Address tmp = "::2";
        tmp.SetPort(0);
        tmp.GetSockAddr(tmp_ip6);

        if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
                setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
                bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {

            debugs(3, 3, "IPv6 TPROXY support detected. Using.");
            close(tmp_sock);
            return true;
        }
        if (tmp_sock >= 0) {
            close(tmp_sock);
            tmp_sock = -1;
        }
    }

    if ( test.IsIPv6() && !test.SetIPv4() ) {
        debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
        return false;
    }

    /* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
    if (test.IsIPv4()) {
        debugs(3, 3, "...Probing for IPv4 TPROXY support.");

        struct sockaddr_in tmp_ip4;
        Ip::Address tmp = "127.0.0.2";
        tmp.SetPort(0);
        tmp.GetSockAddr(tmp_ip4);

        if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
                setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
                bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {

            debugs(3, 3, "IPv4 TPROXY support detected. Using.");
            close(tmp_sock);
            return true;
        }
        if (tmp_sock >= 0) {
            close(tmp_sock);
        }
    }

#else /* undefined IP_TRANSPARENT */
    debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this platform. Disabling TPROXYv4.");
#endif
    return false;
}
Commit	Line	Data
c8be6d7b	1	/*
26ac0430	2	* DEBUG: section 89 NAT / IP Interception
c8be6d7b	3	* AUTHOR: Robert Collins
04f87469	4	* AUTHOR: Amos Jeffries
c8be6d7b	5	*
	6	* SQUID Web Proxy Cache http://www.squid-cache.org/
	7	* ----------------------------------------------------------
	8	*
	9	* Squid is the result of efforts by numerous individuals from
	10	* the Internet community; see the CONTRIBUTORS file for full
	11	* details. Many organizations have provided support for Squid's
	12	* development; see the SPONSORS file for full details. Squid is
	13	* Copyrighted (C) 2001 by the Regents of the University of
	14	* California; see the COPYRIGHT file for full details. Squid
	15	* incorporates software developed and/or copyrighted by other
	16	* sources; see the CREDITS file for full details.
	17	*
	18	* This program is free software; you can redistribute it and/or modify
	19	* it under the terms of the GNU General Public License as published by
	20	* the Free Software Foundation; either version 2 of the License, or
	21	* (at your option) any later version.
26ac0430	22	*
c8be6d7b	23	* This program is distributed in the hope that it will be useful,
	24	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	25	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	26	* GNU General Public License for more details.
26ac0430	27	*
c8be6d7b	28	* You should have received a copy of the GNU General Public License
	29	* along with this program; if not, write to the Free Software
	30	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	31	*
	32	*/
f7f3304a	33	#include "squid.h"
40d34a62	34	#include "comm/Connection.h"
96d89ea0	35	#include "ip/Intercept.h"
b3166404	36	#include "fde.h"
fc27cd70	37
c8be6d7b	38	#if IPF_TRANSPARENT
34ec5c62	39
c8be6d7b	40	#if HAVE_SYS_IOCTL_H
	41	#include <sys/ioctl.h>
	42	#endif
e9e7c285	43	#if HAVE_NETINET_TCP_H
c8be6d7b	44	#include <netinet/tcp.h>
e9e7c285	45	#endif
e9e7c285	46	#if HAVE_NET_IF_H
c8be6d7b	47	#include <net/if.h>
e9e7c285	48	#endif
b0dfd10b	49	#if HAVE_IPL_H
dbc5782a	50	#include <ipl.h>
	51	#elif HAVE_NETINET_IPL_H
	52	#include <netinet/ipl.h>
	53	#endif
c8be6d7b	54	#if HAVE_IP_FIL_COMPAT_H
	55	#include <ip_fil_compat.h>
	56	#elif HAVE_NETINET_IP_FIL_COMPAT_H
	57	#include <netinet/ip_fil_compat.h>
	58	#elif HAVE_IP_COMPAT_H
	59	#include <ip_compat.h>
	60	#elif HAVE_NETINET_IP_COMPAT_H
	61	#include <netinet/ip_compat.h>
	62	#endif
	63	#if HAVE_IP_FIL_H
	64	#include <ip_fil.h>
	65	#elif HAVE_NETINET_IP_FIL_H
	66	#include <netinet/ip_fil.h>
	67	#endif
	68	#if HAVE_IP_NAT_H
	69	#include <ip_nat.h>
	70	#elif HAVE_NETINET_IP_NAT_H
	71	#include <netinet/ip_nat.h>
	72	#endif
21d845b1 FC	73	#if HAVE_ERRNO_H
	74	#include <errno.h>
	75	#endif
34ec5c62 AJ	76
34ec5c62 AJ	77	#endif /* IPF_TRANSPARENT required headers */
c8be6d7b	78
c8be6d7b	79	#if PF_TRANSPARENT
c8be6d7b	80	#include <sys/socket.h>
	81	#include <sys/ioctl.h>
	82	#include <sys/fcntl.h>
	83	#include <net/if.h>
	84	#include <netinet/in.h>
b0dfd10b	85	#if HAVE_NET_PF_PFVAR_H
ec9909b0 AJ	86	#include <net/pf/pfvar.h>
ec9909b0 AJ	87	#endif /* HAVE_NET_PF_PFVAR_H */
b0dfd10b	88	#if HAVE_NET_PFVAR_H
c8be6d7b	89	#include <net/pfvar.h>
ec9909b0	90	#endif /* HAVE_NET_PFVAR_H */
34ec5c62	91	#endif /* PF_TRANSPARENT required headers */
62c972a6 FC	92	/* must be before including netfilter_ipv4.h */
	93	#if HAVE_LIMITS_H
	94	#include <limits.h>
	95	#endif
c8be6d7b	96	#if LINUX_NETFILTER
	97	#include <linux/netfilter_ipv4.h>
	98	#endif
	99
0fc2952e	100	// single global instance for access by other components.
b7ac5457	101	Ip::Intercept Ip::Interceptor;
0fc2952e	102
04f87469	103	void
b7ac5457	104	Ip::Intercept::StopTransparency(const char *str)
26ac0430	105	{
40d34a62	106	if (transparentActive_) {
788625af	107	debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
40d34a62	108	transparentActive_ = 0;
788625af	109	}
04f87469 AJ	110	}
	111
	112	void
b7ac5457	113	Ip::Intercept::StopInterception(const char *str)
26ac0430	114	{
40d34a62	115	if (interceptActive_) {
788625af	116	debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
40d34a62	117	interceptActive_ = 0;
788625af	118	}
04f87469	119	}
0fc2952e	120
40d34a62 AJ	121	bool
40d34a62 AJ	122	Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
7b0a0d1f AJ	123	{
7b0a0d1f AJ	124	#if LINUX_NETFILTER
40d34a62 AJ	125	struct sockaddr_in lookup;
	126	socklen_t len = sizeof(struct sockaddr_in);
	127	newConn->local.GetSockAddr(lookup);
7b0a0d1f AJ	128
	129	/** \par
	130	* Try NAT lookup for REDIRECT or DNAT targets. */
40d34a62	131	if ( getsockopt(newConn->fd, IPPROTO_IP, SO_ORIGINAL_DST, &lookup, &len) != 0) {
26ac0430	132	if (!silent) {
40d34a62 AJ	133	debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
40d34a62 AJ	134	lastReported_ = squid_curtime;
7b0a0d1f	135	}
40d34a62 AJ	136	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	137	return false;
26ac0430	138	} else {
40d34a62 AJ	139	newConn->local = lookup;
	140	debugs(89, 5, HERE << "address NAT: " << newConn);
	141	return true;
7b0a0d1f	142	}
7b0a0d1f	143	#endif
40d34a62	144	return false;
7b0a0d1f AJ	145	}
7b0a0d1f AJ	146
40d34a62 AJ	147	bool
40d34a62 AJ	148	Ip::Intercept::NetfilterTransparent(const Comm::ConnectionPointer &newConn, int silent)
7b0a0d1f AJ	149	{
7b0a0d1f AJ	150	#if LINUX_NETFILTER
acaa7194 AJ	151	/* Trust the user configured properly. If not no harm done.
acaa7194 AJ	152	* We will simply attempt a bind outgoing on our own IP.
acaa7194	153	*/
40d34a62 AJ	154	newConn->remote.SetPort(0); // allow random outgoing port to prevent address clashes
	155	debugs(89, 5, HERE << "address TPROXY: " << newConn);
	156	return true;
	157	#else
	158	return false;
acaa7194	159	#endif
7b0a0d1f AJ	160	}
7b0a0d1f AJ	161
40d34a62 AJ	162	bool
40d34a62 AJ	163	Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn, int silent)
d8b5bcbc AJ	164	{
d8b5bcbc AJ	165	#if IPFW_TRANSPARENT
1b76e6c1 AJ	166	struct sockaddr_storage lookup;
	167	socklen_t len = sizeof(struct sockaddr_storage);
	168	newConn->local.GetSockAddr(lookup, AF_INET);
d8b5bcbc AJ	169
	170	/** \par
	171	* Try lookup for IPFW interception. */
1b76e6c1	172	if ( getsockname(newConn->fd, (struct sockaddr*)&lookup, &len) != 0 ) {
26ac0430	173	if ( !silent ) {
d8b5bcbc	174	debugs(89, DBG_IMPORTANT, HERE << " IPFW getsockname(...) failed: " << xstrerror());
40d34a62	175	lastReported_ = squid_curtime;
d8b5bcbc	176	}
40d34a62 AJ	177	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	178	return false;
26ac0430	179	} else {
40d34a62 AJ	180	newConn->local = lookup;
	181	debugs(89, 5, HERE << "address NAT: " << newConn);
	182	return true;
d8b5bcbc	183	}
d8b5bcbc	184	#endif
40d34a62	185	return false;
d8b5bcbc	186	}
0fc2952e	187
40d34a62 AJ	188	bool
40d34a62 AJ	189	Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn, int silent)
3f38a55e	190	{
f1e0717c	191	#if IPF_TRANSPARENT /* --enable-ipf-transparent */
62e76326	192
c8be6d7b	193	struct natlookup natLookup;
c8be6d7b	194	static int natfd = -1;
c8be6d7b	195	int x;
3f38a55e	196
c74be4ce	197	// all fields must be set to 0
dcfb239f	198	memset(&natLookup, 0, sizeof(natLookup));
c74be4ce	199	// for NAT lookup set local and remote IP:port's
40d34a62 AJ	200	natLookup.nl_inport = htons(newConn->local.GetPort());
40d34a62 AJ	201	newConn->local.GetInAddr(natLookup.nl_inip);
9a8b1816	202	natLookup.nl_outport = htons(newConn->remote.GetPort());
40d34a62	203	newConn->remote.GetInAddr(natLookup.nl_outip);
c74be4ce	204	// ... and the TCP flag
c8be6d7b	205	natLookup.nl_flags = IPN_TCP;
62e76326	206
26ac0430	207	if (natfd < 0) {
62e76326	208	int save_errno;
62e76326	209	enter_suid();
dbc5782a	210	#ifdef IPNAT_NAME
dbc5782a	211	natfd = open(IPNAT_NAME, O_RDONLY, 0);
98a3bc99	212	#else
62e76326	213	natfd = open(IPL_NAT, O_RDONLY, 0);
98a3bc99	214	#endif
62e76326	215	save_errno = errno;
	216	leave_suid();
	217	errno = save_errno;
c8be6d7b	218	}
62e76326	219
26ac0430	220	if (natfd < 0) {
219f8edb	221	if (!silent) {
c74be4ce	222	debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT open failed: " << xstrerror());
40d34a62 AJ	223	lastReported_ = squid_curtime;
40d34a62 AJ	224	return false;
d6026916	225	}
c8be6d7b	226	}
62e76326	227
dbc5782a	228	#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
c74be4ce AJ	229	struct ipfobj obj;
	230	memset(&obj, 0, sizeof(obj));
	231	obj.ipfo_rev = IPFILTER_VERSION;
	232	obj.ipfo_size = sizeof(natLookup);
	233	obj.ipfo_ptr = &natLookup;
	234	obj.ipfo_type = IPFOBJ_NATLOOKUP;
	235
dbc5782a	236	x = ioctl(natfd, SIOCGNATL, &obj);
dbc5782a	237	#else
3f38a55e	238	/*
dbc5782a	239	* IP-Filter changed the type for SIOCGNATL between
	240	* 3.3 and 3.4. It also changed the cmd value for
	241	* SIOCGNATL, so at least we can detect it. We could
	242	* put something in configure and use ifdefs here, but
	243	* this seems simpler.
	244	*/
c74be4ce	245	static int siocgnatl_cmd = SIOCGNATL & 0xff;
26ac0430	246	if (63 == siocgnatl_cmd) {
62e76326	247	struct natlookup *nlp = &natLookup;
62e76326	248	x = ioctl(natfd, SIOCGNATL, &nlp);
26ac0430	249	} else {
62e76326	250	x = ioctl(natfd, SIOCGNATL, &natLookup);
	251	}
	252
dbc5782a	253	#endif
26ac0430	254	if (x < 0) {
62e76326	255	if (errno != ESRCH) {
219f8edb	256	if (!silent) {
c74be4ce	257	debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerror());
40d34a62	258	lastReported_ = squid_curtime;
d6026916	259	}
d6026916	260
62e76326	261	close(natfd);
	262	natfd = -1;
	263	}
	264
40d34a62 AJ	265	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	266	return false;
26ac0430	267	} else {
40d34a62 AJ	268	newConn->local = natLookup.nl_realip;
	269	newConn->local.SetPort(ntohs(natLookup.nl_realport));
	270	debugs(89, 5, HERE << "address NAT: " << newConn);
	271	return true;
c8be6d7b	272	}
62e76326	273
219f8edb	274	#endif /* --enable-ipf-transparent */
40d34a62	275	return false;
219f8edb	276	}
f1e0717c	277
40d34a62 AJ	278	bool
40d34a62 AJ	279	Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent)
219f8edb	280	{
51f4d36b	281	#if PF_TRANSPARENT /* --enable-pf-transparent */
62e76326	282
3f38a55e	283	struct pfioc_natlook nl;
3f38a55e	284	static int pffd = -1;
62e76326	285
62e76326	286	if (pffd < 0)
d14c6ef2	287	pffd = open("/dev/pf", O_RDONLY);
62e76326	288
26ac0430	289	if (pffd < 0) {
51f4d36b	290	if (!silent) {
e9172f79	291	debugs(89, DBG_IMPORTANT, HERE << "PF open failed: " << xstrerror());
40d34a62	292	lastReported_ = squid_curtime;
d6026916	293	}
40d34a62	294	return false;
c8be6d7b	295	}
62e76326	296
c8be6d7b	297	memset(&nl, 0, sizeof(struct pfioc_natlook));
40d34a62 AJ	298	newConn->remote.GetInAddr(nl.saddr.v4);
40d34a62 AJ	299	nl.sport = htons(newConn->remote.GetPort());
cc192b50	300
40d34a62 AJ	301	newConn->local.GetInAddr(nl.daddr.v4);
40d34a62 AJ	302	nl.dport = htons(newConn->local.GetPort());
cc192b50	303
c8be6d7b	304	nl.af = AF_INET;
	305	nl.proto = IPPROTO_TCP;
	306	nl.direction = PF_OUT;
62e76326	307
26ac0430	308	if (ioctl(pffd, DIOCNATLOOK, &nl)) {
62e76326	309	if (errno != ENOENT) {
51f4d36b	310	if (!silent) {
e9172f79	311	debugs(89, DBG_IMPORTANT, HERE << "PF lookup failed: ioctl(DIOCNATLOOK)");
40d34a62	312	lastReported_ = squid_curtime;
d6026916	313	}
62e76326	314	close(pffd);
	315	pffd = -1;
	316	}
40d34a62 AJ	317	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	318	return false;
26ac0430	319	} else {
40d34a62 AJ	320	newConn->local = nl.rdaddr.v4;
	321	newConn->local.SetPort(ntohs(nl.rdport));
	322	debugs(89, 5, HERE << "address NAT: " << newConn);
	323	return true;
3f38a55e	324	}
62e76326	325
51f4d36b	326	#endif /* --enable-pf-transparent */
40d34a62	327	return false;
51f4d36b AJ	328	}
51f4d36b AJ	329
40d34a62 AJ	330	bool
40d34a62 AJ	331	Ip::Intercept::Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn)
51f4d36b	332	{
af6a12ee AJ	333	/* --enable-linux-netfilter */
	334	/* --enable-ipfw-transparent */
	335	/* --enable-ipf-transparent */
	336	/* --enable-pf-transparent */
51f4d36b AJ	337	#if IPF_TRANSPARENT \|\| LINUX_NETFILTER \|\| IPFW_TRANSPARENT \|\| PF_TRANSPARENT
51f4d36b AJ	338
51f4d36b AJ	339	#if 0
51f4d36b AJ	340	// Crop interception errors down to one per minute.
40d34a62	341	int silent = (squid_curtime - lastReported_ > 60 ? 0 : 1);
51f4d36b AJ	342	#else
	343	// Show all interception errors.
	344	int silent = 0;
	345	#endif
	346
40d34a62 AJ	347	debugs(89, 5, HERE << "address BEGIN: me/client= " << newConn->local << ", destination/me= " << newConn->remote);
	348
	349	newConn->flags \|= (listenConn->flags & (COMM_TRANSPARENT\|COMM_INTERCEPTION));
e9172f79	350
9bad3e09	351	/* NP: try TPROXY first, its much quieter than NAT when non-matching */
40d34a62 AJ	352	if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) {
40d34a62 AJ	353	if (NetfilterTransparent(newConn, silent)) return true;
9bad3e09 AJ	354	}
9bad3e09 AJ	355
b9420956	356	/* NAT is only available in IPv4 */
40d34a62 AJ	357	if ( !newConn->local.IsIPv4() ) return false;
40d34a62 AJ	358	if ( !newConn->remote.IsIPv4() ) return false;
11298d0d	359
40d34a62	360	if (interceptActive_ && listenConn->flags&COMM_INTERCEPTION) {
e9172f79	361	/* NAT methods that use sock-opts to return client address */
40d34a62 AJ	362	if (NetfilterInterception(newConn, silent)) return true;
40d34a62 AJ	363	if (IpfwInterception(newConn, silent)) return true;
e9172f79 AJ	364
e9172f79 AJ	365	/* NAT methods that use ioctl to return client address AND destination address */
40d34a62 AJ	366	if (PfInterception(newConn, silent)) return true;
40d34a62 AJ	367	if (IpfInterception(newConn, silent)) return true;
51f4d36b	368	}
f1e0717c	369
51f4d36b	370	#else /* none of the transparent options configured */
e9172f79	371	debugs(89, DBG_IMPORTANT, "WARNING: transparent proxying not supported");
3f38a55e	372	#endif
3f38a55e	373
40d34a62	374	return false;
f1e0717c	375	}
34ec5c62	376
263f84f0	377	bool
b7ac5457	378	Ip::Intercept::ProbeForTproxy(Ip::Address &test)
263f84f0 AJ	379	{
263f84f0 AJ	380	debugs(3, 3, "Detect TPROXY support on port " << test);
263f84f0 AJ	381
	382	#if defined(IP_TRANSPARENT)
	383
	384	int tos = 1;
	385	int tmp_sock = -1;
	386
263f84f0 AJ	387	/* Probe to see if the Kernel TPROXY support is IPv6-enabled */
	388	if (test.IsIPv6()) {
	389	debugs(3, 3, "...Probing for IPv6 TPROXY support.");
	390
	391	struct sockaddr_in6 tmp_ip6;
b7ac5457	392	Ip::Address tmp = "::2";
263f84f0 AJ	393	tmp.SetPort(0);
	394	tmp.GetSockAddr(tmp_ip6);
	395
	396	if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
f54f527e AJ	397	setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
f54f527e AJ	398	bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {
263f84f0 AJ	399
263f84f0 AJ	400	debugs(3, 3, "IPv6 TPROXY support detected. Using.");
fb5bffa3	401	close(tmp_sock);
263f84f0 AJ	402	return true;
	403	}
	404	if (tmp_sock >= 0) {
fb5bffa3	405	close(tmp_sock);
263f84f0 AJ	406	tmp_sock = -1;
	407	}
	408	}
	409
	410	if ( test.IsIPv6() && !test.SetIPv4() ) {
	411	debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
	412	return false;
	413	}
263f84f0 AJ	414
	415	/* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
	416	if (test.IsIPv4()) {
	417	debugs(3, 3, "...Probing for IPv4 TPROXY support.");
	418
	419	struct sockaddr_in tmp_ip4;
b7ac5457	420	Ip::Address tmp = "127.0.0.2";
263f84f0 AJ	421	tmp.SetPort(0);
	422	tmp.GetSockAddr(tmp_ip4);
	423
	424	if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
f54f527e AJ	425	setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
f54f527e AJ	426	bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {
263f84f0 AJ	427
263f84f0 AJ	428	debugs(3, 3, "IPv4 TPROXY support detected. Using.");
fb5bffa3	429	close(tmp_sock);
263f84f0 AJ	430	return true;
	431	}
	432	if (tmp_sock >= 0) {
fb5bffa3	433	close(tmp_sock);
263f84f0 AJ	434	}
	435	}
	436
	437	#else /* undefined IP_TRANSPARENT */
	438	debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this platform. Disabling TPROXYv4.");
	439	#endif
263f84f0 AJ	440	return false;
263f84f0 AJ	441	}