[thirdparty/squid.git] / src / ip / Intercept.cc

/*
 * DEBUG: section 89    NAT / IP Interception
 * AUTHOR: Robert Collins
 * AUTHOR: Amos Jeffries
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */
#include "config.h"
#include "comm/Connection.h"
#include "ip/Intercept.h"
#include "fde.h"

#if IPF_TRANSPARENT

#if HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif
#if HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#if HAVE_NET_IF_H
#include <net/if.h>
#endif
#if HAVE_IPL_H
#include <ipl.h>
#elif HAVE_NETINET_IPL_H
#include <netinet/ipl.h>
#endif
#if HAVE_IP_FIL_COMPAT_H
#include <ip_fil_compat.h>
#elif HAVE_NETINET_IP_FIL_COMPAT_H
#include <netinet/ip_fil_compat.h>
#elif HAVE_IP_COMPAT_H
#include <ip_compat.h>
#elif HAVE_NETINET_IP_COMPAT_H
#include <netinet/ip_compat.h>
#endif
#if HAVE_IP_FIL_H
#include <ip_fil.h>
#elif HAVE_NETINET_IP_FIL_H
#include <netinet/ip_fil.h>
#endif
#if HAVE_IP_NAT_H
#include <ip_nat.h>
#elif HAVE_NETINET_IP_NAT_H
#include <netinet/ip_nat.h>
#endif

#endif /* IPF_TRANSPARENT required headers */

#if PF_TRANSPARENT
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#if HAVE_NET_PF_PFVAR_H
#include <net/pf/pfvar.h>
#endif /* HAVE_NET_PF_PFVAR_H */
#if HAVE_NET_PFVAR_H
#include <net/pfvar.h>
#endif /* HAVE_NET_PFVAR_H */
#endif /* PF_TRANSPARENT required headers */

#if LINUX_NETFILTER
#include <linux/netfilter_ipv4.h>
#endif

// single global instance for access by other components.
Ip::Intercept Ip::Interceptor;

void
Ip::Intercept::StopTransparency(const char *str)
{
    if (transparentActive_) {
        debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
        transparentActive_ = 0;
    }
}

void
Ip::Intercept::StopInterception(const char *str)
{
    if (interceptActive_) {
        debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
        interceptActive_ = 0;
    }
}

bool
Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if LINUX_NETFILTER
    struct sockaddr_in lookup;
    socklen_t len = sizeof(struct sockaddr_in);
    newConn->local.GetSockAddr(lookup);

    /** \par
     * Try NAT lookup for REDIRECT or DNAT targets. */
    if ( getsockopt(newConn->fd, IPPROTO_IP, SO_ORIGINAL_DST, &lookup, &len) != 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
            lastReported_ = squid_curtime;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = lookup;
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }
#endif
    return false;
}

bool
Ip::Intercept::NetfilterTransparent(const Comm::ConnectionPointer &newConn, int silent)
{
#if LINUX_NETFILTER
    /* Trust the user configured properly. If not no harm done.
     * We will simply attempt a bind outgoing on our own IP.
     */
    newConn->remote.SetPort(0); // allow random outgoing port to prevent address clashes
    debugs(89, 5, HERE << "address TPROXY: " << newConn);
    return true;
#else
    return false;
#endif
}

bool
Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if IPFW_TRANSPARENT
    struct sockaddr_storage lookup;
    socklen_t len = sizeof(struct sockaddr_storage);
    newConn->local.GetSockAddr(lookup, AF_INET);

    /** \par
     * Try lookup for IPFW interception. */
    if ( getsockname(newConn->fd, (struct sockaddr*)&lookup, &len) != 0 ) {
        if ( !silent ) {
            debugs(89, DBG_IMPORTANT, HERE << " IPFW getsockname(...) failed: " << xstrerror());
            lastReported_ = squid_curtime;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = lookup;
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }
#endif
    return false;
}

bool
Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if IPF_TRANSPARENT  /* --enable-ipf-transparent */

    struct natlookup natLookup;
    static int natfd = -1;
    int x;

    // all fields must be set to 0
    memset(&natLookup, 0, sizeof(natLookup));
    // for NAT lookup set local and remote IP:port's
    natLookup.nl_inport = htons(newConn->local.GetPort());
    newConn->local.GetInAddr(natLookup.nl_inip);
    natLookup.nl_outport = htons(newConn->remote.GetPort());
    newConn->remote.GetInAddr(natLookup.nl_outip);
    // ... and the TCP flag
    natLookup.nl_flags = IPN_TCP;

    if (natfd < 0) {
        int save_errno;
        enter_suid();
#ifdef IPNAT_NAME
        natfd = open(IPNAT_NAME, O_RDONLY, 0);
#else
        natfd = open(IPL_NAT, O_RDONLY, 0);
#endif
        save_errno = errno;
        leave_suid();
        errno = save_errno;
    }

    if (natfd < 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT open failed: " << xstrerror());
            lastReported_ = squid_curtime;
            return false;
        }
    }

#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
    struct ipfobj obj;
    memset(&obj, 0, sizeof(obj));
    obj.ipfo_rev = IPFILTER_VERSION;
    obj.ipfo_size = sizeof(natLookup);
    obj.ipfo_ptr = &natLookup;
    obj.ipfo_type = IPFOBJ_NATLOOKUP;

    x = ioctl(natfd, SIOCGNATL, &obj);
#else
    /*
    * IP-Filter changed the type for SIOCGNATL between
    * 3.3 and 3.4.  It also changed the cmd value for
    * SIOCGNATL, so at least we can detect it.  We could
    * put something in configure and use ifdefs here, but
    * this seems simpler.
    */
    static int siocgnatl_cmd = SIOCGNATL & 0xff;
    if (63 == siocgnatl_cmd) {
        struct natlookup *nlp = &natLookup;
        x = ioctl(natfd, SIOCGNATL, &nlp);
    } else {
        x = ioctl(natfd, SIOCGNATL, &natLookup);
    }

#endif
    if (x < 0) {
        if (errno != ESRCH) {
            if (!silent) {
                debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerror());
                lastReported_ = squid_curtime;
            }

            close(natfd);
            natfd = -1;
        }

        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = natLookup.nl_realip;
        newConn->local.SetPort(ntohs(natLookup.nl_realport));
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }

#endif /* --enable-ipf-transparent */
    return false;
}

bool
Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent)
{
#if PF_TRANSPARENT  /* --enable-pf-transparent */

    struct pfioc_natlook nl;
    static int pffd = -1;

    if (pffd < 0)
        pffd = open("/dev/pf", O_RDONLY);

    if (pffd < 0) {
        if (!silent) {
            debugs(89, DBG_IMPORTANT, HERE << "PF open failed: " << xstrerror());
            lastReported_ = squid_curtime;
        }
        return false;
    }

    memset(&nl, 0, sizeof(struct pfioc_natlook));
    newConn->remote.GetInAddr(nl.saddr.v4);
    nl.sport = htons(newConn->remote.GetPort());

    newConn->local.GetInAddr(nl.daddr.v4);
    nl.dport = htons(newConn->local.GetPort());

    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;

    if (ioctl(pffd, DIOCNATLOOK, &nl)) {
        if (errno != ENOENT) {
            if (!silent) {
                debugs(89, DBG_IMPORTANT, HERE << "PF lookup failed: ioctl(DIOCNATLOOK)");
                lastReported_ = squid_curtime;
            }
            close(pffd);
            pffd = -1;
        }
        debugs(89, 9, HERE << "address: " << newConn);
        return false;
    } else {
        newConn->local = nl.rdaddr.v4;
        newConn->local.SetPort(ntohs(nl.rdport));
        debugs(89, 5, HERE << "address NAT: " << newConn);
        return true;
    }

#endif /* --enable-pf-transparent */
    return false;
}

bool
Ip::Intercept::Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn)
{
    /* --enable-linux-netfilter    */
    /* --enable-ipfw-transparent   */
    /* --enable-ipf-transparent    */
    /* --enable-pf-transparent     */
#if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT

#if 0
    // Crop interception errors down to one per minute.
    int silent = (squid_curtime - lastReported_ > 60 ? 0 : 1);
#else
    // Show all interception errors.
    int silent = 0;
#endif

    debugs(89, 5, HERE << "address BEGIN: me/client= " << newConn->local << ", destination/me= " << newConn->remote);

    newConn->flags |= (listenConn->flags & (COMM_TRANSPARENT|COMM_INTERCEPTION));

    /* NP: try TPROXY first, its much quieter than NAT when non-matching */
    if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) {
        if (NetfilterTransparent(newConn, silent)) return true;
    }

    /* NAT is only available in IPv4 */
    if ( !newConn->local.IsIPv4()  ) return false;
    if ( !newConn->remote.IsIPv4() ) return false;

    if (interceptActive_ && listenConn->flags&COMM_INTERCEPTION) {
        /* NAT methods that use sock-opts to return client address */
        if (NetfilterInterception(newConn, silent)) return true;
        if (IpfwInterception(newConn, silent)) return true;

        /* NAT methods that use ioctl to return client address AND destination address */
        if (PfInterception(newConn, silent)) return true;
        if (IpfInterception(newConn, silent)) return true;
    }

#else /* none of the transparent options configured */
    debugs(89, DBG_IMPORTANT, "WARNING: transparent proxying not supported");
#endif

    return false;
}

bool
Ip::Intercept::ProbeForTproxy(Ip::Address &test)
{
    debugs(3, 3, "Detect TPROXY support on port " << test);

#if defined(IP_TRANSPARENT)

    int tos = 1;
    int tmp_sock = -1;

    /* Probe to see if the Kernel TPROXY support is IPv6-enabled */
    if (test.IsIPv6()) {
        debugs(3, 3, "...Probing for IPv6 TPROXY support.");

        struct sockaddr_in6 tmp_ip6;
        Ip::Address tmp = "::2";
        tmp.SetPort(0);
        tmp.GetSockAddr(tmp_ip6);

        if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
                setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
                bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {

            debugs(3, 3, "IPv6 TPROXY support detected. Using.");
            close(tmp_sock);
            return true;
        }
        if (tmp_sock >= 0) {
            close(tmp_sock);
            tmp_sock = -1;
        }
    }

    if ( test.IsIPv6() && !test.SetIPv4() ) {
        debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
        return false;
    }

    /* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
    if (test.IsIPv4()) {
        debugs(3, 3, "...Probing for IPv4 TPROXY support.");

        struct sockaddr_in tmp_ip4;
        Ip::Address tmp = "127.0.0.2";
        tmp.SetPort(0);
        tmp.GetSockAddr(tmp_ip4);

        if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
                setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
                bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {

            debugs(3, 3, "IPv4 TPROXY support detected. Using.");
            close(tmp_sock);
            return true;
        }
        if (tmp_sock >= 0) {
            close(tmp_sock);
        }
    }

#else /* undefined IP_TRANSPARENT */
    debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this platform. Disabling TPROXYv4.");
#endif
    return false;
}
Commit	Line	Data
c8be6d7b	1	/*
26ac0430	2	* DEBUG: section 89 NAT / IP Interception
c8be6d7b	3	* AUTHOR: Robert Collins
04f87469	4	* AUTHOR: Amos Jeffries
c8be6d7b	5	*
	6	* SQUID Web Proxy Cache http://www.squid-cache.org/
	7	* ----------------------------------------------------------
	8	*
	9	* Squid is the result of efforts by numerous individuals from
	10	* the Internet community; see the CONTRIBUTORS file for full
	11	* details. Many organizations have provided support for Squid's
	12	* development; see the SPONSORS file for full details. Squid is
	13	* Copyrighted (C) 2001 by the Regents of the University of
	14	* California; see the COPYRIGHT file for full details. Squid
	15	* incorporates software developed and/or copyrighted by other
	16	* sources; see the CREDITS file for full details.
	17	*
	18	* This program is free software; you can redistribute it and/or modify
	19	* it under the terms of the GNU General Public License as published by
	20	* the Free Software Foundation; either version 2 of the License, or
	21	* (at your option) any later version.
26ac0430	22	*
c8be6d7b	23	* This program is distributed in the hope that it will be useful,
	24	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	25	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	26	* GNU General Public License for more details.
26ac0430	27	*
c8be6d7b	28	* You should have received a copy of the GNU General Public License
	29	* along with this program; if not, write to the Free Software
	30	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	31	*
	32	*/
a74968c2	33	#include "config.h"
40d34a62	34	#include "comm/Connection.h"
96d89ea0	35	#include "ip/Intercept.h"
b3166404	36	#include "fde.h"
fc27cd70	37
c8be6d7b	38	#if IPF_TRANSPARENT
34ec5c62	39
c8be6d7b	40	#if HAVE_SYS_IOCTL_H
	41	#include <sys/ioctl.h>
	42	#endif
e9e7c285	43	#if HAVE_NETINET_TCP_H
c8be6d7b	44	#include <netinet/tcp.h>
e9e7c285	45	#endif
e9e7c285	46	#if HAVE_NET_IF_H
c8be6d7b	47	#include <net/if.h>
e9e7c285	48	#endif
b0dfd10b	49	#if HAVE_IPL_H
dbc5782a	50	#include <ipl.h>
	51	#elif HAVE_NETINET_IPL_H
	52	#include <netinet/ipl.h>
	53	#endif
c8be6d7b	54	#if HAVE_IP_FIL_COMPAT_H
	55	#include <ip_fil_compat.h>
	56	#elif HAVE_NETINET_IP_FIL_COMPAT_H
	57	#include <netinet/ip_fil_compat.h>
	58	#elif HAVE_IP_COMPAT_H
	59	#include <ip_compat.h>
	60	#elif HAVE_NETINET_IP_COMPAT_H
	61	#include <netinet/ip_compat.h>
	62	#endif
	63	#if HAVE_IP_FIL_H
	64	#include <ip_fil.h>
	65	#elif HAVE_NETINET_IP_FIL_H
	66	#include <netinet/ip_fil.h>
	67	#endif
	68	#if HAVE_IP_NAT_H
	69	#include <ip_nat.h>
	70	#elif HAVE_NETINET_IP_NAT_H
	71	#include <netinet/ip_nat.h>
	72	#endif
34ec5c62 AJ	73
34ec5c62 AJ	74	#endif /* IPF_TRANSPARENT required headers */
c8be6d7b	75
c8be6d7b	76	#if PF_TRANSPARENT
c8be6d7b	77	#include <sys/socket.h>
	78	#include <sys/ioctl.h>
	79	#include <sys/fcntl.h>
	80	#include <net/if.h>
	81	#include <netinet/in.h>
b0dfd10b	82	#if HAVE_NET_PF_PFVAR_H
ec9909b0 AJ	83	#include <net/pf/pfvar.h>
ec9909b0 AJ	84	#endif /* HAVE_NET_PF_PFVAR_H */
b0dfd10b	85	#if HAVE_NET_PFVAR_H
c8be6d7b	86	#include <net/pfvar.h>
ec9909b0	87	#endif /* HAVE_NET_PFVAR_H */
34ec5c62	88	#endif /* PF_TRANSPARENT required headers */
c8be6d7b	89
	90	#if LINUX_NETFILTER
	91	#include <linux/netfilter_ipv4.h>
	92	#endif
	93
0fc2952e	94	// single global instance for access by other components.
b7ac5457	95	Ip::Intercept Ip::Interceptor;
0fc2952e	96
04f87469	97	void
b7ac5457	98	Ip::Intercept::StopTransparency(const char *str)
26ac0430	99	{
40d34a62	100	if (transparentActive_) {
788625af	101	debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
40d34a62	102	transparentActive_ = 0;
788625af	103	}
04f87469 AJ	104	}
	105
	106	void
b7ac5457	107	Ip::Intercept::StopInterception(const char *str)
26ac0430	108	{
40d34a62	109	if (interceptActive_) {
788625af	110	debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
40d34a62	111	interceptActive_ = 0;
788625af	112	}
04f87469	113	}
0fc2952e	114
40d34a62 AJ	115	bool
40d34a62 AJ	116	Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
7b0a0d1f AJ	117	{
7b0a0d1f AJ	118	#if LINUX_NETFILTER
40d34a62 AJ	119	struct sockaddr_in lookup;
	120	socklen_t len = sizeof(struct sockaddr_in);
	121	newConn->local.GetSockAddr(lookup);
7b0a0d1f AJ	122
	123	/** \par
	124	* Try NAT lookup for REDIRECT or DNAT targets. */
40d34a62	125	if ( getsockopt(newConn->fd, IPPROTO_IP, SO_ORIGINAL_DST, &lookup, &len) != 0) {
26ac0430	126	if (!silent) {
40d34a62 AJ	127	debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
40d34a62 AJ	128	lastReported_ = squid_curtime;
7b0a0d1f	129	}
40d34a62 AJ	130	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	131	return false;
26ac0430	132	} else {
40d34a62 AJ	133	newConn->local = lookup;
	134	debugs(89, 5, HERE << "address NAT: " << newConn);
	135	return true;
7b0a0d1f	136	}
7b0a0d1f	137	#endif
40d34a62	138	return false;
7b0a0d1f AJ	139	}
7b0a0d1f AJ	140
40d34a62 AJ	141	bool
40d34a62 AJ	142	Ip::Intercept::NetfilterTransparent(const Comm::ConnectionPointer &newConn, int silent)
7b0a0d1f AJ	143	{
7b0a0d1f AJ	144	#if LINUX_NETFILTER
acaa7194 AJ	145	/* Trust the user configured properly. If not no harm done.
acaa7194 AJ	146	* We will simply attempt a bind outgoing on our own IP.
acaa7194	147	*/
40d34a62 AJ	148	newConn->remote.SetPort(0); // allow random outgoing port to prevent address clashes
	149	debugs(89, 5, HERE << "address TPROXY: " << newConn);
	150	return true;
	151	#else
	152	return false;
acaa7194	153	#endif
7b0a0d1f AJ	154	}
7b0a0d1f AJ	155
40d34a62 AJ	156	bool
40d34a62 AJ	157	Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn, int silent)
d8b5bcbc AJ	158	{
d8b5bcbc AJ	159	#if IPFW_TRANSPARENT
1b76e6c1 AJ	160	struct sockaddr_storage lookup;
	161	socklen_t len = sizeof(struct sockaddr_storage);
	162	newConn->local.GetSockAddr(lookup, AF_INET);
d8b5bcbc AJ	163
	164	/** \par
	165	* Try lookup for IPFW interception. */
1b76e6c1	166	if ( getsockname(newConn->fd, (struct sockaddr*)&lookup, &len) != 0 ) {
26ac0430	167	if ( !silent ) {
d8b5bcbc	168	debugs(89, DBG_IMPORTANT, HERE << " IPFW getsockname(...) failed: " << xstrerror());
40d34a62	169	lastReported_ = squid_curtime;
d8b5bcbc	170	}
40d34a62 AJ	171	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	172	return false;
26ac0430	173	} else {
40d34a62 AJ	174	newConn->local = lookup;
	175	debugs(89, 5, HERE << "address NAT: " << newConn);
	176	return true;
d8b5bcbc	177	}
d8b5bcbc	178	#endif
40d34a62	179	return false;
d8b5bcbc	180	}
0fc2952e	181
40d34a62 AJ	182	bool
40d34a62 AJ	183	Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn, int silent)
3f38a55e	184	{
f1e0717c	185	#if IPF_TRANSPARENT /* --enable-ipf-transparent */
62e76326	186
c8be6d7b	187	struct natlookup natLookup;
c8be6d7b	188	static int natfd = -1;
c8be6d7b	189	int x;
3f38a55e	190
c74be4ce	191	// all fields must be set to 0
dcfb239f	192	memset(&natLookup, 0, sizeof(natLookup));
c74be4ce	193	// for NAT lookup set local and remote IP:port's
40d34a62 AJ	194	natLookup.nl_inport = htons(newConn->local.GetPort());
40d34a62 AJ	195	newConn->local.GetInAddr(natLookup.nl_inip);
9a8b1816	196	natLookup.nl_outport = htons(newConn->remote.GetPort());
40d34a62	197	newConn->remote.GetInAddr(natLookup.nl_outip);
c74be4ce	198	// ... and the TCP flag
c8be6d7b	199	natLookup.nl_flags = IPN_TCP;
62e76326	200
26ac0430	201	if (natfd < 0) {
62e76326	202	int save_errno;
62e76326	203	enter_suid();
dbc5782a	204	#ifdef IPNAT_NAME
dbc5782a	205	natfd = open(IPNAT_NAME, O_RDONLY, 0);
98a3bc99	206	#else
62e76326	207	natfd = open(IPL_NAT, O_RDONLY, 0);
98a3bc99	208	#endif
62e76326	209	save_errno = errno;
	210	leave_suid();
	211	errno = save_errno;
c8be6d7b	212	}
62e76326	213
26ac0430	214	if (natfd < 0) {
219f8edb	215	if (!silent) {
c74be4ce	216	debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT open failed: " << xstrerror());
40d34a62 AJ	217	lastReported_ = squid_curtime;
40d34a62 AJ	218	return false;
d6026916	219	}
c8be6d7b	220	}
62e76326	221
dbc5782a	222	#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
c74be4ce AJ	223	struct ipfobj obj;
	224	memset(&obj, 0, sizeof(obj));
	225	obj.ipfo_rev = IPFILTER_VERSION;
	226	obj.ipfo_size = sizeof(natLookup);
	227	obj.ipfo_ptr = &natLookup;
	228	obj.ipfo_type = IPFOBJ_NATLOOKUP;
	229
dbc5782a	230	x = ioctl(natfd, SIOCGNATL, &obj);
dbc5782a	231	#else
3f38a55e	232	/*
dbc5782a	233	* IP-Filter changed the type for SIOCGNATL between
	234	* 3.3 and 3.4. It also changed the cmd value for
	235	* SIOCGNATL, so at least we can detect it. We could
	236	* put something in configure and use ifdefs here, but
	237	* this seems simpler.
	238	*/
c74be4ce	239	static int siocgnatl_cmd = SIOCGNATL & 0xff;
26ac0430	240	if (63 == siocgnatl_cmd) {
62e76326	241	struct natlookup *nlp = &natLookup;
62e76326	242	x = ioctl(natfd, SIOCGNATL, &nlp);
26ac0430	243	} else {
62e76326	244	x = ioctl(natfd, SIOCGNATL, &natLookup);
	245	}
	246
dbc5782a	247	#endif
26ac0430	248	if (x < 0) {
62e76326	249	if (errno != ESRCH) {
219f8edb	250	if (!silent) {
c74be4ce	251	debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerror());
40d34a62	252	lastReported_ = squid_curtime;
d6026916	253	}
d6026916	254
62e76326	255	close(natfd);
	256	natfd = -1;
	257	}
	258
40d34a62 AJ	259	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	260	return false;
26ac0430	261	} else {
40d34a62 AJ	262	newConn->local = natLookup.nl_realip;
	263	newConn->local.SetPort(ntohs(natLookup.nl_realport));
	264	debugs(89, 5, HERE << "address NAT: " << newConn);
	265	return true;
c8be6d7b	266	}
62e76326	267
219f8edb	268	#endif /* --enable-ipf-transparent */
40d34a62	269	return false;
219f8edb	270	}
f1e0717c	271
40d34a62 AJ	272	bool
40d34a62 AJ	273	Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent)
219f8edb	274	{
51f4d36b	275	#if PF_TRANSPARENT /* --enable-pf-transparent */
62e76326	276
3f38a55e	277	struct pfioc_natlook nl;
3f38a55e	278	static int pffd = -1;
62e76326	279
62e76326	280	if (pffd < 0)
d14c6ef2	281	pffd = open("/dev/pf", O_RDONLY);
62e76326	282
26ac0430	283	if (pffd < 0) {
51f4d36b	284	if (!silent) {
e9172f79	285	debugs(89, DBG_IMPORTANT, HERE << "PF open failed: " << xstrerror());
40d34a62	286	lastReported_ = squid_curtime;
d6026916	287	}
40d34a62	288	return false;
c8be6d7b	289	}
62e76326	290
c8be6d7b	291	memset(&nl, 0, sizeof(struct pfioc_natlook));
40d34a62 AJ	292	newConn->remote.GetInAddr(nl.saddr.v4);
40d34a62 AJ	293	nl.sport = htons(newConn->remote.GetPort());
cc192b50	294
40d34a62 AJ	295	newConn->local.GetInAddr(nl.daddr.v4);
40d34a62 AJ	296	nl.dport = htons(newConn->local.GetPort());
cc192b50	297
c8be6d7b	298	nl.af = AF_INET;
	299	nl.proto = IPPROTO_TCP;
	300	nl.direction = PF_OUT;
62e76326	301
26ac0430	302	if (ioctl(pffd, DIOCNATLOOK, &nl)) {
62e76326	303	if (errno != ENOENT) {
51f4d36b	304	if (!silent) {
e9172f79	305	debugs(89, DBG_IMPORTANT, HERE << "PF lookup failed: ioctl(DIOCNATLOOK)");
40d34a62	306	lastReported_ = squid_curtime;
d6026916	307	}
62e76326	308	close(pffd);
	309	pffd = -1;
	310	}
40d34a62 AJ	311	debugs(89, 9, HERE << "address: " << newConn);
40d34a62 AJ	312	return false;
26ac0430	313	} else {
40d34a62 AJ	314	newConn->local = nl.rdaddr.v4;
	315	newConn->local.SetPort(ntohs(nl.rdport));
	316	debugs(89, 5, HERE << "address NAT: " << newConn);
	317	return true;
3f38a55e	318	}
62e76326	319
51f4d36b	320	#endif /* --enable-pf-transparent */
40d34a62	321	return false;
51f4d36b AJ	322	}
51f4d36b AJ	323
40d34a62 AJ	324	bool
40d34a62 AJ	325	Ip::Intercept::Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn)
51f4d36b	326	{
af6a12ee AJ	327	/* --enable-linux-netfilter */
	328	/* --enable-ipfw-transparent */
	329	/* --enable-ipf-transparent */
	330	/* --enable-pf-transparent */
51f4d36b AJ	331	#if IPF_TRANSPARENT \|\| LINUX_NETFILTER \|\| IPFW_TRANSPARENT \|\| PF_TRANSPARENT
51f4d36b AJ	332
51f4d36b AJ	333	#if 0
51f4d36b AJ	334	// Crop interception errors down to one per minute.
40d34a62	335	int silent = (squid_curtime - lastReported_ > 60 ? 0 : 1);
51f4d36b AJ	336	#else
	337	// Show all interception errors.
	338	int silent = 0;
	339	#endif
	340
40d34a62 AJ	341	debugs(89, 5, HERE << "address BEGIN: me/client= " << newConn->local << ", destination/me= " << newConn->remote);
	342
	343	newConn->flags \|= (listenConn->flags & (COMM_TRANSPARENT\|COMM_INTERCEPTION));
e9172f79	344
9bad3e09	345	/* NP: try TPROXY first, its much quieter than NAT when non-matching */
40d34a62 AJ	346	if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) {
40d34a62 AJ	347	if (NetfilterTransparent(newConn, silent)) return true;
9bad3e09 AJ	348	}
9bad3e09 AJ	349
b9420956	350	/* NAT is only available in IPv4 */
40d34a62 AJ	351	if ( !newConn->local.IsIPv4() ) return false;
40d34a62 AJ	352	if ( !newConn->remote.IsIPv4() ) return false;
11298d0d	353
40d34a62	354	if (interceptActive_ && listenConn->flags&COMM_INTERCEPTION) {
e9172f79	355	/* NAT methods that use sock-opts to return client address */
40d34a62 AJ	356	if (NetfilterInterception(newConn, silent)) return true;
40d34a62 AJ	357	if (IpfwInterception(newConn, silent)) return true;
e9172f79 AJ	358
e9172f79 AJ	359	/* NAT methods that use ioctl to return client address AND destination address */
40d34a62 AJ	360	if (PfInterception(newConn, silent)) return true;
40d34a62 AJ	361	if (IpfInterception(newConn, silent)) return true;
51f4d36b	362	}
f1e0717c	363
51f4d36b	364	#else /* none of the transparent options configured */
e9172f79	365	debugs(89, DBG_IMPORTANT, "WARNING: transparent proxying not supported");
3f38a55e	366	#endif
3f38a55e	367
40d34a62	368	return false;
f1e0717c	369	}
34ec5c62	370
263f84f0	371	bool
b7ac5457	372	Ip::Intercept::ProbeForTproxy(Ip::Address &test)
263f84f0 AJ	373	{
263f84f0 AJ	374	debugs(3, 3, "Detect TPROXY support on port " << test);
263f84f0 AJ	375
	376	#if defined(IP_TRANSPARENT)
	377
	378	int tos = 1;
	379	int tmp_sock = -1;
	380
263f84f0 AJ	381	/* Probe to see if the Kernel TPROXY support is IPv6-enabled */
	382	if (test.IsIPv6()) {
	383	debugs(3, 3, "...Probing for IPv6 TPROXY support.");
	384
	385	struct sockaddr_in6 tmp_ip6;
b7ac5457	386	Ip::Address tmp = "::2";
263f84f0 AJ	387	tmp.SetPort(0);
	388	tmp.GetSockAddr(tmp_ip6);
	389
	390	if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
f54f527e AJ	391	setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
f54f527e AJ	392	bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {
263f84f0 AJ	393
263f84f0 AJ	394	debugs(3, 3, "IPv6 TPROXY support detected. Using.");
fb5bffa3	395	close(tmp_sock);
263f84f0 AJ	396	return true;
	397	}
	398	if (tmp_sock >= 0) {
fb5bffa3	399	close(tmp_sock);
263f84f0 AJ	400	tmp_sock = -1;
	401	}
	402	}
	403
	404	if ( test.IsIPv6() && !test.SetIPv4() ) {
	405	debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
	406	return false;
	407	}
263f84f0 AJ	408
	409	/* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
	410	if (test.IsIPv4()) {
	411	debugs(3, 3, "...Probing for IPv4 TPROXY support.");
	412
	413	struct sockaddr_in tmp_ip4;
b7ac5457	414	Ip::Address tmp = "127.0.0.2";
263f84f0 AJ	415	tmp.SetPort(0);
	416	tmp.GetSockAddr(tmp_ip4);
	417
	418	if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
f54f527e AJ	419	setsockopt(tmp_sock, SOL_IP, IP_TRANSPARENT, (char *)&tos, sizeof(int)) == 0 &&
f54f527e AJ	420	bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {
263f84f0 AJ	421
263f84f0 AJ	422	debugs(3, 3, "IPv4 TPROXY support detected. Using.");
fb5bffa3	423	close(tmp_sock);
263f84f0 AJ	424	return true;
	425	}
	426	if (tmp_sock >= 0) {
fb5bffa3	427	close(tmp_sock);
263f84f0 AJ	428	}
	429	}
	430
	431	#else /* undefined IP_TRANSPARENT */
	432	debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this platform. Disabling TPROXYv4.");
	433	#endif
263f84f0 AJ	434	return false;
263f84f0 AJ	435	}