[thirdparty/squid.git] / src / ip / Intercept.cc

/*
 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 89    NAT / IP Interception */

// Enable hack to workaround Solaris 10 IPFilter breakage
#define BUILDING_SQUID_IP_INTERCEPT_CC 1

#include "squid.h"
#include "comm/Connection.h"
#include "fde.h"
#include "ip/Intercept.h"
#include "ip/tools.h"
#include "src/tools.h"

#include <cerrno>

#if IPF_TRANSPARENT

#if !defined(IPFILTER_VERSION)
#define IPFILTER_VERSION        5000004
#endif

#if HAVE_SYS_PARAM_H
#include <sys/param.h>
#endif
#if HAVE_SYS_IOCCOM_H
#include <sys/ioccom.h>
#endif
#if HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif
#if HAVE_NETINET_IP6_H
#include <netinet/ip6.h>
#endif
#if HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#if HAVE_NET_IF_H
#include <net/if.h>
#endif
#if HAVE_IPL_H
#include <ipl.h>
#elif HAVE_NETINET_IPL_H
#include <netinet/ipl.h>
#endif
#if USE_SOLARIS_IPFILTER_MINOR_T_HACK
#undef minor_t
#endif
#if HAVE_IP_FIL_COMPAT_H
#include <ip_fil_compat.h>
#elif HAVE_NETINET_IP_FIL_COMPAT_H
#include <netinet/ip_fil_compat.h>
#elif HAVE_IP_COMPAT_H
#include <ip_compat.h>
#elif HAVE_NETINET_IP_COMPAT_H
#include <netinet/ip_compat.h>
#endif
#if HAVE_IP_FIL_H
#include <ip_fil.h>
#elif HAVE_NETINET_IP_FIL_H
#include <netinet/ip_fil.h>
#endif
#if HAVE_IP_NAT_H
#include <ip_nat.h>
#elif HAVE_NETINET_IP_NAT_H
#include <netinet/ip_nat.h>
#endif

#endif /* IPF_TRANSPARENT required headers */

#if PF_TRANSPARENT
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#if HAVE_NET_PF_PFVAR_H
#include <net/pf/pfvar.h>
#endif /* HAVE_NET_PF_PFVAR_H */
#if HAVE_NET_PFVAR_H
#include <net/pfvar.h>
#endif /* HAVE_NET_PFVAR_H */
#endif /* PF_TRANSPARENT required headers */

#if LINUX_NETFILTER
/* <climits> must be before including netfilter_ipv4.h */
#include <climits>
#include <linux/if.h>
#include <linux/netfilter_ipv4.h>
#if HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
/* 2013-07-01: Pablo the Netfilter maintainer is rejecting patches
 * which will enable C++ compilers to build the Netfilter public headers.
 * We can auto-detect its presence and attempt to use in case he ever
 * changes his mind or things get cleaned up some other way.
 * But until then are usually forced to hard-code the getsockopt() code
 * for IPv6 NAT lookups.
 */
#include <linux/netfilter_ipv6/ip6_tables.h>
#endif
#if !defined(IP6T_SO_ORIGINAL_DST)
#define IP6T_SO_ORIGINAL_DST    80  // stolen with prejudice from the above file.
#endif
#endif /* LINUX_NETFILTER required headers */

// single global instance for access by other components.
Ip::Intercept Ip::Interceptor;

void
Ip::Intercept::StopTransparency(const char *str)
{
    if (transparentActive_) {
        debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
        transparentActive_ = 0;
    }
}

bool
Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn)
{
#if LINUX_NETFILTER
    struct sockaddr_storage lookup;
    socklen_t len = newConn->local.isIPv6() ? sizeof(sockaddr_in6) : sizeof(sockaddr_in);
    newConn->local.getSockAddr(lookup, AF_UNSPEC);

    /** \par
     * Try NAT lookup for REDIRECT or DNAT targets. */
    if ( getsockopt(newConn->fd,
                    newConn->local.isIPv6() ? IPPROTO_IPV6 : IPPROTO_IP,
                    newConn->local.isIPv6() ? IP6T_SO_ORIGINAL_DST : SO_ORIGINAL_DST,
                    &lookup,
                    &len) != 0) {
        const auto xerrno = errno;
        debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerr(xerrno));
        return false;
    } else {
        newConn->local = lookup;
        debugs(89, 5, "address NAT: " << newConn);
        return true;
    }
#else
    (void)newConn;
#endif
    return false;
}

void
Ip::Intercept::StartTransparency()
{
    // --enable-linux-netfilter
    // --enable-pf-transparent
    // --enable-ipfw-transparent
#if (LINUX_NETFILTER && defined(IP_TRANSPARENT)) || \
    (PF_TRANSPARENT && defined(SO_BINDANY)) || \
    (IPFW_TRANSPARENT && defined(IP_BINDANY))
    transparentActive_ = 1;
#else
    throw TextException("requires TPROXY feature to be enabled by ./configure", Here());
#endif
}

void
Ip::Intercept::StartInterception()
{
    // --enable-linux-netfilter
    // --enable-ipfw-transparent
    // --enable-ipf-transparent
    // --enable-pf-transparent
#if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT
    interceptActive_ = 1;
#else
    throw TextException("requires NAT Interception feature to be enabled by ./configure", Here());
#endif
}

bool
Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn)
{
#if IPFW_TRANSPARENT
    return UseInterceptionAddressesLookedUpEarlier(__FUNCTION__, newConn);
#else
    (void)newConn;
    return false;
#endif
}

/// Assume that getsockname() has been called already and provided the necessary
/// TCP packet details. There is no way to identify whether they came from NAT.
/// Trust the user configured properly.
bool
Ip::Intercept::UseInterceptionAddressesLookedUpEarlier(const char * const caller, const Comm::ConnectionPointer &newConn)
{
    // paranoid: ./configure should prohibit these combinations
#if LINUX_NETFILTER && PF_TRANSPARENT && !USE_NAT_DEVPF
    static_assert(!"--enable-linux-netfilter is incompatible with --enable-pf-transparent --without-nat-devpf");
#endif
#if LINUX_NETFILTER && IPFW_TRANSPARENT
    static_assert(!"--enable-linux-netfilter is incompatible with --enable-ipfw-transparent");
#endif
    // --enable-linux-netfilter is compatible with --enable-ipf-transparent

    debugs(89, 5, caller << " uses " << newConn);
    return true;
}

bool
Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn)
{
#if IPF_TRANSPARENT  /* --enable-ipf-transparent */

    struct natlookup natLookup;
    static int natfd = -1;
    int x;

    // all fields must be set to 0
    memset(&natLookup, 0, sizeof(natLookup));
    // for NAT lookup set local and remote IP:port's
    if (newConn->remote.isIPv6()) {
#if HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6
        natLookup.nl_v = 6;
        newConn->local.getInAddr(natLookup.nl_inipaddr.in6);
        newConn->remote.getInAddr(natLookup.nl_outipaddr.in6);
    }
    else {
        natLookup.nl_v = 4;
        newConn->local.getInAddr(natLookup.nl_inipaddr.in4);
        newConn->remote.getInAddr(natLookup.nl_outipaddr.in4);
    }
#else /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */
        // warn once every 10 at critical level, then push down a level each repeated event
        static int warningLevel = DBG_CRITICAL;
        debugs(89, warningLevel, "Your IPF (IPFilter) NAT does not support IPv6. Please upgrade it.");
        warningLevel = (warningLevel + 1) % 10;
        return false;
    }
    newConn->local.getInAddr(natLookup.nl_inip);
    newConn->remote.getInAddr(natLookup.nl_outip);
#endif /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */
    natLookup.nl_inport = htons(newConn->local.port());
    natLookup.nl_outport = htons(newConn->remote.port());
    // ... and the TCP flag
    natLookup.nl_flags = IPN_TCP;

    if (natfd < 0) {
        int save_errno;
        enter_suid();
#ifdef IPNAT_NAME
        natfd = open(IPNAT_NAME, O_RDONLY, 0);
#else
        natfd = open(IPL_NAT, O_RDONLY, 0);
#endif
        save_errno = errno;
        leave_suid();
        errno = save_errno;
    }

    if (natfd < 0) {
        const auto xerrno = errno;
        debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT open failed: " << xstrerr(xerrno));
        return false;
    }

#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
    struct ipfobj obj;
    memset(&obj, 0, sizeof(obj));
    obj.ipfo_rev = IPFILTER_VERSION;
    obj.ipfo_size = sizeof(natLookup);
    obj.ipfo_ptr = &natLookup;
    obj.ipfo_type = IPFOBJ_NATLOOKUP;

    x = ioctl(natfd, SIOCGNATL, &obj);
#else
    /*
    * IP-Filter changed the type for SIOCGNATL between
    * 3.3 and 3.4.  It also changed the cmd value for
    * SIOCGNATL, so at least we can detect it.  We could
    * put something in configure and use ifdefs here, but
    * this seems simpler.
    */
    static int siocgnatl_cmd = SIOCGNATL & 0xff;
    if (63 == siocgnatl_cmd) {
        struct natlookup *nlp = &natLookup;
        x = ioctl(natfd, SIOCGNATL, &nlp);
    } else {
        x = ioctl(natfd, SIOCGNATL, &natLookup);
    }

#endif /* defined(IPFILTER_VERSION) ... */
    if (x < 0) {
        const auto xerrno = errno;
        if (xerrno != ESRCH) {
            debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerr(xerrno));
            close(natfd);
            natfd = -1;
        }

        debugs(89, 9, "address: " << newConn);
        return false;
    } else {
#if HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6
        if (newConn->remote.isIPv6())
            newConn->local = natLookup.nl_realipaddr.in6;
        else
            newConn->local = natLookup.nl_realipaddr.in4;
#else
        newConn->local = natLookup.nl_realip;
#endif
        newConn->local.port(ntohs(natLookup.nl_realport));
        debugs(89, 5, "address NAT: " << newConn);
        return true;
    }

#else
    (void)newConn;
#endif /* --enable-ipf-transparent */
    return false;
}

bool
Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn)
{
#if PF_TRANSPARENT  /* --enable-pf-transparent */

#if !USE_NAT_DEVPF
    return UseInterceptionAddressesLookedUpEarlier("recent PF version", newConn);

#else /* USE_NAT_DEVPF / --with-nat-devpf */

    struct pfioc_natlook nl;
    static int pffd = -1;

    if (pffd < 0)
        pffd = open("/dev/pf", O_RDONLY);

    if (pffd < 0) {
        const auto xerrno = errno;
        debugs(89, DBG_IMPORTANT, "ERROR: PF open failed: " << xstrerr(xerrno));
        return false;
    }

    memset(&nl, 0, sizeof(struct pfioc_natlook));

    if (newConn->remote.isIPv6()) {
        newConn->remote.getInAddr(nl.saddr.v6);
        newConn->local.getInAddr(nl.daddr.v6);
        nl.af = AF_INET6;
    } else {
        newConn->remote.getInAddr(nl.saddr.v4);
        newConn->local.getInAddr(nl.daddr.v4);
        nl.af = AF_INET;
    }

    nl.sport = htons(newConn->remote.port());
    nl.dport = htons(newConn->local.port());

    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;

    if (ioctl(pffd, DIOCNATLOOK, &nl)) {
        const auto xerrno = errno;
        if (xerrno != ENOENT) {
            debugs(89, DBG_IMPORTANT, "ERROR: PF lookup failed: ioctl(DIOCNATLOOK): " << xstrerr(xerrno));
            close(pffd);
            pffd = -1;
        }
        debugs(89, 9, "address: " << newConn);
        return false;
    } else {
        if (newConn->remote.isIPv6())
            newConn->local = nl.rdaddr.v6;
        else
            newConn->local = nl.rdaddr.v4;
        newConn->local.port(ntohs(nl.rdport));
        debugs(89, 5, "address NAT: " << newConn);
        return true;
    }
#endif /* --with-nat-devpf */
#else
    (void)newConn;
#endif /* --enable-pf-transparent */
    return false;
}

bool
Ip::Intercept::LookupNat(const Comm::Connection &aConn)
{
    debugs(89, 5, "address BEGIN: me/client= " << aConn.local << ", destination/me= " << aConn.remote);
    assert(interceptActive_);

    Comm::ConnectionPointer newConn = &aConn;
    return NetfilterInterception(newConn) || IpfwInterception(newConn) || // use sock-opts to return client address
           PfInterception(newConn) || IpfInterception(newConn); // use ioctl to return client address AND destination address
}

bool
Ip::Intercept::ProbeForTproxy(Ip::Address &test)
{
    bool doneSuid = false;

#if _SQUID_LINUX_ && defined(IP_TRANSPARENT) // Linux
# define soLevel SOL_IP
# define soFlag  IP_TRANSPARENT

#elif defined(SO_BINDANY) // OpenBSD 4.7+ and NetBSD with PF
# define soLevel SOL_SOCKET
# define soFlag  SO_BINDANY
    enter_suid();
    doneSuid = true;

#elif defined(IP_BINDANY) // FreeBSD with IPFW
# define soLevel IPPROTO_IP
# define soFlag  IP_BINDANY
    enter_suid();
    doneSuid = true;

#endif

#if defined(soLevel) && defined(soFlag)

    debugs(3, 3, "Detect TPROXY support on port " << test);

    if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) {
        debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled");
        if (doneSuid)
            leave_suid();
        return false;
    }

    int tos = 1;
    int tmp_sock = -1;

    /* Probe to see if the Kernel TPROXY support is IPv6-enabled */
    if (test.isIPv6()) {
        debugs(3, 3, "...Probing for IPv6 TPROXY support.");

        struct sockaddr_in6 tmp_ip6;
        Ip::Address tmp = "::2";
        tmp.port(0);
        tmp.getSockAddr(tmp_ip6);

        if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
                setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
                bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {

            debugs(3, 3, "IPv6 TPROXY support detected. Using.");
            close(tmp_sock);
            if (doneSuid)
                leave_suid();
            return true;
        }
        if (tmp_sock >= 0) {
            close(tmp_sock);
            tmp_sock = -1;
        }
    }

    if ( test.isIPv6() && !test.setIPv4() ) {
        debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
        if (doneSuid)
            leave_suid();
        return false;
    }

    /* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
    if (test.isIPv4()) {
        debugs(3, 3, "...Probing for IPv4 TPROXY support.");

        struct sockaddr_in tmp_ip4;
        Ip::Address tmp = "127.0.0.2";
        tmp.port(0);
        tmp.getSockAddr(tmp_ip4);

        if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
                setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
                bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {

            debugs(3, 3, "IPv4 TPROXY support detected. Using.");
            close(tmp_sock);
            if (doneSuid)
                leave_suid();
            return true;
        }
        if (tmp_sock >= 0) {
            close(tmp_sock);
        }
    }

#else
    debugs(3, 3, "TPROXY setsockopt() not supported on this platform. Disabling TPROXY on port " << test);

#endif
    if (doneSuid)
        leave_suid();
    return false;
}
Commit	Line	Data
c8be6d7b	1	/*
1f7b830e	2	* Copyright (C) 1996-2025 The Squid Software Foundation and contributors
c8be6d7b	3	*
bbc27441 AJ	4	* Squid software is distributed under GPLv2+ license and includes
	5	* contributions from numerous individuals and organizations.
	6	* Please see the COPYING and CONTRIBUTORS files for details.
c8be6d7b	7	*/
bbc27441 AJ	8
	9	/* DEBUG: section 89 NAT / IP Interception */
	10
d25bbe26 AJ	11	// Enable hack to workaround Solaris 10 IPFilter breakage
	12	#define BUILDING_SQUID_IP_INTERCEPT_CC 1
	13
f7f3304a	14	#include "squid.h"
40d34a62	15	#include "comm/Connection.h"
b3166404	16	#include "fde.h"
602d9612	17	#include "ip/Intercept.h"
97bbba61	18	#include "ip/tools.h"
5c1be108	19	#include "src/tools.h"
fc27cd70	20
1a30fdf5 AJ	21	#include <cerrno>
1a30fdf5 AJ	22
c8be6d7b	23	#if IPF_TRANSPARENT
34ec5c62	24
d25bbe26 AJ	25	#if !defined(IPFILTER_VERSION)
	26	#define IPFILTER_VERSION 5000004
	27	#endif
	28
4e3e244d TK	29	#if HAVE_SYS_PARAM_H
	30	#include <sys/param.h>
	31	#endif
d25bbe26 AJ	32	#if HAVE_SYS_IOCCOM_H
	33	#include <sys/ioccom.h>
	34	#endif
c8be6d7b	35	#if HAVE_SYS_IOCTL_H
	36	#include <sys/ioctl.h>
	37	#endif
d25bbe26 AJ	38	#if HAVE_NETINET_IP6_H
	39	#include <netinet/ip6.h>
	40	#endif
e9e7c285	41	#if HAVE_NETINET_TCP_H
c8be6d7b	42	#include <netinet/tcp.h>
e9e7c285	43	#endif
e9e7c285	44	#if HAVE_NET_IF_H
c8be6d7b	45	#include <net/if.h>
e9e7c285	46	#endif
b0dfd10b	47	#if HAVE_IPL_H
dbc5782a	48	#include <ipl.h>
	49	#elif HAVE_NETINET_IPL_H
	50	#include <netinet/ipl.h>
	51	#endif
d25bbe26 AJ	52	#if USE_SOLARIS_IPFILTER_MINOR_T_HACK
	53	#undef minor_t
	54	#endif
c8be6d7b	55	#if HAVE_IP_FIL_COMPAT_H
	56	#include <ip_fil_compat.h>
	57	#elif HAVE_NETINET_IP_FIL_COMPAT_H
	58	#include <netinet/ip_fil_compat.h>
	59	#elif HAVE_IP_COMPAT_H
	60	#include <ip_compat.h>
	61	#elif HAVE_NETINET_IP_COMPAT_H
	62	#include <netinet/ip_compat.h>
	63	#endif
	64	#if HAVE_IP_FIL_H
	65	#include <ip_fil.h>
	66	#elif HAVE_NETINET_IP_FIL_H
	67	#include <netinet/ip_fil.h>
	68	#endif
	69	#if HAVE_IP_NAT_H
	70	#include <ip_nat.h>
	71	#elif HAVE_NETINET_IP_NAT_H
	72	#include <netinet/ip_nat.h>
	73	#endif
34ec5c62 AJ	74
34ec5c62 AJ	75	#endif /* IPF_TRANSPARENT required headers */
c8be6d7b	76
c8be6d7b	77	#if PF_TRANSPARENT
c8be6d7b	78	#include <sys/socket.h>
	79	#include <sys/ioctl.h>
	80	#include <sys/fcntl.h>
	81	#include <net/if.h>
	82	#include <netinet/in.h>
b0dfd10b	83	#if HAVE_NET_PF_PFVAR_H
ec9909b0 AJ	84	#include <net/pf/pfvar.h>
ec9909b0 AJ	85	#endif /* HAVE_NET_PF_PFVAR_H */
b0dfd10b	86	#if HAVE_NET_PFVAR_H
c8be6d7b	87	#include <net/pfvar.h>
ec9909b0	88	#endif /* HAVE_NET_PFVAR_H */
34ec5c62	89	#endif /* PF_TRANSPARENT required headers */
5afac208 AJ	90
5afac208 AJ	91	#if LINUX_NETFILTER
074d6a40 AJ	92	/* <climits> must be before including netfilter_ipv4.h */
074d6a40 AJ	93	#include <climits>
ee80a919	94	#include <linux/if.h>
c8be6d7b	95	#include <linux/netfilter_ipv4.h>
ee80a919 AR	96	#if HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
	97	/* 2013-07-01: Pablo the Netfilter maintainer is rejecting patches
	98	* which will enable C++ compilers to build the Netfilter public headers.
	99	* We can auto-detect its presence and attempt to use in case he ever
	100	* changes his mind or things get cleaned up some other way.
	101	* But until then are usually forced to hard-code the getsockopt() code
	102	* for IPv6 NAT lookups.
	103	*/
	104	#include <linux/netfilter_ipv6/ip6_tables.h>
	105	#endif
	106	#if !defined(IP6T_SO_ORIGINAL_DST)
f53969cc	107	#define IP6T_SO_ORIGINAL_DST 80 // stolen with prejudice from the above file.
ee80a919	108	#endif
5afac208	109	#endif /* LINUX_NETFILTER required headers */
c8be6d7b	110
0fc2952e	111	// single global instance for access by other components.
b7ac5457	112	Ip::Intercept Ip::Interceptor;
0fc2952e	113
04f87469	114	void
b7ac5457	115	Ip::Intercept::StopTransparency(const char *str)
26ac0430	116	{
40d34a62	117	if (transparentActive_) {
788625af	118	debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
40d34a62	119	transparentActive_ = 0;
788625af	120	}
04f87469 AJ	121	}
04f87469 AJ	122
40d34a62	123	bool
7c35cc90	124	Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn)
7b0a0d1f AJ	125	{
7b0a0d1f AJ	126	#if LINUX_NETFILTER
ee80a919 AR	127	struct sockaddr_storage lookup;
	128	socklen_t len = newConn->local.isIPv6() ? sizeof(sockaddr_in6) : sizeof(sockaddr_in);
	129	newConn->local.getSockAddr(lookup, AF_UNSPEC);
7b0a0d1f AJ	130
	131	/** \par
	132	* Try NAT lookup for REDIRECT or DNAT targets. */
ee80a919	133	if ( getsockopt(newConn->fd,
fa0b1a25 A	134	newConn->local.isIPv6() ? IPPROTO_IPV6 : IPPROTO_IP,
	135	newConn->local.isIPv6() ? IP6T_SO_ORIGINAL_DST : SO_ORIGINAL_DST,
	136	&lookup,
	137	&len) != 0) {
7c35cc90 AJ	138	const auto xerrno = errno;
7c35cc90 AJ	139	debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerr(xerrno));
40d34a62	140	return false;
26ac0430	141	} else {
40d34a62	142	newConn->local = lookup;
ee80a919	143	debugs(89, 5, "address NAT: " << newConn);
40d34a62	144	return true;
7b0a0d1f	145	}
8b082ed9 FC	146	#else
8b082ed9 FC	147	(void)newConn;
7b0a0d1f	148	#endif
40d34a62	149	return false;
7b0a0d1f AJ	150	}
7b0a0d1f AJ	151
96f97829 EB	152	void
96f97829 EB	153	Ip::Intercept::StartTransparency()
7b0a0d1f	154	{
96f97829 EB	155	// --enable-linux-netfilter
	156	// --enable-pf-transparent
	157	// --enable-ipfw-transparent
b2192042 AJ	158	#if (LINUX_NETFILTER && defined(IP_TRANSPARENT)) \|\| \
	159	(PF_TRANSPARENT && defined(SO_BINDANY)) \|\| \
	160	(IPFW_TRANSPARENT && defined(IP_BINDANY))
96f97829 EB	161	transparentActive_ = 1;
	162	#else
	163	throw TextException("requires TPROXY feature to be enabled by ./configure", Here());
	164	#endif
	165	}
b2192042	166
96f97829 EB	167	void
	168	Ip::Intercept::StartInterception()
	169	{
	170	// --enable-linux-netfilter
	171	// --enable-ipfw-transparent
	172	// --enable-ipf-transparent
	173	// --enable-pf-transparent
	174	#if IPF_TRANSPARENT \|\| LINUX_NETFILTER \|\| IPFW_TRANSPARENT \|\| PF_TRANSPARENT
	175	interceptActive_ = 1;
40d34a62	176	#else
96f97829	177	throw TextException("requires NAT Interception feature to be enabled by ./configure", Here());
acaa7194	178	#endif
7b0a0d1f AJ	179	}
7b0a0d1f AJ	180
40d34a62	181	bool
7c35cc90	182	Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn)
d8b5bcbc AJ	183	{
d8b5bcbc AJ	184	#if IPFW_TRANSPARENT
399990a7	185	return UseInterceptionAddressesLookedUpEarlier(__FUNCTION__, newConn);
b2192042	186	#else
8b082ed9	187	(void)newConn;
40d34a62	188	return false;
b2192042	189	#endif
d8b5bcbc	190	}
0fc2952e	191
399990a7 AR	192	/// Assume that getsockname() has been called already and provided the necessary
	193	/// TCP packet details. There is no way to identify whether they came from NAT.
	194	/// Trust the user configured properly.
	195	bool
	196	Ip::Intercept::UseInterceptionAddressesLookedUpEarlier(const char * const caller, const Comm::ConnectionPointer &newConn)
	197	{
	198	// paranoid: ./configure should prohibit these combinations
	199	#if LINUX_NETFILTER && PF_TRANSPARENT && !USE_NAT_DEVPF
	200	static_assert(!"--enable-linux-netfilter is incompatible with --enable-pf-transparent --without-nat-devpf");
	201	#endif
	202	#if LINUX_NETFILTER && IPFW_TRANSPARENT
	203	static_assert(!"--enable-linux-netfilter is incompatible with --enable-ipfw-transparent");
	204	#endif
	205	// --enable-linux-netfilter is compatible with --enable-ipf-transparent
	206
	207	debugs(89, 5, caller << " uses " << newConn);
	208	return true;
	209	}
	210
40d34a62	211	bool
7c35cc90	212	Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn)
3f38a55e	213	{
f1e0717c	214	#if IPF_TRANSPARENT /* --enable-ipf-transparent */
62e76326	215
c8be6d7b	216	struct natlookup natLookup;
c8be6d7b	217	static int natfd = -1;
c8be6d7b	218	int x;
3f38a55e	219
c74be4ce	220	// all fields must be set to 0
dcfb239f	221	memset(&natLookup, 0, sizeof(natLookup));
c74be4ce	222	// for NAT lookup set local and remote IP:port's
b2fb6c8a	223	if (newConn->remote.isIPv6()) {
8433f128	224	#if HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6
b2fb6c8a	225	natLookup.nl_v = 6;
04e81e71 AJ	226	newConn->local.getInAddr(natLookup.nl_inipaddr.in6);
04e81e71 AJ	227	newConn->remote.getInAddr(natLookup.nl_outipaddr.in6);
8ea96604 SM	228	}
8ea96604 SM	229	else {
b2fb6c8a	230	natLookup.nl_v = 4;
04e81e71 AJ	231	newConn->local.getInAddr(natLookup.nl_inipaddr.in4);
04e81e71 AJ	232	newConn->remote.getInAddr(natLookup.nl_outipaddr.in4);
b2fb6c8a	233	}
8b082ed9	234	#else /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */
4eaf432d AJ	235	// warn once every 10 at critical level, then push down a level each repeated event
	236	static int warningLevel = DBG_CRITICAL;
	237	debugs(89, warningLevel, "Your IPF (IPFilter) NAT does not support IPv6. Please upgrade it.");
	238	warningLevel = (warningLevel + 1) % 10;
	239	return false;
	240	}
	241	newConn->local.getInAddr(natLookup.nl_inip);
	242	newConn->remote.getInAddr(natLookup.nl_outip);
8b082ed9	243	#endif /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */
4dd643d5	244	natLookup.nl_inport = htons(newConn->local.port());
4dd643d5	245	natLookup.nl_outport = htons(newConn->remote.port());
c74be4ce	246	// ... and the TCP flag
c8be6d7b	247	natLookup.nl_flags = IPN_TCP;
62e76326	248
26ac0430	249	if (natfd < 0) {
62e76326	250	int save_errno;
62e76326	251	enter_suid();
dbc5782a	252	#ifdef IPNAT_NAME
dbc5782a	253	natfd = open(IPNAT_NAME, O_RDONLY, 0);
98a3bc99	254	#else
62e76326	255	natfd = open(IPL_NAT, O_RDONLY, 0);
98a3bc99	256	#endif
62e76326	257	save_errno = errno;
	258	leave_suid();
	259	errno = save_errno;
c8be6d7b	260	}
62e76326	261
26ac0430	262	if (natfd < 0) {
7c35cc90 AJ	263	const auto xerrno = errno;
	264	debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT open failed: " << xstrerr(xerrno));
	265	return false;
c8be6d7b	266	}
62e76326	267
dbc5782a	268	#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
c74be4ce AJ	269	struct ipfobj obj;
	270	memset(&obj, 0, sizeof(obj));
	271	obj.ipfo_rev = IPFILTER_VERSION;
	272	obj.ipfo_size = sizeof(natLookup);
	273	obj.ipfo_ptr = &natLookup;
	274	obj.ipfo_type = IPFOBJ_NATLOOKUP;
	275
dbc5782a	276	x = ioctl(natfd, SIOCGNATL, &obj);
dbc5782a	277	#else
3f38a55e	278	/*
dbc5782a	279	* IP-Filter changed the type for SIOCGNATL between
	280	* 3.3 and 3.4. It also changed the cmd value for
	281	* SIOCGNATL, so at least we can detect it. We could
	282	* put something in configure and use ifdefs here, but
	283	* this seems simpler.
	284	*/
c74be4ce	285	static int siocgnatl_cmd = SIOCGNATL & 0xff;
26ac0430	286	if (63 == siocgnatl_cmd) {
62e76326	287	struct natlookup *nlp = &natLookup;
62e76326	288	x = ioctl(natfd, SIOCGNATL, &nlp);
26ac0430	289	} else {
62e76326	290	x = ioctl(natfd, SIOCGNATL, &natLookup);
	291	}
	292
8b082ed9	293	#endif /* defined(IPFILTER_VERSION) ... */
26ac0430	294	if (x < 0) {
7c35cc90	295	const auto xerrno = errno;
b69e9ffa	296	if (xerrno != ESRCH) {
7c35cc90	297	debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerr(xerrno));
62e76326	298	close(natfd);
	299	natfd = -1;
	300	}
	301
bf95c10a	302	debugs(89, 9, "address: " << newConn);
40d34a62	303	return false;
26ac0430	304	} else {
8433f128	305	#if HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6
04e81e71 AJ	306	if (newConn->remote.isIPv6())
	307	newConn->local = natLookup.nl_realipaddr.in6;
	308	else
	309	newConn->local = natLookup.nl_realipaddr.in4;
4eaf432d AJ	310	#else
4eaf432d AJ	311	newConn->local = natLookup.nl_realip;
04e81e71	312	#endif
4dd643d5	313	newConn->local.port(ntohs(natLookup.nl_realport));
bf95c10a	314	debugs(89, 5, "address NAT: " << newConn);
40d34a62	315	return true;
c8be6d7b	316	}
62e76326	317
8b082ed9 FC	318	#else
8b082ed9 FC	319	(void)newConn;
219f8edb	320	#endif /* --enable-ipf-transparent */
40d34a62	321	return false;
219f8edb	322	}
f1e0717c	323
1125ea7b	324	bool
7c35cc90	325	Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn)
1125ea7b	326	{
b2192042 AJ	327	#if PF_TRANSPARENT /* --enable-pf-transparent */
	328
	329	#if !USE_NAT_DEVPF
399990a7	330	return UseInterceptionAddressesLookedUpEarlier("recent PF version", newConn);
1125ea7b	331
b2192042	332	#else /* USE_NAT_DEVPF / --with-nat-devpf */
62e76326	333
3f38a55e	334	struct pfioc_natlook nl;
3f38a55e	335	static int pffd = -1;
62e76326	336
62e76326	337	if (pffd < 0)
d14c6ef2	338	pffd = open("/dev/pf", O_RDONLY);
62e76326	339
26ac0430	340	if (pffd < 0) {
7c35cc90 AJ	341	const auto xerrno = errno;
7c35cc90 AJ	342	debugs(89, DBG_IMPORTANT, "ERROR: PF open failed: " << xstrerr(xerrno));
40d34a62	343	return false;
c8be6d7b	344	}
62e76326	345
c8be6d7b	346	memset(&nl, 0, sizeof(struct pfioc_natlook));
cc192b50	347
5a33064f EG	348	if (newConn->remote.isIPv6()) {
	349	newConn->remote.getInAddr(nl.saddr.v6);
	350	newConn->local.getInAddr(nl.daddr.v6);
	351	nl.af = AF_INET6;
	352	} else {
	353	newConn->remote.getInAddr(nl.saddr.v4);
	354	newConn->local.getInAddr(nl.daddr.v4);
	355	nl.af = AF_INET;
	356	}
	357
	358	nl.sport = htons(newConn->remote.port());
4dd643d5	359	nl.dport = htons(newConn->local.port());
cc192b50	360
c8be6d7b	361	nl.proto = IPPROTO_TCP;
c8be6d7b	362	nl.direction = PF_OUT;
62e76326	363
26ac0430	364	if (ioctl(pffd, DIOCNATLOOK, &nl)) {
7c35cc90	365	const auto xerrno = errno;
b69e9ffa	366	if (xerrno != ENOENT) {
7c35cc90	367	debugs(89, DBG_IMPORTANT, "ERROR: PF lookup failed: ioctl(DIOCNATLOOK): " << xstrerr(xerrno));
62e76326	368	close(pffd);
	369	pffd = -1;
	370	}
bf95c10a	371	debugs(89, 9, "address: " << newConn);
40d34a62	372	return false;
26ac0430	373	} else {
5a33064f EG	374	if (newConn->remote.isIPv6())
	375	newConn->local = nl.rdaddr.v6;
	376	else
	377	newConn->local = nl.rdaddr.v4;
4dd643d5	378	newConn->local.port(ntohs(nl.rdport));
bf95c10a	379	debugs(89, 5, "address NAT: " << newConn);
40d34a62	380	return true;
3f38a55e	381	}
b2192042	382	#endif /* --with-nat-devpf */
8b082ed9 FC	383	#else
8b082ed9 FC	384	(void)newConn;
51f4d36b	385	#endif /* --enable-pf-transparent */
40d34a62	386	return false;
51f4d36b AJ	387	}
51f4d36b AJ	388
40d34a62	389	bool
96f97829	390	Ip::Intercept::LookupNat(const Comm::Connection &aConn)
51f4d36b	391	{
96f97829 EB	392	debugs(89, 5, "address BEGIN: me/client= " << aConn.local << ", destination/me= " << aConn.remote);
96f97829 EB	393	assert(interceptActive_);
9bad3e09	394
96f97829 EB	395	Comm::ConnectionPointer newConn = &aConn;
	396	return NetfilterInterception(newConn) \|\| IpfwInterception(newConn) \|\| // use sock-opts to return client address
	397	PfInterception(newConn) \|\| IpfInterception(newConn); // use ioctl to return client address AND destination address
f1e0717c	398	}
34ec5c62	399
263f84f0	400	bool
b7ac5457	401	Ip::Intercept::ProbeForTproxy(Ip::Address &test)
263f84f0	402	{
b2192042 AJ	403	bool doneSuid = false;
	404
	405	#if _SQUID_LINUX_ && defined(IP_TRANSPARENT) // Linux
	406	# define soLevel SOL_IP
	407	# define soFlag IP_TRANSPARENT
	408
	409	#elif defined(SO_BINDANY) // OpenBSD 4.7+ and NetBSD with PF
	410	# define soLevel SOL_SOCKET
	411	# define soFlag SO_BINDANY
	412	enter_suid();
	413	doneSuid = true;
	414
	415	#elif defined(IP_BINDANY) // FreeBSD with IPFW
	416	# define soLevel IPPROTO_IP
	417	# define soFlag IP_BINDANY
	418	enter_suid();
	419	doneSuid = true;
	420
	421	#endif
	422
	423	#if defined(soLevel) && defined(soFlag)
	424
1125ea7b	425	debugs(3, 3, "Detect TPROXY support on port " << test);
263f84f0	426
97bbba61 AR	427	if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) {
	428	debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled");
	429	if (doneSuid)
	430	leave_suid();
	431	return false;
	432	}
	433
263f84f0 AJ	434	int tos = 1;
	435	int tmp_sock = -1;
	436
263f84f0	437	/* Probe to see if the Kernel TPROXY support is IPv6-enabled */
4dd643d5	438	if (test.isIPv6()) {
263f84f0 AJ	439	debugs(3, 3, "...Probing for IPv6 TPROXY support.");
	440
	441	struct sockaddr_in6 tmp_ip6;
b7ac5457	442	Ip::Address tmp = "::2";
4dd643d5 AJ	443	tmp.port(0);
4dd643d5 AJ	444	tmp.getSockAddr(tmp_ip6);
263f84f0 AJ	445
263f84f0 AJ	446	if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
b2192042	447	setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
f54f527e	448	bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {
263f84f0 AJ	449
263f84f0 AJ	450	debugs(3, 3, "IPv6 TPROXY support detected. Using.");
fb5bffa3	451	close(tmp_sock);
b2192042 AJ	452	if (doneSuid)
b2192042 AJ	453	leave_suid();
263f84f0 AJ	454	return true;
	455	}
	456	if (tmp_sock >= 0) {
fb5bffa3	457	close(tmp_sock);
263f84f0 AJ	458	tmp_sock = -1;
	459	}
	460	}
	461
4dd643d5	462	if ( test.isIPv6() && !test.setIPv4() ) {
263f84f0	463	debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
b2192042 AJ	464	if (doneSuid)
b2192042 AJ	465	leave_suid();
263f84f0 AJ	466	return false;
263f84f0 AJ	467	}
263f84f0 AJ	468
263f84f0 AJ	469	/* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
4dd643d5	470	if (test.isIPv4()) {
263f84f0 AJ	471	debugs(3, 3, "...Probing for IPv4 TPROXY support.");
	472
	473	struct sockaddr_in tmp_ip4;
b7ac5457	474	Ip::Address tmp = "127.0.0.2";
4dd643d5 AJ	475	tmp.port(0);
4dd643d5 AJ	476	tmp.getSockAddr(tmp_ip4);
263f84f0 AJ	477
263f84f0 AJ	478	if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
b2192042	479	setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
f54f527e	480	bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {
263f84f0 AJ	481
263f84f0 AJ	482	debugs(3, 3, "IPv4 TPROXY support detected. Using.");
fb5bffa3	483	close(tmp_sock);
b2192042 AJ	484	if (doneSuid)
b2192042 AJ	485	leave_suid();
263f84f0 AJ	486	return true;
	487	}
	488	if (tmp_sock >= 0) {
fb5bffa3	489	close(tmp_sock);
263f84f0 AJ	490	}
	491	}
	492
1125ea7b	493	#else
c46e7feb	494	debugs(3, 3, "TPROXY setsockopt() not supported on this platform. Disabling TPROXY on port " << test);
1125ea7b	495
263f84f0	496	#endif
b2192042 AJ	497	if (doneSuid)
b2192042 AJ	498	leave_suid();
263f84f0 AJ	499	return false;
263f84f0 AJ	500	}
f53969cc	501