]> git.ipfire.org Git - thirdparty/squid.git/blame - src/ip/Intercept.cc
Simplify appending SBuf to String (#2108)
[thirdparty/squid.git] / src / ip / Intercept.cc
CommitLineData
c8be6d7b 1/*
1f7b830e 2 * Copyright (C) 1996-2025 The Squid Software Foundation and contributors
c8be6d7b 3 *
bbc27441
AJ
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
c8be6d7b 7 */
bbc27441
AJ
8
9/* DEBUG: section 89 NAT / IP Interception */
10
d25bbe26
AJ
11// Enable hack to workaround Solaris 10 IPFilter breakage
12#define BUILDING_SQUID_IP_INTERCEPT_CC 1
13
f7f3304a 14#include "squid.h"
40d34a62 15#include "comm/Connection.h"
b3166404 16#include "fde.h"
602d9612 17#include "ip/Intercept.h"
97bbba61 18#include "ip/tools.h"
5c1be108 19#include "src/tools.h"
fc27cd70 20
1a30fdf5
AJ
21#include <cerrno>
22
c8be6d7b 23#if IPF_TRANSPARENT
34ec5c62 24
d25bbe26
AJ
25#if !defined(IPFILTER_VERSION)
26#define IPFILTER_VERSION 5000004
27#endif
28
4e3e244d
TK
29#if HAVE_SYS_PARAM_H
30#include <sys/param.h>
31#endif
d25bbe26
AJ
32#if HAVE_SYS_IOCCOM_H
33#include <sys/ioccom.h>
34#endif
c8be6d7b 35#if HAVE_SYS_IOCTL_H
36#include <sys/ioctl.h>
37#endif
d25bbe26
AJ
38#if HAVE_NETINET_IP6_H
39#include <netinet/ip6.h>
40#endif
e9e7c285 41#if HAVE_NETINET_TCP_H
c8be6d7b 42#include <netinet/tcp.h>
e9e7c285 43#endif
44#if HAVE_NET_IF_H
c8be6d7b 45#include <net/if.h>
e9e7c285 46#endif
b0dfd10b 47#if HAVE_IPL_H
dbc5782a 48#include <ipl.h>
49#elif HAVE_NETINET_IPL_H
50#include <netinet/ipl.h>
51#endif
d25bbe26
AJ
52#if USE_SOLARIS_IPFILTER_MINOR_T_HACK
53#undef minor_t
54#endif
c8be6d7b 55#if HAVE_IP_FIL_COMPAT_H
56#include <ip_fil_compat.h>
57#elif HAVE_NETINET_IP_FIL_COMPAT_H
58#include <netinet/ip_fil_compat.h>
59#elif HAVE_IP_COMPAT_H
60#include <ip_compat.h>
61#elif HAVE_NETINET_IP_COMPAT_H
62#include <netinet/ip_compat.h>
63#endif
64#if HAVE_IP_FIL_H
65#include <ip_fil.h>
66#elif HAVE_NETINET_IP_FIL_H
67#include <netinet/ip_fil.h>
68#endif
69#if HAVE_IP_NAT_H
70#include <ip_nat.h>
71#elif HAVE_NETINET_IP_NAT_H
72#include <netinet/ip_nat.h>
73#endif
34ec5c62
AJ
74
75#endif /* IPF_TRANSPARENT required headers */
c8be6d7b 76
77#if PF_TRANSPARENT
c8be6d7b 78#include <sys/socket.h>
79#include <sys/ioctl.h>
80#include <sys/fcntl.h>
81#include <net/if.h>
82#include <netinet/in.h>
b0dfd10b 83#if HAVE_NET_PF_PFVAR_H
ec9909b0
AJ
84#include <net/pf/pfvar.h>
85#endif /* HAVE_NET_PF_PFVAR_H */
b0dfd10b 86#if HAVE_NET_PFVAR_H
c8be6d7b 87#include <net/pfvar.h>
ec9909b0 88#endif /* HAVE_NET_PFVAR_H */
34ec5c62 89#endif /* PF_TRANSPARENT required headers */
5afac208
AJ
90
91#if LINUX_NETFILTER
074d6a40
AJ
92/* <climits> must be before including netfilter_ipv4.h */
93#include <climits>
ee80a919 94#include <linux/if.h>
c8be6d7b 95#include <linux/netfilter_ipv4.h>
ee80a919
AR
96#if HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
97/* 2013-07-01: Pablo the Netfilter maintainer is rejecting patches
98 * which will enable C++ compilers to build the Netfilter public headers.
99 * We can auto-detect its presence and attempt to use in case he ever
100 * changes his mind or things get cleaned up some other way.
101 * But until then are usually forced to hard-code the getsockopt() code
102 * for IPv6 NAT lookups.
103 */
104#include <linux/netfilter_ipv6/ip6_tables.h>
105#endif
106#if !defined(IP6T_SO_ORIGINAL_DST)
f53969cc 107#define IP6T_SO_ORIGINAL_DST 80 // stolen with prejudice from the above file.
ee80a919 108#endif
5afac208 109#endif /* LINUX_NETFILTER required headers */
c8be6d7b 110
0fc2952e 111// single global instance for access by other components.
b7ac5457 112Ip::Intercept Ip::Interceptor;
0fc2952e 113
04f87469 114void
b7ac5457 115Ip::Intercept::StopTransparency(const char *str)
26ac0430 116{
40d34a62 117 if (transparentActive_) {
788625af 118 debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
40d34a62 119 transparentActive_ = 0;
788625af 120 }
04f87469
AJ
121}
122
40d34a62 123bool
7c35cc90 124Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn)
7b0a0d1f
AJ
125{
126#if LINUX_NETFILTER
ee80a919
AR
127 struct sockaddr_storage lookup;
128 socklen_t len = newConn->local.isIPv6() ? sizeof(sockaddr_in6) : sizeof(sockaddr_in);
129 newConn->local.getSockAddr(lookup, AF_UNSPEC);
7b0a0d1f
AJ
130
131 /** \par
132 * Try NAT lookup for REDIRECT or DNAT targets. */
ee80a919 133 if ( getsockopt(newConn->fd,
fa0b1a25
A
134 newConn->local.isIPv6() ? IPPROTO_IPV6 : IPPROTO_IP,
135 newConn->local.isIPv6() ? IP6T_SO_ORIGINAL_DST : SO_ORIGINAL_DST,
136 &lookup,
137 &len) != 0) {
7c35cc90
AJ
138 const auto xerrno = errno;
139 debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerr(xerrno));
40d34a62 140 return false;
26ac0430 141 } else {
40d34a62 142 newConn->local = lookup;
ee80a919 143 debugs(89, 5, "address NAT: " << newConn);
40d34a62 144 return true;
7b0a0d1f 145 }
8b082ed9
FC
146#else
147 (void)newConn;
7b0a0d1f 148#endif
40d34a62 149 return false;
7b0a0d1f
AJ
150}
151
96f97829
EB
152void
153Ip::Intercept::StartTransparency()
7b0a0d1f 154{
96f97829
EB
155 // --enable-linux-netfilter
156 // --enable-pf-transparent
157 // --enable-ipfw-transparent
b2192042
AJ
158#if (LINUX_NETFILTER && defined(IP_TRANSPARENT)) || \
159 (PF_TRANSPARENT && defined(SO_BINDANY)) || \
160 (IPFW_TRANSPARENT && defined(IP_BINDANY))
96f97829
EB
161 transparentActive_ = 1;
162#else
163 throw TextException("requires TPROXY feature to be enabled by ./configure", Here());
164#endif
165}
b2192042 166
96f97829
EB
167void
168Ip::Intercept::StartInterception()
169{
170 // --enable-linux-netfilter
171 // --enable-ipfw-transparent
172 // --enable-ipf-transparent
173 // --enable-pf-transparent
174#if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT
175 interceptActive_ = 1;
40d34a62 176#else
96f97829 177 throw TextException("requires NAT Interception feature to be enabled by ./configure", Here());
acaa7194 178#endif
7b0a0d1f
AJ
179}
180
40d34a62 181bool
7c35cc90 182Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn)
d8b5bcbc
AJ
183{
184#if IPFW_TRANSPARENT
399990a7 185 return UseInterceptionAddressesLookedUpEarlier(__FUNCTION__, newConn);
b2192042 186#else
8b082ed9 187 (void)newConn;
40d34a62 188 return false;
b2192042 189#endif
d8b5bcbc 190}
0fc2952e 191
399990a7
AR
192/// Assume that getsockname() has been called already and provided the necessary
193/// TCP packet details. There is no way to identify whether they came from NAT.
194/// Trust the user configured properly.
195bool
196Ip::Intercept::UseInterceptionAddressesLookedUpEarlier(const char * const caller, const Comm::ConnectionPointer &newConn)
197{
198 // paranoid: ./configure should prohibit these combinations
199#if LINUX_NETFILTER && PF_TRANSPARENT && !USE_NAT_DEVPF
200 static_assert(!"--enable-linux-netfilter is incompatible with --enable-pf-transparent --without-nat-devpf");
201#endif
202#if LINUX_NETFILTER && IPFW_TRANSPARENT
203 static_assert(!"--enable-linux-netfilter is incompatible with --enable-ipfw-transparent");
204#endif
205 // --enable-linux-netfilter is compatible with --enable-ipf-transparent
206
207 debugs(89, 5, caller << " uses " << newConn);
208 return true;
209}
210
40d34a62 211bool
7c35cc90 212Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn)
3f38a55e 213{
f1e0717c 214#if IPF_TRANSPARENT /* --enable-ipf-transparent */
62e76326 215
c8be6d7b 216 struct natlookup natLookup;
217 static int natfd = -1;
c8be6d7b 218 int x;
3f38a55e 219
c74be4ce 220 // all fields must be set to 0
dcfb239f 221 memset(&natLookup, 0, sizeof(natLookup));
c74be4ce 222 // for NAT lookup set local and remote IP:port's
b2fb6c8a 223 if (newConn->remote.isIPv6()) {
8433f128 224#if HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6
b2fb6c8a 225 natLookup.nl_v = 6;
04e81e71
AJ
226 newConn->local.getInAddr(natLookup.nl_inipaddr.in6);
227 newConn->remote.getInAddr(natLookup.nl_outipaddr.in6);
8ea96604
SM
228 }
229 else {
b2fb6c8a 230 natLookup.nl_v = 4;
04e81e71
AJ
231 newConn->local.getInAddr(natLookup.nl_inipaddr.in4);
232 newConn->remote.getInAddr(natLookup.nl_outipaddr.in4);
b2fb6c8a 233 }
8b082ed9 234#else /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */
4eaf432d
AJ
235 // warn once every 10 at critical level, then push down a level each repeated event
236 static int warningLevel = DBG_CRITICAL;
237 debugs(89, warningLevel, "Your IPF (IPFilter) NAT does not support IPv6. Please upgrade it.");
238 warningLevel = (warningLevel + 1) % 10;
239 return false;
240 }
241 newConn->local.getInAddr(natLookup.nl_inip);
242 newConn->remote.getInAddr(natLookup.nl_outip);
8b082ed9 243#endif /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */
4dd643d5 244 natLookup.nl_inport = htons(newConn->local.port());
4dd643d5 245 natLookup.nl_outport = htons(newConn->remote.port());
c74be4ce 246 // ... and the TCP flag
c8be6d7b 247 natLookup.nl_flags = IPN_TCP;
62e76326 248
26ac0430 249 if (natfd < 0) {
62e76326 250 int save_errno;
251 enter_suid();
dbc5782a 252#ifdef IPNAT_NAME
dbc5782a 253 natfd = open(IPNAT_NAME, O_RDONLY, 0);
98a3bc99 254#else
62e76326 255 natfd = open(IPL_NAT, O_RDONLY, 0);
98a3bc99 256#endif
62e76326 257 save_errno = errno;
258 leave_suid();
259 errno = save_errno;
c8be6d7b 260 }
62e76326 261
26ac0430 262 if (natfd < 0) {
7c35cc90
AJ
263 const auto xerrno = errno;
264 debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT open failed: " << xstrerr(xerrno));
265 return false;
c8be6d7b 266 }
62e76326 267
dbc5782a 268#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
c74be4ce
AJ
269 struct ipfobj obj;
270 memset(&obj, 0, sizeof(obj));
271 obj.ipfo_rev = IPFILTER_VERSION;
272 obj.ipfo_size = sizeof(natLookup);
273 obj.ipfo_ptr = &natLookup;
274 obj.ipfo_type = IPFOBJ_NATLOOKUP;
275
dbc5782a 276 x = ioctl(natfd, SIOCGNATL, &obj);
dbc5782a 277#else
3f38a55e 278 /*
dbc5782a 279 * IP-Filter changed the type for SIOCGNATL between
280 * 3.3 and 3.4. It also changed the cmd value for
281 * SIOCGNATL, so at least we can detect it. We could
282 * put something in configure and use ifdefs here, but
283 * this seems simpler.
284 */
c74be4ce 285 static int siocgnatl_cmd = SIOCGNATL & 0xff;
26ac0430 286 if (63 == siocgnatl_cmd) {
62e76326 287 struct natlookup *nlp = &natLookup;
288 x = ioctl(natfd, SIOCGNATL, &nlp);
26ac0430 289 } else {
62e76326 290 x = ioctl(natfd, SIOCGNATL, &natLookup);
291 }
292
8b082ed9 293#endif /* defined(IPFILTER_VERSION) ... */
26ac0430 294 if (x < 0) {
7c35cc90 295 const auto xerrno = errno;
b69e9ffa 296 if (xerrno != ESRCH) {
7c35cc90 297 debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerr(xerrno));
62e76326 298 close(natfd);
299 natfd = -1;
300 }
301
bf95c10a 302 debugs(89, 9, "address: " << newConn);
40d34a62 303 return false;
26ac0430 304 } else {
8433f128 305#if HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6
04e81e71
AJ
306 if (newConn->remote.isIPv6())
307 newConn->local = natLookup.nl_realipaddr.in6;
308 else
309 newConn->local = natLookup.nl_realipaddr.in4;
4eaf432d
AJ
310#else
311 newConn->local = natLookup.nl_realip;
04e81e71 312#endif
4dd643d5 313 newConn->local.port(ntohs(natLookup.nl_realport));
bf95c10a 314 debugs(89, 5, "address NAT: " << newConn);
40d34a62 315 return true;
c8be6d7b 316 }
62e76326 317
8b082ed9
FC
318#else
319 (void)newConn;
219f8edb 320#endif /* --enable-ipf-transparent */
40d34a62 321 return false;
219f8edb 322}
f1e0717c 323
1125ea7b 324bool
7c35cc90 325Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn)
1125ea7b 326{
b2192042
AJ
327#if PF_TRANSPARENT /* --enable-pf-transparent */
328
329#if !USE_NAT_DEVPF
399990a7 330 return UseInterceptionAddressesLookedUpEarlier("recent PF version", newConn);
1125ea7b 331
b2192042 332#else /* USE_NAT_DEVPF / --with-nat-devpf */
62e76326 333
3f38a55e 334 struct pfioc_natlook nl;
335 static int pffd = -1;
62e76326 336
337 if (pffd < 0)
d14c6ef2 338 pffd = open("/dev/pf", O_RDONLY);
62e76326 339
26ac0430 340 if (pffd < 0) {
7c35cc90
AJ
341 const auto xerrno = errno;
342 debugs(89, DBG_IMPORTANT, "ERROR: PF open failed: " << xstrerr(xerrno));
40d34a62 343 return false;
c8be6d7b 344 }
62e76326 345
c8be6d7b 346 memset(&nl, 0, sizeof(struct pfioc_natlook));
cc192b50 347
5a33064f
EG
348 if (newConn->remote.isIPv6()) {
349 newConn->remote.getInAddr(nl.saddr.v6);
350 newConn->local.getInAddr(nl.daddr.v6);
351 nl.af = AF_INET6;
352 } else {
353 newConn->remote.getInAddr(nl.saddr.v4);
354 newConn->local.getInAddr(nl.daddr.v4);
355 nl.af = AF_INET;
356 }
357
358 nl.sport = htons(newConn->remote.port());
4dd643d5 359 nl.dport = htons(newConn->local.port());
cc192b50 360
c8be6d7b 361 nl.proto = IPPROTO_TCP;
362 nl.direction = PF_OUT;
62e76326 363
26ac0430 364 if (ioctl(pffd, DIOCNATLOOK, &nl)) {
7c35cc90 365 const auto xerrno = errno;
b69e9ffa 366 if (xerrno != ENOENT) {
7c35cc90 367 debugs(89, DBG_IMPORTANT, "ERROR: PF lookup failed: ioctl(DIOCNATLOOK): " << xstrerr(xerrno));
62e76326 368 close(pffd);
369 pffd = -1;
370 }
bf95c10a 371 debugs(89, 9, "address: " << newConn);
40d34a62 372 return false;
26ac0430 373 } else {
5a33064f
EG
374 if (newConn->remote.isIPv6())
375 newConn->local = nl.rdaddr.v6;
376 else
377 newConn->local = nl.rdaddr.v4;
4dd643d5 378 newConn->local.port(ntohs(nl.rdport));
bf95c10a 379 debugs(89, 5, "address NAT: " << newConn);
40d34a62 380 return true;
3f38a55e 381 }
b2192042 382#endif /* --with-nat-devpf */
8b082ed9
FC
383#else
384 (void)newConn;
51f4d36b 385#endif /* --enable-pf-transparent */
40d34a62 386 return false;
51f4d36b
AJ
387}
388
40d34a62 389bool
96f97829 390Ip::Intercept::LookupNat(const Comm::Connection &aConn)
51f4d36b 391{
96f97829
EB
392 debugs(89, 5, "address BEGIN: me/client= " << aConn.local << ", destination/me= " << aConn.remote);
393 assert(interceptActive_);
9bad3e09 394
96f97829
EB
395 Comm::ConnectionPointer newConn = &aConn;
396 return NetfilterInterception(newConn) || IpfwInterception(newConn) || // use sock-opts to return client address
397 PfInterception(newConn) || IpfInterception(newConn); // use ioctl to return client address AND destination address
f1e0717c 398}
34ec5c62 399
263f84f0 400bool
b7ac5457 401Ip::Intercept::ProbeForTproxy(Ip::Address &test)
263f84f0 402{
b2192042
AJ
403 bool doneSuid = false;
404
405#if _SQUID_LINUX_ && defined(IP_TRANSPARENT) // Linux
406# define soLevel SOL_IP
407# define soFlag IP_TRANSPARENT
408
409#elif defined(SO_BINDANY) // OpenBSD 4.7+ and NetBSD with PF
410# define soLevel SOL_SOCKET
411# define soFlag SO_BINDANY
412 enter_suid();
413 doneSuid = true;
414
415#elif defined(IP_BINDANY) // FreeBSD with IPFW
416# define soLevel IPPROTO_IP
417# define soFlag IP_BINDANY
418 enter_suid();
419 doneSuid = true;
420
421#endif
422
423#if defined(soLevel) && defined(soFlag)
424
1125ea7b 425 debugs(3, 3, "Detect TPROXY support on port " << test);
263f84f0 426
97bbba61
AR
427 if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) {
428 debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled");
429 if (doneSuid)
430 leave_suid();
431 return false;
432 }
433
263f84f0
AJ
434 int tos = 1;
435 int tmp_sock = -1;
436
263f84f0 437 /* Probe to see if the Kernel TPROXY support is IPv6-enabled */
4dd643d5 438 if (test.isIPv6()) {
263f84f0
AJ
439 debugs(3, 3, "...Probing for IPv6 TPROXY support.");
440
441 struct sockaddr_in6 tmp_ip6;
b7ac5457 442 Ip::Address tmp = "::2";
4dd643d5
AJ
443 tmp.port(0);
444 tmp.getSockAddr(tmp_ip6);
263f84f0
AJ
445
446 if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
b2192042 447 setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
f54f527e 448 bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {
263f84f0
AJ
449
450 debugs(3, 3, "IPv6 TPROXY support detected. Using.");
fb5bffa3 451 close(tmp_sock);
b2192042
AJ
452 if (doneSuid)
453 leave_suid();
263f84f0
AJ
454 return true;
455 }
456 if (tmp_sock >= 0) {
fb5bffa3 457 close(tmp_sock);
263f84f0
AJ
458 tmp_sock = -1;
459 }
460 }
461
4dd643d5 462 if ( test.isIPv6() && !test.setIPv4() ) {
263f84f0 463 debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
b2192042
AJ
464 if (doneSuid)
465 leave_suid();
263f84f0
AJ
466 return false;
467 }
263f84f0
AJ
468
469 /* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
4dd643d5 470 if (test.isIPv4()) {
263f84f0
AJ
471 debugs(3, 3, "...Probing for IPv4 TPROXY support.");
472
473 struct sockaddr_in tmp_ip4;
b7ac5457 474 Ip::Address tmp = "127.0.0.2";
4dd643d5
AJ
475 tmp.port(0);
476 tmp.getSockAddr(tmp_ip4);
263f84f0
AJ
477
478 if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
b2192042 479 setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
f54f527e 480 bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {
263f84f0
AJ
481
482 debugs(3, 3, "IPv4 TPROXY support detected. Using.");
fb5bffa3 483 close(tmp_sock);
b2192042
AJ
484 if (doneSuid)
485 leave_suid();
263f84f0
AJ
486 return true;
487 }
488 if (tmp_sock >= 0) {
fb5bffa3 489 close(tmp_sock);
263f84f0
AJ
490 }
491 }
492
1125ea7b 493#else
c46e7feb 494 debugs(3, 3, "TPROXY setsockopt() not supported on this platform. Disabling TPROXY on port " << test);
1125ea7b 495
263f84f0 496#endif
b2192042
AJ
497 if (doneSuid)
498 leave_suid();
263f84f0
AJ
499 return false;
500}
f53969cc 501