]>
Commit | Line | Data |
---|---|---|
c8be6d7b | 1 | /* |
1f7b830e | 2 | * Copyright (C) 1996-2025 The Squid Software Foundation and contributors |
c8be6d7b | 3 | * |
bbc27441 AJ |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
c8be6d7b | 7 | */ |
bbc27441 AJ |
8 | |
9 | /* DEBUG: section 89 NAT / IP Interception */ | |
10 | ||
d25bbe26 AJ |
11 | // Enable hack to workaround Solaris 10 IPFilter breakage |
12 | #define BUILDING_SQUID_IP_INTERCEPT_CC 1 | |
13 | ||
f7f3304a | 14 | #include "squid.h" |
40d34a62 | 15 | #include "comm/Connection.h" |
b3166404 | 16 | #include "fde.h" |
602d9612 | 17 | #include "ip/Intercept.h" |
97bbba61 | 18 | #include "ip/tools.h" |
5c1be108 | 19 | #include "src/tools.h" |
fc27cd70 | 20 | |
1a30fdf5 AJ |
21 | #include <cerrno> |
22 | ||
c8be6d7b | 23 | #if IPF_TRANSPARENT |
34ec5c62 | 24 | |
d25bbe26 AJ |
25 | #if !defined(IPFILTER_VERSION) |
26 | #define IPFILTER_VERSION 5000004 | |
27 | #endif | |
28 | ||
4e3e244d TK |
29 | #if HAVE_SYS_PARAM_H |
30 | #include <sys/param.h> | |
31 | #endif | |
d25bbe26 AJ |
32 | #if HAVE_SYS_IOCCOM_H |
33 | #include <sys/ioccom.h> | |
34 | #endif | |
c8be6d7b | 35 | #if HAVE_SYS_IOCTL_H |
36 | #include <sys/ioctl.h> | |
37 | #endif | |
d25bbe26 AJ |
38 | #if HAVE_NETINET_IP6_H |
39 | #include <netinet/ip6.h> | |
40 | #endif | |
e9e7c285 | 41 | #if HAVE_NETINET_TCP_H |
c8be6d7b | 42 | #include <netinet/tcp.h> |
e9e7c285 | 43 | #endif |
44 | #if HAVE_NET_IF_H | |
c8be6d7b | 45 | #include <net/if.h> |
e9e7c285 | 46 | #endif |
b0dfd10b | 47 | #if HAVE_IPL_H |
dbc5782a | 48 | #include <ipl.h> |
49 | #elif HAVE_NETINET_IPL_H | |
50 | #include <netinet/ipl.h> | |
51 | #endif | |
d25bbe26 AJ |
52 | #if USE_SOLARIS_IPFILTER_MINOR_T_HACK |
53 | #undef minor_t | |
54 | #endif | |
c8be6d7b | 55 | #if HAVE_IP_FIL_COMPAT_H |
56 | #include <ip_fil_compat.h> | |
57 | #elif HAVE_NETINET_IP_FIL_COMPAT_H | |
58 | #include <netinet/ip_fil_compat.h> | |
59 | #elif HAVE_IP_COMPAT_H | |
60 | #include <ip_compat.h> | |
61 | #elif HAVE_NETINET_IP_COMPAT_H | |
62 | #include <netinet/ip_compat.h> | |
63 | #endif | |
64 | #if HAVE_IP_FIL_H | |
65 | #include <ip_fil.h> | |
66 | #elif HAVE_NETINET_IP_FIL_H | |
67 | #include <netinet/ip_fil.h> | |
68 | #endif | |
69 | #if HAVE_IP_NAT_H | |
70 | #include <ip_nat.h> | |
71 | #elif HAVE_NETINET_IP_NAT_H | |
72 | #include <netinet/ip_nat.h> | |
73 | #endif | |
34ec5c62 AJ |
74 | |
75 | #endif /* IPF_TRANSPARENT required headers */ | |
c8be6d7b | 76 | |
77 | #if PF_TRANSPARENT | |
c8be6d7b | 78 | #include <sys/socket.h> |
79 | #include <sys/ioctl.h> | |
80 | #include <sys/fcntl.h> | |
81 | #include <net/if.h> | |
82 | #include <netinet/in.h> | |
b0dfd10b | 83 | #if HAVE_NET_PF_PFVAR_H |
ec9909b0 AJ |
84 | #include <net/pf/pfvar.h> |
85 | #endif /* HAVE_NET_PF_PFVAR_H */ | |
b0dfd10b | 86 | #if HAVE_NET_PFVAR_H |
c8be6d7b | 87 | #include <net/pfvar.h> |
ec9909b0 | 88 | #endif /* HAVE_NET_PFVAR_H */ |
34ec5c62 | 89 | #endif /* PF_TRANSPARENT required headers */ |
5afac208 AJ |
90 | |
91 | #if LINUX_NETFILTER | |
074d6a40 AJ |
92 | /* <climits> must be before including netfilter_ipv4.h */ |
93 | #include <climits> | |
ee80a919 | 94 | #include <linux/if.h> |
c8be6d7b | 95 | #include <linux/netfilter_ipv4.h> |
ee80a919 AR |
96 | #if HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H |
97 | /* 2013-07-01: Pablo the Netfilter maintainer is rejecting patches | |
98 | * which will enable C++ compilers to build the Netfilter public headers. | |
99 | * We can auto-detect its presence and attempt to use in case he ever | |
100 | * changes his mind or things get cleaned up some other way. | |
101 | * But until then are usually forced to hard-code the getsockopt() code | |
102 | * for IPv6 NAT lookups. | |
103 | */ | |
104 | #include <linux/netfilter_ipv6/ip6_tables.h> | |
105 | #endif | |
106 | #if !defined(IP6T_SO_ORIGINAL_DST) | |
f53969cc | 107 | #define IP6T_SO_ORIGINAL_DST 80 // stolen with prejudice from the above file. |
ee80a919 | 108 | #endif |
5afac208 | 109 | #endif /* LINUX_NETFILTER required headers */ |
c8be6d7b | 110 | |
0fc2952e | 111 | // single global instance for access by other components. |
b7ac5457 | 112 | Ip::Intercept Ip::Interceptor; |
0fc2952e | 113 | |
04f87469 | 114 | void |
b7ac5457 | 115 | Ip::Intercept::StopTransparency(const char *str) |
26ac0430 | 116 | { |
40d34a62 | 117 | if (transparentActive_) { |
788625af | 118 | debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str); |
40d34a62 | 119 | transparentActive_ = 0; |
788625af | 120 | } |
04f87469 AJ |
121 | } |
122 | ||
40d34a62 | 123 | bool |
7c35cc90 | 124 | Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn) |
7b0a0d1f AJ |
125 | { |
126 | #if LINUX_NETFILTER | |
ee80a919 AR |
127 | struct sockaddr_storage lookup; |
128 | socklen_t len = newConn->local.isIPv6() ? sizeof(sockaddr_in6) : sizeof(sockaddr_in); | |
129 | newConn->local.getSockAddr(lookup, AF_UNSPEC); | |
7b0a0d1f AJ |
130 | |
131 | /** \par | |
132 | * Try NAT lookup for REDIRECT or DNAT targets. */ | |
ee80a919 | 133 | if ( getsockopt(newConn->fd, |
fa0b1a25 A |
134 | newConn->local.isIPv6() ? IPPROTO_IPV6 : IPPROTO_IP, |
135 | newConn->local.isIPv6() ? IP6T_SO_ORIGINAL_DST : SO_ORIGINAL_DST, | |
136 | &lookup, | |
137 | &len) != 0) { | |
7c35cc90 AJ |
138 | const auto xerrno = errno; |
139 | debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerr(xerrno)); | |
40d34a62 | 140 | return false; |
26ac0430 | 141 | } else { |
40d34a62 | 142 | newConn->local = lookup; |
ee80a919 | 143 | debugs(89, 5, "address NAT: " << newConn); |
40d34a62 | 144 | return true; |
7b0a0d1f | 145 | } |
8b082ed9 FC |
146 | #else |
147 | (void)newConn; | |
7b0a0d1f | 148 | #endif |
40d34a62 | 149 | return false; |
7b0a0d1f AJ |
150 | } |
151 | ||
96f97829 EB |
152 | void |
153 | Ip::Intercept::StartTransparency() | |
7b0a0d1f | 154 | { |
96f97829 EB |
155 | // --enable-linux-netfilter |
156 | // --enable-pf-transparent | |
157 | // --enable-ipfw-transparent | |
b2192042 AJ |
158 | #if (LINUX_NETFILTER && defined(IP_TRANSPARENT)) || \ |
159 | (PF_TRANSPARENT && defined(SO_BINDANY)) || \ | |
160 | (IPFW_TRANSPARENT && defined(IP_BINDANY)) | |
96f97829 EB |
161 | transparentActive_ = 1; |
162 | #else | |
163 | throw TextException("requires TPROXY feature to be enabled by ./configure", Here()); | |
164 | #endif | |
165 | } | |
b2192042 | 166 | |
96f97829 EB |
167 | void |
168 | Ip::Intercept::StartInterception() | |
169 | { | |
170 | // --enable-linux-netfilter | |
171 | // --enable-ipfw-transparent | |
172 | // --enable-ipf-transparent | |
173 | // --enable-pf-transparent | |
174 | #if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT | |
175 | interceptActive_ = 1; | |
40d34a62 | 176 | #else |
96f97829 | 177 | throw TextException("requires NAT Interception feature to be enabled by ./configure", Here()); |
acaa7194 | 178 | #endif |
7b0a0d1f AJ |
179 | } |
180 | ||
40d34a62 | 181 | bool |
7c35cc90 | 182 | Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn) |
d8b5bcbc AJ |
183 | { |
184 | #if IPFW_TRANSPARENT | |
399990a7 | 185 | return UseInterceptionAddressesLookedUpEarlier(__FUNCTION__, newConn); |
b2192042 | 186 | #else |
8b082ed9 | 187 | (void)newConn; |
40d34a62 | 188 | return false; |
b2192042 | 189 | #endif |
d8b5bcbc | 190 | } |
0fc2952e | 191 | |
399990a7 AR |
192 | /// Assume that getsockname() has been called already and provided the necessary |
193 | /// TCP packet details. There is no way to identify whether they came from NAT. | |
194 | /// Trust the user configured properly. | |
195 | bool | |
196 | Ip::Intercept::UseInterceptionAddressesLookedUpEarlier(const char * const caller, const Comm::ConnectionPointer &newConn) | |
197 | { | |
198 | // paranoid: ./configure should prohibit these combinations | |
199 | #if LINUX_NETFILTER && PF_TRANSPARENT && !USE_NAT_DEVPF | |
200 | static_assert(!"--enable-linux-netfilter is incompatible with --enable-pf-transparent --without-nat-devpf"); | |
201 | #endif | |
202 | #if LINUX_NETFILTER && IPFW_TRANSPARENT | |
203 | static_assert(!"--enable-linux-netfilter is incompatible with --enable-ipfw-transparent"); | |
204 | #endif | |
205 | // --enable-linux-netfilter is compatible with --enable-ipf-transparent | |
206 | ||
207 | debugs(89, 5, caller << " uses " << newConn); | |
208 | return true; | |
209 | } | |
210 | ||
40d34a62 | 211 | bool |
7c35cc90 | 212 | Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn) |
3f38a55e | 213 | { |
f1e0717c | 214 | #if IPF_TRANSPARENT /* --enable-ipf-transparent */ |
62e76326 | 215 | |
c8be6d7b | 216 | struct natlookup natLookup; |
217 | static int natfd = -1; | |
c8be6d7b | 218 | int x; |
3f38a55e | 219 | |
c74be4ce | 220 | // all fields must be set to 0 |
dcfb239f | 221 | memset(&natLookup, 0, sizeof(natLookup)); |
c74be4ce | 222 | // for NAT lookup set local and remote IP:port's |
b2fb6c8a | 223 | if (newConn->remote.isIPv6()) { |
8433f128 | 224 | #if HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 |
b2fb6c8a | 225 | natLookup.nl_v = 6; |
04e81e71 AJ |
226 | newConn->local.getInAddr(natLookup.nl_inipaddr.in6); |
227 | newConn->remote.getInAddr(natLookup.nl_outipaddr.in6); | |
8ea96604 SM |
228 | } |
229 | else { | |
b2fb6c8a | 230 | natLookup.nl_v = 4; |
04e81e71 AJ |
231 | newConn->local.getInAddr(natLookup.nl_inipaddr.in4); |
232 | newConn->remote.getInAddr(natLookup.nl_outipaddr.in4); | |
b2fb6c8a | 233 | } |
8b082ed9 | 234 | #else /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */ |
4eaf432d AJ |
235 | // warn once every 10 at critical level, then push down a level each repeated event |
236 | static int warningLevel = DBG_CRITICAL; | |
237 | debugs(89, warningLevel, "Your IPF (IPFilter) NAT does not support IPv6. Please upgrade it."); | |
238 | warningLevel = (warningLevel + 1) % 10; | |
239 | return false; | |
240 | } | |
241 | newConn->local.getInAddr(natLookup.nl_inip); | |
242 | newConn->remote.getInAddr(natLookup.nl_outip); | |
8b082ed9 | 243 | #endif /* HAVE_STRUCT_NATLOOKUP_NL_INIPADDR_IN6 */ |
4dd643d5 | 244 | natLookup.nl_inport = htons(newConn->local.port()); |
4dd643d5 | 245 | natLookup.nl_outport = htons(newConn->remote.port()); |
c74be4ce | 246 | // ... and the TCP flag |
c8be6d7b | 247 | natLookup.nl_flags = IPN_TCP; |
62e76326 | 248 | |
26ac0430 | 249 | if (natfd < 0) { |
62e76326 | 250 | int save_errno; |
251 | enter_suid(); | |
dbc5782a | 252 | #ifdef IPNAT_NAME |
dbc5782a | 253 | natfd = open(IPNAT_NAME, O_RDONLY, 0); |
98a3bc99 | 254 | #else |
62e76326 | 255 | natfd = open(IPL_NAT, O_RDONLY, 0); |
98a3bc99 | 256 | #endif |
62e76326 | 257 | save_errno = errno; |
258 | leave_suid(); | |
259 | errno = save_errno; | |
c8be6d7b | 260 | } |
62e76326 | 261 | |
26ac0430 | 262 | if (natfd < 0) { |
7c35cc90 AJ |
263 | const auto xerrno = errno; |
264 | debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT open failed: " << xstrerr(xerrno)); | |
265 | return false; | |
c8be6d7b | 266 | } |
62e76326 | 267 | |
dbc5782a | 268 | #if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027) |
c74be4ce AJ |
269 | struct ipfobj obj; |
270 | memset(&obj, 0, sizeof(obj)); | |
271 | obj.ipfo_rev = IPFILTER_VERSION; | |
272 | obj.ipfo_size = sizeof(natLookup); | |
273 | obj.ipfo_ptr = &natLookup; | |
274 | obj.ipfo_type = IPFOBJ_NATLOOKUP; | |
275 | ||
dbc5782a | 276 | x = ioctl(natfd, SIOCGNATL, &obj); |
dbc5782a | 277 | #else |
3f38a55e | 278 | /* |
dbc5782a | 279 | * IP-Filter changed the type for SIOCGNATL between |
280 | * 3.3 and 3.4. It also changed the cmd value for | |
281 | * SIOCGNATL, so at least we can detect it. We could | |
282 | * put something in configure and use ifdefs here, but | |
283 | * this seems simpler. | |
284 | */ | |
c74be4ce | 285 | static int siocgnatl_cmd = SIOCGNATL & 0xff; |
26ac0430 | 286 | if (63 == siocgnatl_cmd) { |
62e76326 | 287 | struct natlookup *nlp = &natLookup; |
288 | x = ioctl(natfd, SIOCGNATL, &nlp); | |
26ac0430 | 289 | } else { |
62e76326 | 290 | x = ioctl(natfd, SIOCGNATL, &natLookup); |
291 | } | |
292 | ||
8b082ed9 | 293 | #endif /* defined(IPFILTER_VERSION) ... */ |
26ac0430 | 294 | if (x < 0) { |
7c35cc90 | 295 | const auto xerrno = errno; |
b69e9ffa | 296 | if (xerrno != ESRCH) { |
7c35cc90 | 297 | debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerr(xerrno)); |
62e76326 | 298 | close(natfd); |
299 | natfd = -1; | |
300 | } | |
301 | ||
bf95c10a | 302 | debugs(89, 9, "address: " << newConn); |
40d34a62 | 303 | return false; |
26ac0430 | 304 | } else { |
8433f128 | 305 | #if HAVE_STRUCT_NATLOOKUP_NL_REALIPADDR_IN6 |
04e81e71 AJ |
306 | if (newConn->remote.isIPv6()) |
307 | newConn->local = natLookup.nl_realipaddr.in6; | |
308 | else | |
309 | newConn->local = natLookup.nl_realipaddr.in4; | |
4eaf432d AJ |
310 | #else |
311 | newConn->local = natLookup.nl_realip; | |
04e81e71 | 312 | #endif |
4dd643d5 | 313 | newConn->local.port(ntohs(natLookup.nl_realport)); |
bf95c10a | 314 | debugs(89, 5, "address NAT: " << newConn); |
40d34a62 | 315 | return true; |
c8be6d7b | 316 | } |
62e76326 | 317 | |
8b082ed9 FC |
318 | #else |
319 | (void)newConn; | |
219f8edb | 320 | #endif /* --enable-ipf-transparent */ |
40d34a62 | 321 | return false; |
219f8edb | 322 | } |
f1e0717c | 323 | |
1125ea7b | 324 | bool |
7c35cc90 | 325 | Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn) |
1125ea7b | 326 | { |
b2192042 AJ |
327 | #if PF_TRANSPARENT /* --enable-pf-transparent */ |
328 | ||
329 | #if !USE_NAT_DEVPF | |
399990a7 | 330 | return UseInterceptionAddressesLookedUpEarlier("recent PF version", newConn); |
1125ea7b | 331 | |
b2192042 | 332 | #else /* USE_NAT_DEVPF / --with-nat-devpf */ |
62e76326 | 333 | |
3f38a55e | 334 | struct pfioc_natlook nl; |
335 | static int pffd = -1; | |
62e76326 | 336 | |
337 | if (pffd < 0) | |
d14c6ef2 | 338 | pffd = open("/dev/pf", O_RDONLY); |
62e76326 | 339 | |
26ac0430 | 340 | if (pffd < 0) { |
7c35cc90 AJ |
341 | const auto xerrno = errno; |
342 | debugs(89, DBG_IMPORTANT, "ERROR: PF open failed: " << xstrerr(xerrno)); | |
40d34a62 | 343 | return false; |
c8be6d7b | 344 | } |
62e76326 | 345 | |
c8be6d7b | 346 | memset(&nl, 0, sizeof(struct pfioc_natlook)); |
cc192b50 | 347 | |
5a33064f EG |
348 | if (newConn->remote.isIPv6()) { |
349 | newConn->remote.getInAddr(nl.saddr.v6); | |
350 | newConn->local.getInAddr(nl.daddr.v6); | |
351 | nl.af = AF_INET6; | |
352 | } else { | |
353 | newConn->remote.getInAddr(nl.saddr.v4); | |
354 | newConn->local.getInAddr(nl.daddr.v4); | |
355 | nl.af = AF_INET; | |
356 | } | |
357 | ||
358 | nl.sport = htons(newConn->remote.port()); | |
4dd643d5 | 359 | nl.dport = htons(newConn->local.port()); |
cc192b50 | 360 | |
c8be6d7b | 361 | nl.proto = IPPROTO_TCP; |
362 | nl.direction = PF_OUT; | |
62e76326 | 363 | |
26ac0430 | 364 | if (ioctl(pffd, DIOCNATLOOK, &nl)) { |
7c35cc90 | 365 | const auto xerrno = errno; |
b69e9ffa | 366 | if (xerrno != ENOENT) { |
7c35cc90 | 367 | debugs(89, DBG_IMPORTANT, "ERROR: PF lookup failed: ioctl(DIOCNATLOOK): " << xstrerr(xerrno)); |
62e76326 | 368 | close(pffd); |
369 | pffd = -1; | |
370 | } | |
bf95c10a | 371 | debugs(89, 9, "address: " << newConn); |
40d34a62 | 372 | return false; |
26ac0430 | 373 | } else { |
5a33064f EG |
374 | if (newConn->remote.isIPv6()) |
375 | newConn->local = nl.rdaddr.v6; | |
376 | else | |
377 | newConn->local = nl.rdaddr.v4; | |
4dd643d5 | 378 | newConn->local.port(ntohs(nl.rdport)); |
bf95c10a | 379 | debugs(89, 5, "address NAT: " << newConn); |
40d34a62 | 380 | return true; |
3f38a55e | 381 | } |
b2192042 | 382 | #endif /* --with-nat-devpf */ |
8b082ed9 FC |
383 | #else |
384 | (void)newConn; | |
51f4d36b | 385 | #endif /* --enable-pf-transparent */ |
40d34a62 | 386 | return false; |
51f4d36b AJ |
387 | } |
388 | ||
40d34a62 | 389 | bool |
96f97829 | 390 | Ip::Intercept::LookupNat(const Comm::Connection &aConn) |
51f4d36b | 391 | { |
96f97829 EB |
392 | debugs(89, 5, "address BEGIN: me/client= " << aConn.local << ", destination/me= " << aConn.remote); |
393 | assert(interceptActive_); | |
9bad3e09 | 394 | |
96f97829 EB |
395 | Comm::ConnectionPointer newConn = &aConn; |
396 | return NetfilterInterception(newConn) || IpfwInterception(newConn) || // use sock-opts to return client address | |
397 | PfInterception(newConn) || IpfInterception(newConn); // use ioctl to return client address AND destination address | |
f1e0717c | 398 | } |
34ec5c62 | 399 | |
263f84f0 | 400 | bool |
b7ac5457 | 401 | Ip::Intercept::ProbeForTproxy(Ip::Address &test) |
263f84f0 | 402 | { |
b2192042 AJ |
403 | bool doneSuid = false; |
404 | ||
405 | #if _SQUID_LINUX_ && defined(IP_TRANSPARENT) // Linux | |
406 | # define soLevel SOL_IP | |
407 | # define soFlag IP_TRANSPARENT | |
408 | ||
409 | #elif defined(SO_BINDANY) // OpenBSD 4.7+ and NetBSD with PF | |
410 | # define soLevel SOL_SOCKET | |
411 | # define soFlag SO_BINDANY | |
412 | enter_suid(); | |
413 | doneSuid = true; | |
414 | ||
415 | #elif defined(IP_BINDANY) // FreeBSD with IPFW | |
416 | # define soLevel IPPROTO_IP | |
417 | # define soFlag IP_BINDANY | |
418 | enter_suid(); | |
419 | doneSuid = true; | |
420 | ||
421 | #endif | |
422 | ||
423 | #if defined(soLevel) && defined(soFlag) | |
424 | ||
1125ea7b | 425 | debugs(3, 3, "Detect TPROXY support on port " << test); |
263f84f0 | 426 | |
97bbba61 AR |
427 | if (!Ip::EnableIpv6 && test.isIPv6() && !test.setIPv4()) { |
428 | debugs(3, DBG_CRITICAL, "Cannot use TPROXY for " << test << " because IPv6 support is disabled"); | |
429 | if (doneSuid) | |
430 | leave_suid(); | |
431 | return false; | |
432 | } | |
433 | ||
263f84f0 AJ |
434 | int tos = 1; |
435 | int tmp_sock = -1; | |
436 | ||
263f84f0 | 437 | /* Probe to see if the Kernel TPROXY support is IPv6-enabled */ |
4dd643d5 | 438 | if (test.isIPv6()) { |
263f84f0 AJ |
439 | debugs(3, 3, "...Probing for IPv6 TPROXY support."); |
440 | ||
441 | struct sockaddr_in6 tmp_ip6; | |
b7ac5457 | 442 | Ip::Address tmp = "::2"; |
4dd643d5 AJ |
443 | tmp.port(0); |
444 | tmp.getSockAddr(tmp_ip6); | |
263f84f0 AJ |
445 | |
446 | if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 && | |
b2192042 | 447 | setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 && |
f54f527e | 448 | bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) { |
263f84f0 AJ |
449 | |
450 | debugs(3, 3, "IPv6 TPROXY support detected. Using."); | |
fb5bffa3 | 451 | close(tmp_sock); |
b2192042 AJ |
452 | if (doneSuid) |
453 | leave_suid(); | |
263f84f0 AJ |
454 | return true; |
455 | } | |
456 | if (tmp_sock >= 0) { | |
fb5bffa3 | 457 | close(tmp_sock); |
263f84f0 AJ |
458 | tmp_sock = -1; |
459 | } | |
460 | } | |
461 | ||
4dd643d5 | 462 | if ( test.isIPv6() && !test.setIPv4() ) { |
263f84f0 | 463 | debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test ); |
b2192042 AJ |
464 | if (doneSuid) |
465 | leave_suid(); | |
263f84f0 AJ |
466 | return false; |
467 | } | |
263f84f0 AJ |
468 | |
469 | /* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */ | |
4dd643d5 | 470 | if (test.isIPv4()) { |
263f84f0 AJ |
471 | debugs(3, 3, "...Probing for IPv4 TPROXY support."); |
472 | ||
473 | struct sockaddr_in tmp_ip4; | |
b7ac5457 | 474 | Ip::Address tmp = "127.0.0.2"; |
4dd643d5 AJ |
475 | tmp.port(0); |
476 | tmp.getSockAddr(tmp_ip4); | |
263f84f0 AJ |
477 | |
478 | if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 && | |
b2192042 | 479 | setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 && |
f54f527e | 480 | bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) { |
263f84f0 AJ |
481 | |
482 | debugs(3, 3, "IPv4 TPROXY support detected. Using."); | |
fb5bffa3 | 483 | close(tmp_sock); |
b2192042 AJ |
484 | if (doneSuid) |
485 | leave_suid(); | |
263f84f0 AJ |
486 | return true; |
487 | } | |
488 | if (tmp_sock >= 0) { | |
fb5bffa3 | 489 | close(tmp_sock); |
263f84f0 AJ |
490 | } |
491 | } | |
492 | ||
1125ea7b | 493 | #else |
c46e7feb | 494 | debugs(3, 3, "TPROXY setsockopt() not supported on this platform. Disabling TPROXY on port " << test); |
1125ea7b | 495 | |
263f84f0 | 496 | #endif |
b2192042 AJ |
497 | if (doneSuid) |
498 | leave_suid(); | |
263f84f0 AJ |
499 | return false; |
500 | } | |
f53969cc | 501 |