c8be6d7b | 1 | /* |
2 | * DEBUG: section 89 NAT / IP Interception |
3 | * AUTHOR: Robert Collins | |
4 | * AUTHOR: Amos Jeffries | |
c8be6d7b | 5 | * |
6 | */ | |
7 | #ifndef SQUID_IP_IPINTERCEPT_H |
8 | #define SQUID_IP_IPINTERCEPT_H | |
62e76326 | 9 | |
10 | /* for time_t */ |
11 | #include "SquidTime.h" | |
12 | ||
13 | namespace Ip |
14 | { | |
15 | |
16 | class Address; | |
17 | ||
0fc2952e | 18 | /** |
85944c1c | 19 | \defgroup IpInterceptAPI IP Interception and Transparent Proxy API |
20 | \ingroup SquidComponent |
21 | \par | |
22 | * There is no formal state-machine for transparency and interception | |
23 | * instead there is this neutral API which other connection state machines | |
24 | * and the comm layer use to co-ordinate their own state for transparency. | |
25 | */ | |
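class Intercept
{
public:
    Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}
    ~Intercept() {}

    /**
     * Perform NAT lookups for a newly accepted connection.
     *
     * \param newConn    Details known about the accepted connection, to be
     *                   updated where relevant (see the per-firewall helpers).
     * \param listenConn The listening connection the client arrived on
     *                   (presumably the http(s)_port socket — confirm in IpIntercept.cc).
     * \return Whether the lookup located the address. A false result should
     *         be treated by callers as a failed lookup, not as a usable result.
     */
    bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn);

    /**
     * Test system networking calls for TPROXY support.
     * Detects IPv6 and IPv4 level of support matches the address being listened on
     * and if the compiled v2/v4 is usable as far down as a bind()ing.
     *
     * \param test Address set on the http(s)_port being checked.
     * \retval true TPROXY is available.
     * \retval false TPROXY is not available.
     */
    bool ProbeForTproxy(Address &test);

    /**
     \retval 0 Full transparency is disabled.
     \retval 1 Full transparency is enabled and active.
     */
    int TransparentActive() const { return transparentActive_; }

    /** \par
     * Turn on fully Transparent-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * When any option requiring full-transparency is encountered.
     */
    void StartTransparency() { transparentActive_ = 1; }

    /** \par
     * Turn off fully Transparent-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str Reason for stopping. Will be logged to cache.log
     */
    void StopTransparency(const char *str);

    /**
     \retval 0 IP Interception is disabled.
     \retval 1 IP Interception is enabled and active.
     */
    int InterceptActive() const { return interceptActive_; }

    /** \par
     * Turn on IP-Interception-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * When any option requiring interception / NAT handling is encountered.
     */
    void StartInterception() { interceptActive_ = 1; }

    /** \par
     * Turn off IP-Interception-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str Reason for stopping. Will be logged to cache.log
     */
    // Declared without 'inline': the definition lives out of line (as for
    // StopTransparency), and an inline member with no in-header definition
    // is ill-formed in any TU that calls it.
    void StopInterception(const char *str);

private:

    /**
     * perform Lookups on Netfilter interception targets (REDIRECT, DNAT).
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on Netfilter fully-transparent interception targets (TPROXY).
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool NetfilterTransparent(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on IPFW interception.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on IPF interception.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on PF interception.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);

    int transparentActive_;  ///< 0 = off, 1 = full transparency (TPROXY) enabled; set by StartTransparency()
    int interceptActive_;    ///< 0 = off, 1 = NAT interception enabled; set by StartInterception()
    time_t lastReported_;    /**< Time of last error report. Throttles NAT error display to 1 per minute */
};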
0fc2952e | 139 | |
#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
/// \ingroup IpInterceptAPI
/// Fallback for build hosts whose system headers predate the IP_TRANSPARENT
/// socket option. NOTE(review): the value is expected to match the kernel's
/// own definition — confirm against the target platform's headers.
#define IP_TRANSPARENT 19
#endif
144 | ||
0fc2952e | 145 | /** |
85944c1c | 146 | \ingroup IpInterceptAPI |
147 | * Globally available instance of the IP Interception manager. |
148 | */ | |
149 | extern Intercept Interceptor; |
150 | ||
e5519212 | 151 | } // namespace Ip |
c8be6d7b | 152 | |
b7ac5457 | 153 | #endif /* SQUID_IP_IPINTERCEPT_H */ |