[thirdparty/squid.git] / src / ip / Intercept.h
/*
 * DEBUG: section 89 NAT / IP Interception
 * AUTHOR: Robert Collins
 * AUTHOR: Amos Jeffries
 *
 */
7#ifndef SQUID_IP_IPINTERCEPT_H
8#define SQUID_IP_IPINTERCEPT_H
62e76326 9
10/* for time_t */
11#include "SquidTime.h"
12
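namespace Ip
{

class Address;

/**
 \defgroup IpInterceptAPI IP Interception and Transparent Proxy API
 \ingroup SquidComponent
 \par
 * There is no formal state machine for transparency and interception.
 * Instead there is this neutral API, which other connection state machines
 * and the comm layer use to co-ordinate their own state for transparency.
 *
 \par
 * Operational note: display of NAT lookup errors is throttled (see
 * lastReported_), so a single error line in cache.log can stand for many
 * failed lookups. Do not read the absence of repeated messages as proof
 * that lookups have recovered.
 *
 * NOTE(review): Comm::ConnectionPointer is not declared by anything visible
 * in this header; unless SquidTime.h provides it transitively, this header
 * depends on the include order of whoever includes it -- confirm.
 */
class Intercept
{
public:
    /// Starts with both modes disabled and no error reported yet.
    Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}
    ~Intercept() {}

    /**
     * Perform NAT lookups.
     *
     * \param newConn    The newly accepted connection. Presumably updated in
     *                   place with the looked-up details, as documented for
     *                   the private per-backend helpers -- confirm in the
     *                   implementation.
     * \param listenConn The listening connection the new one arrived on.
     *                   TODO(review): document how it selects the lookup mode.
     * \return Presumably whether a lookup succeeded -- confirm.
     */
    bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn);

    /**
     * Test system networking calls for TPROXY support.
     * Detects whether the IPv6 and IPv4 level of support matches the address
     * being listened on, and whether the compiled v2/v4 is usable as far
     * down as a bind() call.
     *
     * \param test    Address set on the http(s)_port being checked.
     * \retval true   TPROXY is available.
     * \retval false  TPROXY is not available.
     */
    bool ProbeForTproxy(Address &test);

    /**
     \retval 0  Full transparency is disabled.
     \retval 1  Full transparency is enabled and active.
     */
    int TransparentActive() const { return transparentActive_; }

    /** \par
     * Turn on fully Transparent-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * when any option requiring full transparency is encountered.
     */
    void StartTransparency() { transparentActive_ = 1; }

    /** \par
     * Turn off fully Transparent-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str  Reason for stopping. Will be logged to cache.log
     */
    void StopTransparency(const char *str);

    /**
     \retval 0  IP Interception is disabled.
     \retval 1  IP Interception is enabled and active.
     */
    int InterceptActive() const { return interceptActive_; }

    /** \par
     * Turn on IP-Interception-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * when any option requiring interception / NAT handling is encountered.
     */
    void StartInterception() { interceptActive_ = 1; }

    /** \par
     * Turn off IP-Interception-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str  Reason for stopping. Will be logged to cache.log
     */
    // Not declared 'inline': no definition is visible in this header, and an
    // inline function must be defined in every translation unit that uses it.
    void StopInterception(const char *str);

private:

    /**
     * Perform lookups on Netfilter interception targets (REDIRECT, DNAT).
     *
     * \param newConn  Details known, to be updated where relevant.
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on Netfilter fully-transparent interception targets (TPROXY).
     *
     * \param newConn  Details known, to be updated where relevant.
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool NetfilterTransparent(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPFW interception.
     *
     * \param newConn  Details known, to be updated where relevant.
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPF interception.
     *
     * \param newConn  Details known, to be updated where relevant.
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on PF interception.
     *
     * \param newConn  Details known, to be updated where relevant.
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);

    int transparentActive_; ///< 1 while full transparency (TPROXY) is enabled, else 0
    int interceptActive_;   ///< 1 while IP interception (NAT) is enabled, else 0
    time_t lastReported_; /**< Time of last error report. Throttles NAT error display to 1 per minute */
};

#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
/// \ingroup IpInterceptAPI
// Fallback for builds whose system headers do not define IP_TRANSPARENT.
// 19 is the Linux socket-option number for it; the value is kernel ABI and
// must not be changed. Macros ignore namespaces, so this definition is
// visible to everything that includes this header, not just Ip::.
// Setting the option normally needs elevated privilege (CAP_NET_ADMIN on
// Linux), so a failed probe may indicate missing privilege and not only
// missing kernel support.
#define IP_TRANSPARENT 19
#endif

/**
 \ingroup IpInterceptAPI
 * Globally available instance of the IP Interception manager.
 */
extern Intercept Interceptor;

} // namespace Ip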
c8be6d7b 152
b7ac5457 153#endif /* SQUID_IP_IPINTERCEPT_H */