c8be6d7b | 1 | /* |
f70aedc4 | 2 | * Copyright (C) 1996-2021 The Squid Software Foundation and contributors |
c8be6d7b | 3 | * |
4 | * Squid software is distributed under GPLv2+ license and includes |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
c8be6d7b | 7 | */ |
8 | |
9 | /* DEBUG: section 89 NAT / IP Interception */ | |
10 | ||
11 | #ifndef SQUID_IP_IPINTERCEPT_H |
12 | #define SQUID_IP_IPINTERCEPT_H | |
62e76326 | 13 | |
14 | /* for time_t */ |
15 | #include "SquidTime.h" | |
16 | ||
17 | namespace Ip |
18 | { | |
b7ac5457 AJ |
19 | |
20 | class Address; | |
21 | ||
0fc2952e | 22 | /** |
85944c1c | 23 | \defgroup IpInterceptAPI IP Interception and Transparent Proxy API |
0fc2952e AJ |
24 | \ingroup SquidComponent |
25 | \par | |
26 | * There is no formal state-machine for transparency and interception | |
27 | * instead there is this neutral API which other connection state machines | |
28 | * and the comm layer use to co-ordinate their own state for transparency. | |
29 | */ | |
b7ac5457 | 30 | class Intercept |
0fc2952e AJ |
31 | { |
32 | public: | |
40d34a62 | 33 | Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}; |
b7ac5457 | 34 | ~Intercept() {}; |
04f87469 | 35 | |
7b0a0d1f | 36 | /** Perform NAT lookups */ |
40d34a62 | 37 | bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn); |
34ec5c62 | 38 | |
263f84f0 AJ |
39 | /** |
40 | * Test system networking calls for TPROXY support. | |
41 | * Detects IPv6 and IPv4 level of support matches the address being listened on | |
42 | * and if the compiled v2/v4 is usable as far down as a bind()ing. | |
f54f527e | 43 | * |
3cc0f4e7 | 44 | * \param test Address set on the squid.conf *_port being checked. |
263f84f0 AJ |
45 | * \retval true TPROXY is available. |
46 | * \retval false TPROXY is not available. | |
47 | */ | |
b7ac5457 | 48 | bool ProbeForTproxy(Address &test); |
263f84f0 | 49 | |
04f87469 | 50 | /** |
f53969cc | 51 | \retval 0 Full transparency is disabled. |
04f87469 AJ |
52 | \retval 1 Full transparency is enabled and active. |
53 | */ | |
40d34a62 | 54 | inline int TransparentActive() { return transparentActive_; }; |
04f87469 AJ |
55 | |
56 | /** \par | |
57 | * Turn on fully Transparent-Proxy activities. | |
58 | * This function should be called during parsing of the squid.conf | |
59 | * When any option requiring full-transparency is encountered. | |
60 | */ | |
40d34a62 | 61 | inline void StartTransparency() { transparentActive_=1; }; |
04f87469 AJ |
62 | |
63 | /** \par | |
64 | * Turn off fully Transparent-Proxy activities on all new connections. | |
65 | * Existing transactions and connections are unaffected and will run | |
66 | * to their natural completion. | |
67 | \param str Reason for stopping. Will be logged to cache.log | |
68 | */ | |
69 | void StopTransparency(const char *str); | |
70 | ||
71 | /** | |
f53969cc | 72 | \retval 0 IP Interception is disabled. |
04f87469 AJ |
73 | \retval 1 IP Interception is enabled and active. |
74 | */ | |
40d34a62 | 75 | inline int InterceptActive() { return interceptActive_; }; |
04f87469 AJ |
76 | |
77 | /** \par | |
78 | * Turn on IP-Interception-Proxy activities. | |
79 | * This function should be called during parsing of the squid.conf | |
80 | * When any option requiring interception / NAT handling is encountered. | |
81 | */ | |
40d34a62 | 82 | inline void StartInterception() { interceptActive_=1; }; |
04f87469 AJ |
83 | |
84 | /** \par | |
85 | * Turn off IP-Interception-Proxy activities on all new connections. | |
86 | * Existing transactions and connections are unaffected and will run | |
87 | * to their natural completion. | |
88 | \param str Reason for stopping. Will be logged to cache.log | |
89 | */ | |
90 | inline void StopInterception(const char *str); | |
91 | ||
92 | private: | |
7b0a0d1f AJ |
93 | |
94 | /** | |
b2192042 AJ |
95 | * perform Lookups on fully-transparent interception targets (TPROXY). |
96 | * Supports Netfilter, PF and IPFW. | |
7b0a0d1f | 97 | * |
40d34a62 AJ |
98 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
99 | * \param newConn Details known, to be updated where relevant. | |
2f8abb64 | 100 | * \return Whether successfully located the new address. |
7b0a0d1f | 101 | */ |
b2192042 | 102 | bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent); |
7b0a0d1f AJ |
103 | |
104 | /** | |
b2192042 | 105 | * perform Lookups on Netfilter interception targets (REDIRECT, DNAT). |
7b0a0d1f | 106 | * |
40d34a62 AJ |
107 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
108 | * \param newConn Details known, to be updated where relevant. | |
2f8abb64 | 109 | * \return Whether successfully located the new address. |
7b0a0d1f | 110 | */ |
b2192042 | 111 | bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent); |
7b0a0d1f AJ |
112 | |
113 | /** | |
114 | * perform Lookups on IPFW interception. | |
115 | * | |
40d34a62 AJ |
116 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
117 | * \param newConn Details known, to be updated where relevant. | |
2f8abb64 | 118 | * \return Whether successfully located the new address. |
7b0a0d1f | 119 | */ |
40d34a62 | 120 | bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent); |
7b0a0d1f | 121 | |
219f8edb AJ |
122 | /** |
123 | * perform Lookups on IPF interception. | |
124 | * | |
40d34a62 AJ |
125 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
126 | * \param newConn Details known, to be updated where relevant. | |
2f8abb64 | 127 | * \return Whether successfully located the new address. |
219f8edb | 128 | */ |
40d34a62 | 129 | bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent); |
219f8edb | 130 | |
51f4d36b | 131 | /** |
1125ea7b | 132 | * perform Lookups on PF interception target (REDIRECT). |
51f4d36b | 133 | * |
40d34a62 AJ |
134 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
135 | * \param newConn Details known, to be updated where relevant. | |
2f8abb64 | 136 | * \return Whether successfully located the new address. |
51f4d36b | 137 | */ |
40d34a62 | 138 | bool PfInterception(const Comm::ConnectionPointer &newConn, int silent); |
51f4d36b | 139 | |
40d34a62 AJ |
140 | int transparentActive_; |
141 | int interceptActive_; | |
142 | time_t lastReported_; /**< Time of last error report. Throttles NAT error display to 1 per minute */ | |
04f87469 | 143 | }; |
0fc2952e | 144 | |
7b0a0d1f | 145 | #if LINUX_NETFILTER && !defined(IP_TRANSPARENT) |
85944c1c | 146 | /// \ingroup IpInterceptAPI |
f1e0717c AJ |
147 | #define IP_TRANSPARENT 19 |
148 | #endif | |
149 | ||
0fc2952e | 150 | /** |
85944c1c | 151 | \ingroup IpInterceptAPI |
0fc2952e AJ |
152 | * Globally available instance of the IP Interception manager. |
153 | */ | |
b7ac5457 AJ |
154 | extern Intercept Interceptor; |
155 | ||
e5519212 | 156 | } // namespace Ip |
c8be6d7b | 157 | |
b7ac5457 | 158 | #endif /* SQUID_IP_IPINTERCEPT_H */ |