projects / thirdparty / squid.git / blame
| Commit | Line | Data |
|---|---|---|
| c8be6d7b | 1 | /* |
| f70aedc4 | 2 | * Copyright (C) 1996-2021 The Squid Software Foundation and contributors |
| c8be6d7b | 3 | * |
| bbc27441 AJ |
4 | * Squid software is distributed under GPLv2+ license and includes |
| 5 | * contributions from numerous individuals and organizations. | |
| 6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
| c8be6d7b | 7 | */ |
| bbc27441 AJ |
8 | |
| 9 | /* DEBUG: section 89 NAT / IP Interception */ | |
| 10 | ||
| b7ac5457 AJ |
11 | #ifndef SQUID_IP_IPINTERCEPT_H |
| 12 | #define SQUID_IP_IPINTERCEPT_H | |
| 62e76326 | 13 | |
| fc27cd70 AJ |
14 | /* for time_t */ |
| 15 | #include "SquidTime.h" | |
| 16 | ||
| 63bd4bf7 A |
17 | namespace Ip |
| 18 | { | |
| b7ac5457 AJ |
19 | |
| 20 | class Address; | |
| 21 | ||
| 0fc2952e | 22 | /** |
| 85944c1c | 23 | \defgroup IpInterceptAPI IP Interception and Transparent Proxy API |
| 0fc2952e AJ |
24 | \ingroup SquidComponent |
| 25 | \par | |
| 26 | * There is no formal state-machine for transparency and interception | |
| 27 | * instead there is this neutral API which other connection state machines | |
| 28 | * and the comm layer use to co-ordinate their own state for transparency. | |
| 29 | */ | |
| b7ac5457 | 30 | class Intercept |
| 0fc2952e AJ |
31 | { |
| 32 | public: | |
| 40d34a62 | 33 | Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}; |
| b7ac5457 | 34 | ~Intercept() {}; |
| 04f87469 | 35 | |
| 7b0a0d1f | 36 | /** Perform NAT lookups */ |
| 40d34a62 | 37 | bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn); |
| 34ec5c62 | 38 | |
| 263f84f0 AJ |
39 | /** |
| 40 | * Test system networking calls for TPROXY support. | |
| 41 | * Detects IPv6 and IPv4 level of support matches the address being listened on | |
| 42 | * and if the compiled v2/v4 is usable as far down as a bind()ing. | |
| f54f527e | 43 | * |
| 3cc0f4e7 | 44 | * \param test Address set on the squid.conf *_port being checked. |
| 263f84f0 AJ |
45 | * \retval true TPROXY is available. |
| 46 | * \retval false TPROXY is not available. | |
| 47 | */ | |
| b7ac5457 | 48 | bool ProbeForTproxy(Address &test); |
| 263f84f0 | 49 | |
| 04f87469 | 50 | /** |
| f53969cc | 51 | \retval 0 Full transparency is disabled. |
| 04f87469 AJ |
52 | \retval 1 Full transparency is enabled and active. |
| 53 | */ | |
| 40d34a62 | 54 | inline int TransparentActive() { return transparentActive_; }; |
| 04f87469 AJ |
55 | |
| 56 | /** \par | |
| 57 | * Turn on fully Transparent-Proxy activities. | |
| 58 | * This function should be called during parsing of the squid.conf | |
| 59 | * When any option requiring full-transparency is encountered. | |
| 60 | */ | |
| 40d34a62 | 61 | inline void StartTransparency() { transparentActive_=1; }; |
| 04f87469 AJ |
62 | |
| 63 | /** \par | |
| 64 | * Turn off fully Transparent-Proxy activities on all new connections. | |
| 65 | * Existing transactions and connections are unaffected and will run | |
| 66 | * to their natural completion. | |
| 67 | \param str Reason for stopping. Will be logged to cache.log | |
| 68 | */ | |
| 69 | void StopTransparency(const char *str); | |
| 70 | ||
| 71 | /** | |
| f53969cc | 72 | \retval 0 IP Interception is disabled. |
| 04f87469 AJ |
73 | \retval 1 IP Interception is enabled and active. |
| 74 | */ | |
| 40d34a62 | 75 | inline int InterceptActive() { return interceptActive_; }; |
| 04f87469 AJ |
76 | |
| 77 | /** \par | |
| 78 | * Turn on IP-Interception-Proxy activities. | |
| 79 | * This function should be called during parsing of the squid.conf | |
| 80 | * When any option requiring interception / NAT handling is encountered. | |
| 81 | */ | |
| 40d34a62 | 82 | inline void StartInterception() { interceptActive_=1; }; |
| 04f87469 AJ |
83 | |
| 84 | /** \par | |
| 85 | * Turn off IP-Interception-Proxy activities on all new connections. | |
| 86 | * Existing transactions and connections are unaffected and will run | |
| 87 | * to their natural completion. | |
| 88 | \param str Reason for stopping. Will be logged to cache.log | |
| 89 | */ | |
| 90 | inline void StopInterception(const char *str); | |
| 91 | ||
| 92 | private: | |
| 7b0a0d1f AJ |
93 | |
| 94 | /** | |
| b2192042 AJ |
95 | * perform Lookups on fully-transparent interception targets (TPROXY). |
| 96 | * Supports Netfilter, PF and IPFW. | |
| 7b0a0d1f | 97 | * |
| 40d34a62 AJ |
98 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
| 99 | * \param newConn Details known, to be updated where relevant. | |
| 2f8abb64 | 100 | * \return Whether successfully located the new address. |
| 7b0a0d1f | 101 | */ |
| b2192042 | 102 | bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent); |
| 7b0a0d1f AJ |
103 | |
| 104 | /** | |
| b2192042 | 105 | * perform Lookups on Netfilter interception targets (REDIRECT, DNAT). |
| 7b0a0d1f | 106 | * |
| 40d34a62 AJ |
107 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
| 108 | * \param newConn Details known, to be updated where relevant. | |
| 2f8abb64 | 109 | * \return Whether successfully located the new address. |
| 7b0a0d1f | 110 | */ |
| b2192042 | 111 | bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent); |
| 7b0a0d1f AJ |
112 | |
| 113 | /** | |
| 114 | * perform Lookups on IPFW interception. | |
| 115 | * | |
| 40d34a62 AJ |
116 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
| 117 | * \param newConn Details known, to be updated where relevant. | |
| 2f8abb64 | 118 | * \return Whether successfully located the new address. |
| 7b0a0d1f | 119 | */ |
| 40d34a62 | 120 | bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent); |
| 7b0a0d1f | 121 | |
| 219f8edb AJ |
122 | /** |
| 123 | * perform Lookups on IPF interception. | |
| 124 | * | |
| 40d34a62 AJ |
125 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
| 126 | * \param newConn Details known, to be updated where relevant. | |
| 2f8abb64 | 127 | * \return Whether successfully located the new address. |
| 219f8edb | 128 | */ |
| 40d34a62 | 129 | bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent); |
| 219f8edb | 130 | |
| 51f4d36b | 131 | /** |
| 1125ea7b | 132 | * perform Lookups on PF interception target (REDIRECT). |
| 51f4d36b | 133 | * |
| 40d34a62 AJ |
134 | * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden. |
| 135 | * \param newConn Details known, to be updated where relevant. | |
| 2f8abb64 | 136 | * \return Whether successfully located the new address. |
| 51f4d36b | 137 | */ |
| 40d34a62 | 138 | bool PfInterception(const Comm::ConnectionPointer &newConn, int silent); |
| 51f4d36b | 139 | |
| 40d34a62 AJ |
140 | int transparentActive_; |
| 141 | int interceptActive_; | |
| 142 | time_t lastReported_; /**< Time of last error report. Throttles NAT error display to 1 per minute */ | |
| 04f87469 | 143 | }; |
| 0fc2952e | 144 | |
| 7b0a0d1f | 145 | #if LINUX_NETFILTER && !defined(IP_TRANSPARENT) |
| 85944c1c | 146 | /// \ingroup IpInterceptAPI |
| f1e0717c AJ |
147 | #define IP_TRANSPARENT 19 |
| 148 | #endif | |
| 149 | ||
| 0fc2952e | 150 | /** |
| 85944c1c | 151 | \ingroup IpInterceptAPI |
| 0fc2952e AJ |
152 | * Globally available instance of the IP Interception manager. |
| 153 | */ | |
| b7ac5457 AJ |
154 | extern Intercept Interceptor; |
| 155 | ||
| e5519212 | 156 | } // namespace Ip |
| c8be6d7b | 157 | |
| b7ac5457 | 158 | #endif /* SQUID_IP_IPINTERCEPT_H */ |
| f53969cc | 159 |