src/ip/Intercept.cc

   1 /*
   2  * DEBUG: section 89    NAT / IP Interception
   3  * AUTHOR: Robert Collins
   4  * AUTHOR: Amos Jeffries
   5  *
   6  * SQUID Web Proxy Cache          http://www.squid-cache.org/
   7  * ----------------------------------------------------------
   8  *
   9  *  Squid is the result of efforts by numerous individuals from
  10  *  the Internet community; see the CONTRIBUTORS file for full
  11  *  details.   Many organizations have provided support for Squid's
  12  *  development; see the SPONSORS file for full details.  Squid is
  13  *  Copyrighted (C) 2001 by the Regents of the University of
  14  *  California; see the COPYRIGHT file for full details.  Squid
  15  *  incorporates software developed and/or copyrighted by other
  16  *  sources; see the CREDITS file for full details.
  17  *
  18  *  This program is free software; you can redistribute it and/or modify
  19  *  it under the terms of the GNU General Public License as published by
  20  *  the Free Software Foundation; either version 2 of the License, or
  21  *  (at your option) any later version.
  22  *
  23  *  This program is distributed in the hope that it will be useful,
  24  *  but WITHOUT ANY WARRANTY; without even the implied warranty of
  25  *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  26  *  GNU General Public License for more details.
  27  *
  28  *  You should have received a copy of the GNU General Public License
  29  *  along with this program; if not, write to the Free Software
  30  *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  31  *
  32  */
  33 #include "squid.h"
  34 #include "comm/Connection.h"
  35 #include "fde.h"
  36 #include "ip/Intercept.h"
  37 #include "src/tools.h"
  38
  39 #if IPF_TRANSPARENT
  40
  41 #if HAVE_SYS_IOCTL_H
  42 #include <sys/ioctl.h>
  43 #endif
  44 #if HAVE_NETINET_TCP_H
  45 #include <netinet/tcp.h>
  46 #endif
  47 #if HAVE_NET_IF_H
  48 #include <net/if.h>
  49 #endif
  50 #if HAVE_IPL_H
  51 #include <ipl.h>
  52 #elif HAVE_NETINET_IPL_H
  53 #include <netinet/ipl.h>
  54 #endif
  55 #if HAVE_IP_FIL_COMPAT_H
  56 #include <ip_fil_compat.h>
  57 #elif HAVE_NETINET_IP_FIL_COMPAT_H
  58 #include <netinet/ip_fil_compat.h>
  59 #elif HAVE_IP_COMPAT_H
  60 #include <ip_compat.h>
  61 #elif HAVE_NETINET_IP_COMPAT_H
  62 #include <netinet/ip_compat.h>
  63 #endif
  64 #if HAVE_IP_FIL_H
  65 #include <ip_fil.h>
  66 #elif HAVE_NETINET_IP_FIL_H
  67 #include <netinet/ip_fil.h>
  68 #endif
  69 #if HAVE_IP_NAT_H
  70 #include <ip_nat.h>
  71 #elif HAVE_NETINET_IP_NAT_H
  72 #include <netinet/ip_nat.h>
  73 #endif
  74 #if HAVE_ERRNO_H
  75 #include <errno.h>
  76 #endif
  77
  78 #endif /* IPF_TRANSPARENT required headers */
  79
  80 #if PF_TRANSPARENT
  81 #include <sys/socket.h>
  82 #include <sys/ioctl.h>
  83 #include <sys/fcntl.h>
  84 #include <net/if.h>
  85 #include <netinet/in.h>
  86 #if HAVE_NET_PF_PFVAR_H
  87 #include <net/pf/pfvar.h>
  88 #endif /* HAVE_NET_PF_PFVAR_H */
  89 #if HAVE_NET_PFVAR_H
  90 #include <net/pfvar.h>
  91 #endif /* HAVE_NET_PFVAR_H */
  92 #endif /* PF_TRANSPARENT required headers */
  93
  94 #if LINUX_NETFILTER
  95 #if HAVE_LIMITS_H
  96 /* must be before including netfilter_ipv4.h */
  97 #include <limits.h>
  98 #endif
  99 #include <linux/if.h>
 100 #include <linux/netfilter_ipv4.h>
 101 #if HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
 102 /* 2013-07-01: Pablo the Netfilter maintainer is rejecting patches
 103  * which will enable C++ compilers to build the Netfilter public headers.
 104  * We can auto-detect its presence and attempt to use in case he ever
 105  * changes his mind or things get cleaned up some other way.
 106  * But until then are usually forced to hard-code the getsockopt() code
 107  * for IPv6 NAT lookups.
 108  */
 109 #include <linux/netfilter_ipv6/ip6_tables.h>
 110 #endif
 111 #if !defined(IP6T_SO_ORIGINAL_DST)
 112 #define IP6T_SO_ORIGINAL_DST    80      // stolen with prejudice from the above file.
 113 #endif
 114 #endif /* LINUX_NETFILTER required headers */
 115
 116 // single global instance for access by other components.
 117 Ip::Intercept Ip::Interceptor;
 118
 119 void
 120 Ip::Intercept::StopTransparency(const char *str)
 121 {
 122     if (transparentActive_) {
 123         debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
 124         transparentActive_ = 0;
 125     }
 126 }
 127
 128 void
 129 Ip::Intercept::StopInterception(const char *str)
 130 {
 131     if (interceptActive_) {
 132         debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
 133         interceptActive_ = 0;
 134     }
 135 }
 136
 137 bool
 138 Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
 139 {
 140 #if LINUX_NETFILTER
 141     struct sockaddr_storage lookup;
 142     socklen_t len = newConn->local.isIPv6() ? sizeof(sockaddr_in6) : sizeof(sockaddr_in);
 143     newConn->local.getSockAddr(lookup, AF_UNSPEC);
 144
 145     /** \par
 146      * Try NAT lookup for REDIRECT or DNAT targets. */
 147     if ( getsockopt(newConn->fd,
 148                     newConn->local.isIPv6() ? IPPROTO_IPV6 : IPPROTO_IP,
 149                     newConn->local.isIPv6() ? IP6T_SO_ORIGINAL_DST : SO_ORIGINAL_DST,
 150                     &lookup,
 151                     &len) != 0) {
 152         if (!silent) {
 153             debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
 154             lastReported_ = squid_curtime;
 155         }
 156         debugs(89, 9, "address: " << newConn);
 157         return false;
 158     } else {
 159         newConn->local = lookup;
 160         debugs(89, 5, "address NAT: " << newConn);
 161         return true;
 162     }
 163 #endif
 164     return false;
 165 }
 166
 167 bool
 168 Ip::Intercept::TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent)
 169 {
 170 #if (LINUX_NETFILTER && defined(IP_TRANSPARENT)) || \
 171     (PF_TRANSPARENT && defined(SO_BINDANY)) || \
 172     (IPFW_TRANSPARENT && defined(IP_BINDANY))
 173
 174     /* Trust the user configured properly. If not no harm done.
 175      * We will simply attempt a bind outgoing on our own IP.
 176      */
 177     newConn->remote.port(0); // allow random outgoing port to prevent address clashes
 178     debugs(89, 5, HERE << "address TPROXY: " << newConn);
 179     return true;
 180 #else
 181     return false;
 182 #endif
 183 }
 184
 185 bool
 186 Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn, int silent)
 187 {
 188 #if IPFW_TRANSPARENT
 189     /* The getsockname() call performed already provided the TCP packet details.
 190      * There is no way to identify whether they came from NAT or not.
 191      * Trust the user configured properly.
 192      */
 193     debugs(89, 5, HERE << "address NAT: " << newConn);
 194     return true;
 195 #else
 196     return false;
 197 #endif
 198 }
 199
 200 bool
 201 Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn, int silent)
 202 {
 203 #if IPF_TRANSPARENT  /* --enable-ipf-transparent */
 204
 205     struct natlookup natLookup;
 206     static int natfd = -1;
 207     int x;
 208
 209     // all fields must be set to 0
 210     memset(&natLookup, 0, sizeof(natLookup));
 211     // for NAT lookup set local and remote IP:port's
 212     natLookup.nl_inport = htons(newConn->local.port());
 213     newConn->local.getInAddr(natLookup.nl_inip);
 214     natLookup.nl_outport = htons(newConn->remote.port());
 215     newConn->remote.getInAddr(natLookup.nl_outip);
 216     // ... and the TCP flag
 217     natLookup.nl_flags = IPN_TCP;
 218
 219     if (natfd < 0) {
 220         int save_errno;
 221         enter_suid();
 222 #ifdef IPNAT_NAME
 223         natfd = open(IPNAT_NAME, O_RDONLY, 0);
 224 #else
 225         natfd = open(IPL_NAT, O_RDONLY, 0);
 226 #endif
 227         save_errno = errno;
 228         leave_suid();
 229         errno = save_errno;
 230     }
 231
 232     if (natfd < 0) {
 233         if (!silent) {
 234             debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT open failed: " << xstrerror());
 235             lastReported_ = squid_curtime;
 236             return false;
 237         }
 238     }
 239
 240 #if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
 241     struct ipfobj obj;
 242     memset(&obj, 0, sizeof(obj));
 243     obj.ipfo_rev = IPFILTER_VERSION;
 244     obj.ipfo_size = sizeof(natLookup);
 245     obj.ipfo_ptr = &natLookup;
 246     obj.ipfo_type = IPFOBJ_NATLOOKUP;
 247
 248     x = ioctl(natfd, SIOCGNATL, &obj);
 249 #else
 250     /*
 251     * IP-Filter changed the type for SIOCGNATL between
 252     * 3.3 and 3.4.  It also changed the cmd value for
 253     * SIOCGNATL, so at least we can detect it.  We could
 254     * put something in configure and use ifdefs here, but
 255     * this seems simpler.
 256     */
 257     static int siocgnatl_cmd = SIOCGNATL & 0xff;
 258     if (63 == siocgnatl_cmd) {
 259         struct natlookup *nlp = &natLookup;
 260         x = ioctl(natfd, SIOCGNATL, &nlp);
 261     } else {
 262         x = ioctl(natfd, SIOCGNATL, &natLookup);
 263     }
 264
 265 #endif
 266     if (x < 0) {
 267         if (errno != ESRCH) {
 268             if (!silent) {
 269                 debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerror());
 270                 lastReported_ = squid_curtime;
 271             }
 272
 273             close(natfd);
 274             natfd = -1;
 275         }
 276
 277         debugs(89, 9, HERE << "address: " << newConn);
 278         return false;
 279     } else {
 280         newConn->local = natLookup.nl_realip;
 281         newConn->local.port(ntohs(natLookup.nl_realport));
 282         debugs(89, 5, HERE << "address NAT: " << newConn);
 283         return true;
 284     }
 285
 286 #endif /* --enable-ipf-transparent */
 287     return false;
 288 }
 289
 290 bool
 291 Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent)
 292 {
 293 #if PF_TRANSPARENT  /* --enable-pf-transparent */
 294
 295 #if !USE_NAT_DEVPF
 296     /* On recent PF versions the getsockname() call performed already provided
 297      * the required TCP packet details.
 298      * There is no way to identify whether they came from NAT or not.
 299      *
 300      * Trust the user configured properly.
 301      */
 302     debugs(89, 5, HERE << "address NAT divert-to: " << newConn);
 303     return true;
 304
 305 #else /* USE_NAT_DEVPF / --with-nat-devpf */
 306
 307     struct pfioc_natlook nl;
 308     static int pffd = -1;
 309
 310     if (pffd < 0)
 311         pffd = open("/dev/pf", O_RDONLY);
 312
 313     if (pffd < 0) {
 314         if (!silent) {
 315             debugs(89, DBG_IMPORTANT, HERE << "PF open failed: " << xstrerror());
 316             lastReported_ = squid_curtime;
 317         }
 318         return false;
 319     }
 320
 321     memset(&nl, 0, sizeof(struct pfioc_natlook));
 322     newConn->remote.getInAddr(nl.saddr.v4);
 323     nl.sport = htons(newConn->remote.port());
 324
 325     newConn->local.getInAddr(nl.daddr.v4);
 326     nl.dport = htons(newConn->local.port());
 327
 328     nl.af = AF_INET;
 329     nl.proto = IPPROTO_TCP;
 330     nl.direction = PF_OUT;
 331
 332     if (ioctl(pffd, DIOCNATLOOK, &nl)) {
 333         if (errno != ENOENT) {
 334             if (!silent) {
 335                 debugs(89, DBG_IMPORTANT, HERE << "PF lookup failed: ioctl(DIOCNATLOOK)");
 336                 lastReported_ = squid_curtime;
 337             }
 338             close(pffd);
 339             pffd = -1;
 340         }
 341         debugs(89, 9, HERE << "address: " << newConn);
 342         return false;
 343     } else {
 344         newConn->local = nl.rdaddr.v4;
 345         newConn->local.port(ntohs(nl.rdport));
 346         debugs(89, 5, HERE << "address NAT: " << newConn);
 347         return true;
 348     }
 349 #endif /* --with-nat-devpf */
 350 #endif /* --enable-pf-transparent */
 351     return false;
 352 }
 353
 354 bool
 355 Ip::Intercept::Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn)
 356 {
 357     /* --enable-linux-netfilter    */
 358     /* --enable-ipfw-transparent   */
 359     /* --enable-ipf-transparent    */
 360     /* --enable-pf-transparent     */
 361 #if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT
 362
 363 #if 0
 364     // Crop interception errors down to one per minute.
 365     int silent = (squid_curtime - lastReported_ > 60 ? 0 : 1);
 366 #else
 367     // Show all interception errors.
 368     int silent = 0;
 369 #endif
 370
 371     debugs(89, 5, HERE << "address BEGIN: me/client= " << newConn->local << ", destination/me= " << newConn->remote);
 372
 373     newConn->flags |= (listenConn->flags & (COMM_TRANSPARENT|COMM_INTERCEPTION));
 374
 375     /* NP: try TPROXY first, its much quieter than NAT when non-matching */
 376     if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) {
 377         if (TproxyTransparent(newConn, silent)) return true;
 378     }
 379
 380     if (interceptActive_ && listenConn->flags&COMM_INTERCEPTION) {
 381         /* NAT methods that use sock-opts to return client address */
 382         if (NetfilterInterception(newConn, silent)) return true;
 383         if (IpfwInterception(newConn, silent)) return true;
 384
 385         /* NAT methods that use ioctl to return client address AND destination address */
 386         if (PfInterception(newConn, silent)) return true;
 387         if (IpfInterception(newConn, silent)) return true;
 388     }
 389
 390 #else /* none of the transparent options configured */
 391     debugs(89, DBG_IMPORTANT, "WARNING: transparent proxying not supported");
 392 #endif
 393
 394     return false;
 395 }
 396
 397 bool
 398 Ip::Intercept::ProbeForTproxy(Ip::Address &test)
 399 {
 400     bool doneSuid = false;
 401
 402 #if _SQUID_LINUX_ && defined(IP_TRANSPARENT) // Linux
 403 # define soLevel SOL_IP
 404 # define soFlag  IP_TRANSPARENT
 405
 406 #elif defined(SO_BINDANY) // OpenBSD 4.7+ and NetBSD with PF
 407 # define soLevel SOL_SOCKET
 408 # define soFlag  SO_BINDANY
 409     enter_suid();
 410     doneSuid = true;
 411
 412 #elif defined(IP_BINDANY) // FreeBSD with IPFW
 413 # define soLevel IPPROTO_IP
 414 # define soFlag  IP_BINDANY
 415     enter_suid();
 416     doneSuid = true;
 417
 418 #endif
 419
 420 #if defined(soLevel) && defined(soFlag)
 421
 422     debugs(3, 3, "Detect TPROXY support on port " << test);
 423
 424     int tos = 1;
 425     int tmp_sock = -1;
 426
 427     /* Probe to see if the Kernel TPROXY support is IPv6-enabled */
 428     if (test.isIPv6()) {
 429         debugs(3, 3, "...Probing for IPv6 TPROXY support.");
 430
 431         struct sockaddr_in6 tmp_ip6;
 432         Ip::Address tmp = "::2";
 433         tmp.port(0);
 434         tmp.getSockAddr(tmp_ip6);
 435
 436         if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
 437                 setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
 438                 bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {
 439
 440             debugs(3, 3, "IPv6 TPROXY support detected. Using.");
 441             close(tmp_sock);
 442             if (doneSuid)
 443                 leave_suid();
 444             return true;
 445         }
 446         if (tmp_sock >= 0) {
 447             close(tmp_sock);
 448             tmp_sock = -1;
 449         }
 450     }
 451
 452     if ( test.isIPv6() && !test.setIPv4() ) {
 453         debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
 454         if (doneSuid)
 455             leave_suid();
 456         return false;
 457     }
 458
 459     /* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
 460     if (test.isIPv4()) {
 461         debugs(3, 3, "...Probing for IPv4 TPROXY support.");
 462
 463         struct sockaddr_in tmp_ip4;
 464         Ip::Address tmp = "127.0.0.2";
 465         tmp.port(0);
 466         tmp.getSockAddr(tmp_ip4);
 467
 468         if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
 469                 setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
 470                 bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {
 471
 472             debugs(3, 3, "IPv4 TPROXY support detected. Using.");
 473             close(tmp_sock);
 474             if (doneSuid)
 475                 leave_suid();
 476             return true;
 477         }
 478         if (tmp_sock >= 0) {
 479             close(tmp_sock);
 480         }
 481     }
 482
 483 #else
 484     debugs(3, 3, "TPROXY setsockopt() not supported on this platform. Disabling TPROXY.");
 485
 486 #endif
 487     if (doneSuid)
 488         leave_suid();
 489     return false;
 490 }