[thirdparty/squid.git] / src / IPInterception.cc

/*
 * $Id: IPInterception.cc,v 1.20 2008/02/05 22:38:24 amosjeffries Exp $
 *
 * DEBUG: section 89    NAT / IP Interception 
 * AUTHOR: Robert Collins
 * AUTHOR: Amos Jeffries
 *
 * SQUID Web Proxy Cache          http://www.squid-cache.org/
 * ----------------------------------------------------------
 *
 *  Squid is the result of efforts by numerous individuals from
 *  the Internet community; see the CONTRIBUTORS file for full
 *  details.   Many organizations have provided support for Squid's
 *  development; see the SPONSORS file for full details.  Squid is
 *  Copyrighted (C) 2001 by the Regents of the University of
 *  California; see the COPYRIGHT file for full details.  Squid
 *  incorporates software developed and/or copyrighted by other
 *  sources; see the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *  
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *  
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */
#include "config.h"
#include "IPInterception.h"
#include "fde.h"

#if 0
#include "squid.h"
#include "clientStream.h"
#endif

#if IPF_TRANSPARENT

#if HAVE_SYS_IOCTL_H
#include <sys/ioctl.h>
#endif
#if HAVE_NETINET_TCP_H
#include <netinet/tcp.h>
#endif
#if HAVE_NET_IF_H
#include <net/if.h>
#endif
#ifdef HAVE_IPL_H
#include <ipl.h>
#elif HAVE_NETINET_IPL_H
#include <netinet/ipl.h>
#endif
#if HAVE_IP_FIL_COMPAT_H
#include <ip_fil_compat.h>
#elif HAVE_NETINET_IP_FIL_COMPAT_H
#include <netinet/ip_fil_compat.h>
#elif HAVE_IP_COMPAT_H
#include <ip_compat.h>
#elif HAVE_NETINET_IP_COMPAT_H
#include <netinet/ip_compat.h>
#endif
#if HAVE_IP_FIL_H
#include <ip_fil.h>
#elif HAVE_NETINET_IP_FIL_H
#include <netinet/ip_fil.h>
#endif
#if HAVE_IP_NAT_H
#include <ip_nat.h>
#elif HAVE_NETINET_IP_NAT_H
#include <netinet/ip_nat.h>
#endif

#endif /* IPF_TRANSPARENT required headers */

#if PF_TRANSPARENT
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <sys/fcntl.h>
#include <net/if.h>
#include <netinet/in.h>
#include <net/pfvar.h>
#endif /* PF_TRANSPARENT required headers */

#if LINUX_NETFILTER
#include <linux/types.h>
#include <linux/netfilter_ipv4.h>
#endif

#if LINUX_TPROXY2
#ifdef HAVE_LINUX_NETFILTER_IPV4_IP_TPROXY_H
#include <linux/netfilter_ipv4/ip_tproxy.h>
#else
#error " TPROXY v2 Header file missing: linux/netfilter_ipv4/ip_tproxy.h. Perhapse you meant to use TPROXY v4 ? "
#endif
#endif


// single global instance for access by other components.
IPIntercept IPInterceptor;

void
IPIntercept::StopTransparency(const char *str) {
    if(transparent_active) {
        debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
        transparent_active = 0;
    }
}

void
IPIntercept::StopInterception(const char *str) {
    if(intercept_active) {
        debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
        intercept_active = 0;
    }
}

int
IPIntercept::NetfilterInterception(int fd, const IPAddress &me, IPAddress &dst, int silent)
{
#if LINUX_NETFILTER
    struct addrinfo *lookup = NULL;

    dst.GetAddrInfo(lookup,AF_INET);

    /** \par
     * Try NAT lookup for REDIRECT or DNAT targets. */
    if( getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, lookup->ai_addr, &lookup->ai_addrlen) == 0) {
        if(!silent) {
            debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on FD " << fd << ": " << xstrerror());
            last_reported = squid_curtime;
        }
    }
    else {
        dst = *lookup;
    }

    dst.FreeAddrInfo(lookup);

    if(me != dst) {
        debugs(89, 5, HERE << "address: " << dst);
        return 0;
    }

    debugs(89, 9, HERE << "address: me= " << me << ", dst= " << dst);
#endif
    return -1;
}

int
IPIntercept::NetfilterTransparent(int fd, const IPAddress &me, IPAddress &client, int silent)
{
#if LINUX_NETFILTER

    /* Trust the user configured properly. If not no harm done.
     * We will simply attempt a bind outgoing on our own IP.
     */
    if(fd_table[fd].flags.transparent) {
        client.SetPort(0); // allow random outgoing port to prevent address clashes
        return 0;
    }
#endif
    return -1;
}

int
IPIntercept::IPFWInterception(int fd, const IPAddress &me, IPAddress &dst, int silent)
{
#if IPFW_TRANSPARENT
    struct addrinfo *lookup = NULL;

    dst.GetAddrInfo(lookup,AF_INET);

    /** \par
     * Try lookup for IPFW interception. */
    if( getsockname(fd, lookup->ai_addr, &lookup->ai_addrlen) != 0 ) {
        if( !silent ) {
            debugs(89, DBG_IMPORTANT, HERE << " IPFW getsockname(...) failed: " << xstrerror());
            last_reported = squid_curtime;
        }
    }
    else {
        dst = *lookup;
    }

    dst.FreeAddrInfo(lookup);

    if(me != dst) {
        debugs(89, 5, HERE << "address: " << dst);
        return 0;
    }

    debugs(89, 9, HERE << "address: me= " << me << ", dst= " << dst);
#endif
    return -1;
}

int
IPIntercept::NatLookup(int fd, const IPAddress &me, const IPAddress &peer, IPAddress &client, IPAddress &dst)
{
#if IPF_TRANSPARENT  /* --enable-ipf-transparent */
    client = me;
    if( !me.IsIPv4() ) return -1;
    if( !peer.IsIPv4() ) return -1;

#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)

    struct ipfobj obj;
#else

    static int siocgnatl_cmd = SIOCGNATL & 0xff;

#endif

    struct natlookup natLookup;
    static int natfd = -1;
    int x;

#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)

    obj.ipfo_rev = IPFILTER_VERSION;
    obj.ipfo_size = sizeof(natLookup);
    obj.ipfo_ptr = &natLookup;
    obj.ipfo_type = IPFOBJ_NATLOOKUP;
    obj.ipfo_offset = 0;
#endif

    natLookup.nl_inport = htons(me.GetPort());
    natLookup.nl_outport = htons(peer.GetPort());
    me.GetInAddr(natLookup.nl_inip);
    peer.GetInAddr(natLookup.nl_outip);
    natLookup.nl_flags = IPN_TCP;

    if (natfd < 0)
    {
        int save_errno;
        enter_suid();
#ifdef IPNAT_NAME

        natfd = open(IPNAT_NAME, O_RDONLY, 0);
#else

        natfd = open(IPL_NAT, O_RDONLY, 0);
#endif

        save_errno = errno;
        leave_suid();
        errno = save_errno;
    }

    if (natfd < 0)
    {
        if (squid_curtime - last_reported > 60) {
            debugs(89, 1, "clientNatLookup: NAT open failed: " << xstrerror());
            last_reported = squid_curtime;
            return -1;
        }
    }

#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
    x = ioctl(natfd, SIOCGNATL, &obj);

#else
    /*
    * IP-Filter changed the type for SIOCGNATL between
    * 3.3 and 3.4.  It also changed the cmd value for
    * SIOCGNATL, so at least we can detect it.  We could
    * put something in configure and use ifdefs here, but
    * this seems simpler.
    */
    if (63 == siocgnatl_cmd)
    {

        struct natlookup *nlp = &natLookup;
        x = ioctl(natfd, SIOCGNATL, &nlp);
    } else
    {
        x = ioctl(natfd, SIOCGNATL, &natLookup);
    }

#endif
    if (x < 0)
    {
        if (errno != ESRCH) {
            if (squid_curtime - last_reported > 60) {
                debugs(89, 1, "clientNatLookup: NAT lookup failed: ioctl(SIOCGNATL)");
                last_reported = squid_curtime;
            }

            close(natfd);
            natfd = -1;
        }

        return -1;
    } else
    {
        if (me != natLookup.nl_realip) {
            client = natLookup.nl_realip;

            client.SetPort(ntohs(natLookup.nl_realport));
        }
        // else. we already copied it.

        return 0;
    }


#elif LINUX_NETFILTER || IPFW_TRANSPARENT /* --enable-linux-netfilter OR --enable-ipfw-transparent */

    /* Netfilter and IPFW share almost identical lookup methods for their NAT tables.
     * This allows us to perform a nice clean failover sequence for them.
     */

    client = me;
    dst = peer;

    if( !me.IsIPv4()   ) return -1;
    if( !peer.IsIPv4() ) return -1;

#if 0
    // Crop interception errors down to one per minute.
    int silent = (squid_curtime - last_reported > 60 ? 0 : 1);
#else
    // Show all interception errors.
    int silent = 0;
#endif

    if(intercept_active) {
        if( NetfilterInterception(fd, me, client, silent) == 0) return 0;
        if( IPFWInterception(fd, me, client, silent) == 0) return 0;
    }
    if(transparent_active) {
        if( NetfilterTransparent(fd, me, dst, silent) == 0) return 0;
    }

    return -1;

#elif PF_TRANSPARENT  /* --enable-pf-transparent */

    struct pfioc_natlook nl;
    static int pffd = -1;

    if( !me.IsIPv4() ) return -1;
    if( !peer.IsIPv4() ) return -1;

    if (pffd < 0)
        pffd = open("/dev/pf", O_RDONLY);

    if (pffd < 0)
    {
        if (squid_curtime - last_reported > 60) {
            debugs(89, 1, "clientNatLookup: PF open failed: " << xstrerror());
            last_reported = squid_curtime;
        }

        return -1;

    }

    client.SetEmpty();

    memset(&nl, 0, sizeof(struct pfioc_natlook));
    peer.GetInAddr(nl.saddr.v4);
    nl.sport = htons(peer.GetPort());

    me.GetInAddr(nl.daddr.v4);
    nl.dport = htons(me.GetPort());

    nl.af = AF_INET;
    nl.proto = IPPROTO_TCP;
    nl.direction = PF_OUT;

    if (ioctl(pffd, DIOCNATLOOK, &nl))
    {
        if (errno != ENOENT) {
            if (squid_curtime - last_reported > 60) {
                debugs(89, 1, "clientNatLookup: PF lookup failed: ioctl(DIOCNATLOOK)");
                last_reported = squid_curtime;
            }

            close(pffd);
            pffd = -1;
        }

        return -1;
    } else
    {
        int natted = (me != nl.rdaddr.v4);
        client = nl.rdaddr.v4;
        client.SetPort(ntohs(nl.rdport));

        if (natted)
            return 0;
        else
            return -1;
    }


#else /* none of the transparent options configured */

    debugs(89, 1, "WARNING: transparent proxying not supported");
    return -1;

#endif

}

#if LINUX_TPROXY2
IPIntercept::SetTproxy2OutgoingAddr(int fd, const IPAddress &src)
{
    IPAddress addr;
    struct in_tproxy itp;

    src.GetInAddr(itp.v.addr.faddr);
    itp.v.addr.fport = 0;

    /* If these syscalls fail then we just fallback to connecting
     * normally by simply ignoring the errors...
     */
    itp.op = TPROXY_ASSIGN;

    addr = (struct in_addr)itp.v.addr.faddr;
    addr.SetPort(itp.v.addr.fport);

    if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        debugs(20, 1, "tproxy ip=" << addr << " ERROR ASSIGN");
        return -1;
    } else {
        itp.op = TPROXY_FLAGS;
        itp.v.flags = ITP_CONNECT;

        if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
            debugs(20, 1, "tproxy ip=" << addr << " ERROR CONNECT");
            return -1;
        }
    }

    return 0;
}
#endif
Commit	Line	Data
c8be6d7b	1	/*
6d96c80d	2	* $Id: IPInterception.cc,v 1.20 2008/02/05 22:38:24 amosjeffries Exp $
c8be6d7b	3	*
	4	* DEBUG: section 89 NAT / IP Interception
	5	* AUTHOR: Robert Collins
04f87469	6	* AUTHOR: Amos Jeffries
c8be6d7b	7	*
	8	* SQUID Web Proxy Cache http://www.squid-cache.org/
	9	* ----------------------------------------------------------
	10	*
	11	* Squid is the result of efforts by numerous individuals from
	12	* the Internet community; see the CONTRIBUTORS file for full
	13	* details. Many organizations have provided support for Squid's
	14	* development; see the SPONSORS file for full details. Squid is
	15	* Copyrighted (C) 2001 by the Regents of the University of
	16	* California; see the COPYRIGHT file for full details. Squid
	17	* incorporates software developed and/or copyrighted by other
	18	* sources; see the CREDITS file for full details.
	19	*
	20	* This program is free software; you can redistribute it and/or modify
	21	* it under the terms of the GNU General Public License as published by
	22	* the Free Software Foundation; either version 2 of the License, or
	23	* (at your option) any later version.
	24	*
	25	* This program is distributed in the hope that it will be useful,
	26	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	27	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	28	* GNU General Public License for more details.
	29	*
	30	* You should have received a copy of the GNU General Public License
	31	* along with this program; if not, write to the Free Software
	32	* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
	33	*
	34	*/
a74968c2	35	#include "config.h"
fc27cd70	36	#include "IPInterception.h"
b3166404	37	#include "fde.h"
fc27cd70	38
b3166404	39	#if 0
c8be6d7b	40	#include "squid.h"
c8be6d7b	41	#include "clientStream.h"
b3166404	42	#endif
34ec5c62	43
c8be6d7b	44	#if IPF_TRANSPARENT
34ec5c62	45
c8be6d7b	46	#if HAVE_SYS_IOCTL_H
	47	#include <sys/ioctl.h>
	48	#endif
e9e7c285	49	#if HAVE_NETINET_TCP_H
c8be6d7b	50	#include <netinet/tcp.h>
e9e7c285	51	#endif
e9e7c285	52	#if HAVE_NET_IF_H
c8be6d7b	53	#include <net/if.h>
e9e7c285	54	#endif
dbc5782a	55	#ifdef HAVE_IPL_H
	56	#include <ipl.h>
	57	#elif HAVE_NETINET_IPL_H
	58	#include <netinet/ipl.h>
	59	#endif
c8be6d7b	60	#if HAVE_IP_FIL_COMPAT_H
	61	#include <ip_fil_compat.h>
	62	#elif HAVE_NETINET_IP_FIL_COMPAT_H
	63	#include <netinet/ip_fil_compat.h>
	64	#elif HAVE_IP_COMPAT_H
	65	#include <ip_compat.h>
	66	#elif HAVE_NETINET_IP_COMPAT_H
	67	#include <netinet/ip_compat.h>
	68	#endif
	69	#if HAVE_IP_FIL_H
	70	#include <ip_fil.h>
	71	#elif HAVE_NETINET_IP_FIL_H
	72	#include <netinet/ip_fil.h>
	73	#endif
	74	#if HAVE_IP_NAT_H
	75	#include <ip_nat.h>
	76	#elif HAVE_NETINET_IP_NAT_H
	77	#include <netinet/ip_nat.h>
	78	#endif
34ec5c62 AJ	79
34ec5c62 AJ	80	#endif /* IPF_TRANSPARENT required headers */
c8be6d7b	81
	82	#if PF_TRANSPARENT
	83	#include <sys/types.h>
	84	#include <sys/socket.h>
	85	#include <sys/ioctl.h>
	86	#include <sys/fcntl.h>
	87	#include <net/if.h>
	88	#include <netinet/in.h>
	89	#include <net/pfvar.h>
34ec5c62	90	#endif /* PF_TRANSPARENT required headers */
c8be6d7b	91
c8be6d7b	92	#if LINUX_NETFILTER
ca6f2174	93	#include <linux/types.h>
c8be6d7b	94	#include <linux/netfilter_ipv4.h>
	95	#endif
	96
34ec5c62 AJ	97	#if LINUX_TPROXY2
	98	#ifdef HAVE_LINUX_NETFILTER_IPV4_IP_TPROXY_H
	99	#include <linux/netfilter_ipv4/ip_tproxy.h>
	100	#else
	101	#error " TPROXY v2 Header file missing: linux/netfilter_ipv4/ip_tproxy.h. Perhapse you meant to use TPROXY v4 ? "
	102	#endif
	103	#endif
	104
0fc2952e AJ	105
	106	// single global instance for access by other components.
	107	IPIntercept IPInterceptor;
	108
04f87469 AJ	109	void
04f87469 AJ	110	IPIntercept::StopTransparency(const char *str) {
788625af AJ	111	if(transparent_active) {
	112	debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
	113	transparent_active = 0;
	114	}
04f87469 AJ	115	}
	116
	117	void
	118	IPIntercept::StopInterception(const char *str) {
788625af AJ	119	if(intercept_active) {
	120	debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
	121	intercept_active = 0;
	122	}
04f87469	123	}
0fc2952e	124
7b0a0d1f AJ	125	int
	126	IPIntercept::NetfilterInterception(int fd, const IPAddress &me, IPAddress &dst, int silent)
	127	{
	128	#if LINUX_NETFILTER
7b0a0d1f AJ	129	struct addrinfo *lookup = NULL;
	130
	131	dst.GetAddrInfo(lookup,AF_INET);
	132
	133	/** \par
	134	* Try NAT lookup for REDIRECT or DNAT targets. */
	135	if( getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, lookup->ai_addr, &lookup->ai_addrlen) == 0) {
	136	if(!silent) {
d6ae5979	137	debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(SO_ORIGINAL_DST) failed on FD " << fd << ": " << xstrerror());
7b0a0d1f AJ	138	last_reported = squid_curtime;
	139	}
	140	}
	141	else {
	142	dst = *lookup;
	143	}
	144
	145	dst.FreeAddrInfo(lookup);
	146
	147	if(me != dst) {
	148	debugs(89, 5, HERE << "address: " << dst);
	149	return 0;
	150	}
	151
83707d8a	152	debugs(89, 9, HERE << "address: me= " << me << ", dst= " << dst);
7b0a0d1f AJ	153	#endif
	154	return -1;
	155	}
	156
	157	int
482a5c64	158	IPIntercept::NetfilterTransparent(int fd, const IPAddress &me, IPAddress &client, int silent)
7b0a0d1f AJ	159	{
7b0a0d1f AJ	160	#if LINUX_NETFILTER
7b0a0d1f	161
acaa7194 AJ	162	/* Trust the user configured properly. If not no harm done.
acaa7194 AJ	163	* We will simply attempt a bind outgoing on our own IP.
acaa7194	164	*/
68d57d84	165	if(fd_table[fd].flags.transparent) {
482a5c64	166	client.SetPort(0); // allow random outgoing port to prevent address clashes
68d57d84 AJ	167	return 0;
68d57d84 AJ	168	}
acaa7194	169	#endif
68d57d84	170	return -1;
7b0a0d1f AJ	171	}
7b0a0d1f AJ	172
d8b5bcbc AJ	173	int
	174	IPIntercept::IPFWInterception(int fd, const IPAddress &me, IPAddress &dst, int silent)
	175	{
	176	#if IPFW_TRANSPARENT
	177	struct addrinfo *lookup = NULL;
	178
	179	dst.GetAddrInfo(lookup,AF_INET);
	180
	181	/** \par
	182	* Try lookup for IPFW interception. */
	183	if( getsockname(fd, lookup->ai_addr, &lookup->ai_addrlen) != 0 ) {
	184	if( !silent ) {
	185	debugs(89, DBG_IMPORTANT, HERE << " IPFW getsockname(...) failed: " << xstrerror());
	186	last_reported = squid_curtime;
	187	}
	188	}
	189	else {
	190	dst = *lookup;
	191	}
	192
	193	dst.FreeAddrInfo(lookup);
	194
	195	if(me != dst) {
	196	debugs(89, 5, HERE << "address: " << dst);
	197	return 0;
	198	}
	199
	200	debugs(89, 9, HERE << "address: me= " << me << ", dst= " << dst);
	201	#endif
	202	return -1;
	203	}
0fc2952e	204
3f38a55e	205	int
482a5c64	206	IPIntercept::NatLookup(int fd, const IPAddress &me, const IPAddress &peer, IPAddress &client, IPAddress &dst)
3f38a55e	207	{
f1e0717c	208	#if IPF_TRANSPARENT /* --enable-ipf-transparent */
482a5c64	209	client = me;
cc192b50	210	if( !me.IsIPv4() ) return -1;
cc192b50	211	if( !peer.IsIPv4() ) return -1;
62e76326	212
dbc5782a	213	#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
	214
	215	struct ipfobj obj;
08a746ab	216	#else
	217
	218	static int siocgnatl_cmd = SIOCGNATL & 0xff;
	219
dbc5782a	220	#endif
dbc5782a	221
c8be6d7b	222	struct natlookup natLookup;
c8be6d7b	223	static int natfd = -1;
c8be6d7b	224	int x;
3f38a55e	225
dbc5782a	226	#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
	227
	228	obj.ipfo_rev = IPFILTER_VERSION;
	229	obj.ipfo_size = sizeof(natLookup);
	230	obj.ipfo_ptr = &natLookup;
	231	obj.ipfo_type = IPFOBJ_NATLOOKUP;
	232	obj.ipfo_offset = 0;
	233	#endif
	234
cc192b50	235	natLookup.nl_inport = htons(me.GetPort());
	236	natLookup.nl_outport = htons(peer.GetPort());
	237	me.GetInAddr(natLookup.nl_inip);
	238	peer.GetInAddr(natLookup.nl_outip);
c8be6d7b	239	natLookup.nl_flags = IPN_TCP;
62e76326	240
	241	if (natfd < 0)
	242	{
	243	int save_errno;
	244	enter_suid();
dbc5782a	245	#ifdef IPNAT_NAME
98a3bc99	246
dbc5782a	247	natfd = open(IPNAT_NAME, O_RDONLY, 0);
98a3bc99	248	#else
98a3bc99	249
62e76326	250	natfd = open(IPL_NAT, O_RDONLY, 0);
98a3bc99	251	#endif
98a3bc99	252
62e76326	253	save_errno = errno;
	254	leave_suid();
	255	errno = save_errno;
c8be6d7b	256	}
62e76326	257
	258	if (natfd < 0)
	259	{
d6026916	260	if (squid_curtime - last_reported > 60) {
bf8fe701	261	debugs(89, 1, "clientNatLookup: NAT open failed: " << xstrerror());
d6026916	262	last_reported = squid_curtime;
	263	return -1;
	264	}
c8be6d7b	265	}
62e76326	266
dbc5782a	267	#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
	268	x = ioctl(natfd, SIOCGNATL, &obj);
	269
	270	#else
3f38a55e	271	/*
dbc5782a	272	* IP-Filter changed the type for SIOCGNATL between
	273	* 3.3 and 3.4. It also changed the cmd value for
	274	* SIOCGNATL, so at least we can detect it. We could
	275	* put something in configure and use ifdefs here, but
	276	* this seems simpler.
	277	*/
62e76326	278	if (63 == siocgnatl_cmd)
	279	{
	280
	281	struct natlookup *nlp = &natLookup;
	282	x = ioctl(natfd, SIOCGNATL, &nlp);
	283	} else
	284	{
	285	x = ioctl(natfd, SIOCGNATL, &natLookup);
	286	}
	287
dbc5782a	288	#endif
62e76326	289	if (x < 0)
	290	{
	291	if (errno != ESRCH) {
d6026916	292	if (squid_curtime - last_reported > 60) {
bf8fe701	293	debugs(89, 1, "clientNatLookup: NAT lookup failed: ioctl(SIOCGNATL)");
d6026916	294	last_reported = squid_curtime;
	295	}
	296
62e76326	297	close(natfd);
	298	natfd = -1;
	299	}
	300
	301	return -1;
	302	} else
	303	{
cc192b50	304	if (me != natLookup.nl_realip) {
482a5c64	305	client = natLookup.nl_realip;
62e76326	306
482a5c64	307	client.SetPort(ntohs(natLookup.nl_realport));
cc192b50	308	}
cc192b50	309	// else. we already copied it.
62e76326	310
62e76326	311	return 0;
c8be6d7b	312	}
62e76326	313
f1e0717c AJ	314
f1e0717c AJ	315
7b0a0d1f	316	#elif LINUX_NETFILTER \|\| IPFW_TRANSPARENT /* --enable-linux-netfilter OR --enable-ipfw-transparent */
f1e0717c	317
7b0a0d1f AJ	318	/* Netfilter and IPFW share almost identical lookup methods for their NAT tables.
	319	* This allows us to perform a nice clean failover sequence for them.
	320	*/
62e76326	321
482a5c64 AJ	322	client = me;
482a5c64 AJ	323	dst = peer;
cc192b50	324
7b0a0d1f AJ	325	if( !me.IsIPv4() ) return -1;
7b0a0d1f AJ	326	if( !peer.IsIPv4() ) return -1;
d6026916	327
ba8d006b AJ	328	#if 0
	329	// Crop interception errors down to one per minute.
	330	int silent = (squid_curtime - last_reported > 60 ? 0 : 1);
	331	#else
	332	// Show all interception errors.
	333	int silent = 0;
	334	#endif
	335
7b0a0d1f	336	if(intercept_active) {
482a5c64 AJ	337	if( NetfilterInterception(fd, me, client, silent) == 0) return 0;
482a5c64 AJ	338	if( IPFWInterception(fd, me, client, silent) == 0) return 0;
7b0a0d1f AJ	339	}
7b0a0d1f AJ	340	if(transparent_active) {
ca45fe65	341	if( NetfilterTransparent(fd, me, dst, silent) == 0) return 0;
d6026916	342	}
62e76326	343
7b0a0d1f	344	return -1;
62e76326	345
f1e0717c	346	#elif PF_TRANSPARENT /* --enable-pf-transparent */
62e76326	347
3f38a55e	348	struct pfioc_natlook nl;
3f38a55e	349	static int pffd = -1;
62e76326	350
cc192b50	351	if( !me.IsIPv4() ) return -1;
	352	if( !peer.IsIPv4() ) return -1;
	353
62e76326	354	if (pffd < 0)
d14c6ef2	355	pffd = open("/dev/pf", O_RDONLY);
62e76326	356
c8be6d7b	357	if (pffd < 0)
62e76326	358	{
d6026916	359	if (squid_curtime - last_reported > 60) {
bf8fe701	360	debugs(89, 1, "clientNatLookup: PF open failed: " << xstrerror());
d6026916	361	last_reported = squid_curtime;
	362	}
	363
62e76326	364	return -1;
d6026916	365
c8be6d7b	366	}
62e76326	367
482a5c64	368	client.SetEmpty();
62e76326	369
c8be6d7b	370	memset(&nl, 0, sizeof(struct pfioc_natlook));
cc192b50	371	peer.GetInAddr(nl.saddr.v4);
	372	nl.sport = htons(peer.GetPort());
	373
	374	me.GetInAddr(nl.daddr.v4);
	375	nl.dport = htons(me.GetPort());
	376
c8be6d7b	377	nl.af = AF_INET;
	378	nl.proto = IPPROTO_TCP;
	379	nl.direction = PF_OUT;
62e76326	380
	381	if (ioctl(pffd, DIOCNATLOOK, &nl))
	382	{
	383	if (errno != ENOENT) {
d6026916	384	if (squid_curtime - last_reported > 60) {
bf8fe701	385	debugs(89, 1, "clientNatLookup: PF lookup failed: ioctl(DIOCNATLOOK)");
d6026916	386	last_reported = squid_curtime;
	387	}
	388
62e76326	389	close(pffd);
	390	pffd = -1;
	391	}
	392
	393	return -1;
	394	} else
	395	{
cc192b50	396	int natted = (me != nl.rdaddr.v4);
482a5c64 AJ	397	client = nl.rdaddr.v4;
482a5c64 AJ	398	client.SetPort(ntohs(nl.rdport));
62e76326	399
	400	if (natted)
	401	return 0;
	402	else
	403	return -1;
3f38a55e	404	}
62e76326	405
f1e0717c	406
f1e0717c AJ	407	#else /* none of the transparent options configured */
f1e0717c AJ	408
cc192b50	409	debugs(89, 1, "WARNING: transparent proxying not supported");
cc192b50	410	return -1;
f1e0717c	411
3f38a55e	412	#endif
3f38a55e	413
f1e0717c	414	}
34ec5c62 AJ	415
	416	#if LINUX_TPROXY2
	417	IPIntercept::SetTproxy2OutgoingAddr(int fd, const IPAddress &src)
	418	{
	419	IPAddress addr;
	420	struct in_tproxy itp;
	421
	422	src.GetInAddr(itp.v.addr.faddr);
	423	itp.v.addr.fport = 0;
	424
	425	/* If these syscalls fail then we just fallback to connecting
	426	* normally by simply ignoring the errors...
	427	*/
	428	itp.op = TPROXY_ASSIGN;
	429
	430	addr = (struct in_addr)itp.v.addr.faddr;
	431	addr.SetPort(itp.v.addr.fport);
	432
	433	if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
	434	debugs(20, 1, "tproxy ip=" << addr << " ERROR ASSIGN");
	435	return -1;
	436	} else {
	437	itp.op = TPROXY_FLAGS;
	438	itp.v.flags = ITP_CONNECT;
	439
	440	if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
	441	debugs(20, 1, "tproxy ip=" << addr << " ERROR CONNECT");
	442	return -1;
	443	}
	444	}
	445
	446	return 0;
	447	}
	448	#endif