1 | /* | |
2 | * Copyright (C) 1996-2021 The Squid Software Foundation and contributors | |
3 | * | |
4 | * Squid software is distributed under GPLv2+ license and includes | |
5 | * contributions from numerous individuals and organizations. | |
6 | * Please see the COPYING and CONTRIBUTORS files for details. | |
7 | */ | |
8 | ||
9 | /* DEBUG: section 89 NAT / IP Interception */ | |
10 | ||
11 | #ifndef SQUID_IP_IPINTERCEPT_H | |
12 | #define SQUID_IP_IPINTERCEPT_H | |
13 | ||
14 | /* for time_t */ | |
15 | #include "SquidTime.h" | |
16 | ||
17 | namespace Ip | |
18 | { | |
19 | ||
20 | class Address; | |
21 | ||
22 | /** | |
23 | \defgroup IpInterceptAPI IP Interception and Transparent Proxy API | |
24 | \ingroup SquidComponent | |
25 | \par | |
26 | * There is no formal state-machine for transparency and interception; | |
27 | * instead there is this neutral API, which the other connection state machines | |
28 | * and the comm layer use to co-ordinate their own transparency state. | |
29 | */ | |
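class Intercept
{
public:
    Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}
    ~Intercept() {}

    /**
     * Perform NAT lookups for an accepted connection, dispatching to the
     * platform-specific helpers declared below (TPROXY, Netfilter, IPFW, IPF, PF).
     *
     * \param newConn    Details known so far about the accepted connection;
     *                   updated with the located address where relevant.
     * \param listenConn The listening connection which accepted newConn.
     * \return Whether the lookup successfully located the address.
     */
    bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn);

    /**
     * Test system networking calls for TPROXY support.
     * Detects whether the IPv6 / IPv4 level of support matches the address
     * being listened on, and whether the compiled v6/v4 code is usable as far
     * down as a bind().
     *
     * \param test Address set on the squid.conf *_port being checked.
     * \retval true  TPROXY is available.
     * \retval false TPROXY is not available.
     */
    bool ProbeForTproxy(Address &test);

    /**
     * \retval 0 Full transparency is disabled.
     * \retval 1 Full transparency is enabled and active.
     */
    int TransparentActive() const { return transparentActive_; }

    /**
     * Turn on fully Transparent-Proxy activities.
     * This function should be called during parsing of squid.conf,
     * when any option requiring full transparency is encountered.
     */
    void StartTransparency() { transparentActive_ = 1; }

    /**
     * Turn off fully Transparent-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     *
     * \param str Reason for stopping. Will be logged to cache.log.
     */
    void StopTransparency(const char *str);

    /**
     * \retval 0 IP Interception is disabled.
     * \retval 1 IP Interception is enabled and active.
     */
    int InterceptActive() const { return interceptActive_; }

    /**
     * Turn on IP-Interception-Proxy activities.
     * This function should be called during parsing of squid.conf,
     * when any option requiring interception / NAT handling is encountered.
     */
    void StartInterception() { interceptActive_ = 1; }

    /**
     * Turn off IP-Interception-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     *
     * Declared without \c inline, matching StopTransparency(): the definition
     * is expected out of line in the implementation file, and an \c inline
     * declaration whose only definition lives in one translation unit would
     * violate the ODR for any other caller.
     *
     * \param str Reason for stopping. Will be logged to cache.log.
     */
    void StopInterception(const char *str);

private:

    /**
     * Perform lookups on fully-transparent interception targets (TPROXY).
     * Supports Netfilter, PF and IPFW.
     *
     * \param newConn Details known, to be updated where relevant.
     * \param silent  0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on Netfilter interception targets (REDIRECT, DNAT).
     *
     * \param newConn Details known, to be updated where relevant.
     * \param silent  0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPFW interception.
     *
     * \param newConn Details known, to be updated where relevant.
     * \param silent  0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPF interception.
     *
     * \param newConn Details known, to be updated where relevant.
     * \param silent  0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on PF interception target (REDIRECT).
     *
     * \param newConn Details known, to be updated where relevant.
     * \param silent  0 if errors are to be displayed. 1 if errors are to be hidden.
     * \return Whether the new address was successfully located.
     */
    bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);

    int transparentActive_;  ///< Non-zero once StartTransparency() has been called.
    int interceptActive_;    ///< Non-zero once StartInterception() has been called.
    time_t lastReported_;    /**< Time of last error report. Throttles NAT error display to 1 per minute */
};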
144 | ||
#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
/// \ingroup IpInterceptAPI
/// Fallback value of the Linux IP_TRANSPARENT socket option for Netfilter
/// builds whose system headers do not define it.
#define IP_TRANSPARENT 19
#endif

/**
 \ingroup IpInterceptAPI
 * Globally available instance of the IP Interception manager.
 * Defined in the implementation file; declared here for all users of the API.
 */
extern Intercept Interceptor;
155 | ||
156 | } // namespace Ip | |
157 | ||
158 | #endif /* SQUID_IP_IPINTERCEPT_H */ | |