]> git.ipfire.org Git - thirdparty/squid.git/blob - src/ip/Intercept.cc
projects / thirdparty / squid.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
SourceFormat Enforcement
[thirdparty/squid.git] / src / ip / Intercept.cc
1 /*
2 * Copyright (C) 1996-2015 The Squid Software Foundation and contributors
3 *
4 * Squid software is distributed under GPLv2+ license and includes
5 * contributions from numerous individuals and organizations.
6 * Please see the COPYING and CONTRIBUTORS files for details.
7 */
8
9 /* DEBUG: section 89 NAT / IP Interception */
10
11 // Enable hack to workaround Solaris 10 IPFilter breakage
12 #define BUILDING_SQUID_IP_INTERCEPT_CC 1
13
14 #include "squid.h"
15 #include "comm/Connection.h"
16 #include "fde.h"
17 #include "ip/Intercept.h"
18 #include "src/tools.h"
19
20 #include <cerrno>
21
22 #if IPF_TRANSPARENT
23
24 #if !defined(IPFILTER_VERSION)
25 #define IPFILTER_VERSION 5000004
26 #endif
27
28 #if HAVE_SYS_IOCCOM_H
29 #include <sys/ioccom.h>
30 #endif
31 #if HAVE_SYS_IOCTL_H
32 #include <sys/ioctl.h>
33 #endif
34 #if HAVE_NETINET_IP6_H
35 #include <netinet/ip6.h>
36 #endif
37 #if HAVE_NETINET_TCP_H
38 #include <netinet/tcp.h>
39 #endif
40 #if HAVE_NET_IF_H
41 #include <net/if.h>
42 #endif
43 #if HAVE_IPL_H
44 #include <ipl.h>
45 #elif HAVE_NETINET_IPL_H
46 #include <netinet/ipl.h>
47 #endif
48 #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
49 #undef minor_t
50 #endif
51 #if HAVE_IP_FIL_COMPAT_H
52 #include <ip_fil_compat.h>
53 #elif HAVE_NETINET_IP_FIL_COMPAT_H
54 #include <netinet/ip_fil_compat.h>
55 #elif HAVE_IP_COMPAT_H
56 #include <ip_compat.h>
57 #elif HAVE_NETINET_IP_COMPAT_H
58 #include <netinet/ip_compat.h>
59 #endif
60 #if HAVE_IP_FIL_H
61 #include <ip_fil.h>
62 #elif HAVE_NETINET_IP_FIL_H
63 #include <netinet/ip_fil.h>
64 #endif
65 #if HAVE_IP_NAT_H
66 #include <ip_nat.h>
67 #elif HAVE_NETINET_IP_NAT_H
68 #include <netinet/ip_nat.h>
69 #endif
70
71 #endif /* IPF_TRANSPARENT required headers */
72
73 #if PF_TRANSPARENT
74 #include <sys/socket.h>
75 #include <sys/ioctl.h>
76 #include <sys/fcntl.h>
77 #include <net/if.h>
78 #include <netinet/in.h>
79 #if HAVE_NET_PF_PFVAR_H
80 #include <net/pf/pfvar.h>
81 #endif /* HAVE_NET_PF_PFVAR_H */
82 #if HAVE_NET_PFVAR_H
83 #include <net/pfvar.h>
84 #endif /* HAVE_NET_PFVAR_H */
85 #endif /* PF_TRANSPARENT required headers */
86
87 #if LINUX_NETFILTER
88 /* <climits> must be before including netfilter_ipv4.h */
89 #include <climits>
90 #include <linux/if.h>
91 #include <linux/netfilter_ipv4.h>
92 #if HAVE_LINUX_NETFILTER_IPV6_IP6_TABLES_H
93 /* 2013-07-01: Pablo the Netfilter maintainer is rejecting patches
94 * which will enable C++ compilers to build the Netfilter public headers.
95 * We can auto-detect its presence and attempt to use in case he ever
96 * changes his mind or things get cleaned up some other way.
97 * But until then are usually forced to hard-code the getsockopt() code
98 * for IPv6 NAT lookups.
99 */
100 #include <linux/netfilter_ipv6/ip6_tables.h>
101 #endif
102 #if !defined(IP6T_SO_ORIGINAL_DST)
103 #define IP6T_SO_ORIGINAL_DST 80 // stolen with prejudice from the above file.
104 #endif
105 #endif /* LINUX_NETFILTER required headers */
106
107 // single global instance for access by other components.
108 Ip::Intercept Ip::Interceptor;
109
110 void
111 Ip::Intercept::StopTransparency(const char *str)
112 {
113 if (transparentActive_) {
114 debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
115 transparentActive_ = 0;
116 }
117 }
118
119 void
120 Ip::Intercept::StopInterception(const char *str)
121 {
122 if (interceptActive_) {
123 debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
124 interceptActive_ = 0;
125 }
126 }
127
128 bool
129 Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
130 {
131 #if LINUX_NETFILTER
132 struct sockaddr_storage lookup;
133 socklen_t len = newConn->local.isIPv6() ? sizeof(sockaddr_in6) : sizeof(sockaddr_in);
134 newConn->local.getSockAddr(lookup, AF_UNSPEC);
135
136 /** \par
137 * Try NAT lookup for REDIRECT or DNAT targets. */
138 if ( getsockopt(newConn->fd,
139 newConn->local.isIPv6() ? IPPROTO_IPV6 : IPPROTO_IP,
140 newConn->local.isIPv6() ? IP6T_SO_ORIGINAL_DST : SO_ORIGINAL_DST,
141 &lookup,
142 &len) != 0) {
143 if (!silent) {
144 debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerror());
145 lastReported_ = squid_curtime;
146 }
147 debugs(89, 9, "address: " << newConn);
148 return false;
149 } else {
150 newConn->local = lookup;
151 debugs(89, 5, "address NAT: " << newConn);
152 return true;
153 }
154 #endif
155 return false;
156 }
157
158 bool
159 Ip::Intercept::TproxyTransparent(const Comm::ConnectionPointer &newConn, int)
160 {
161 #if (LINUX_NETFILTER && defined(IP_TRANSPARENT)) || \
162 (PF_TRANSPARENT && defined(SO_BINDANY)) || \
163 (IPFW_TRANSPARENT && defined(IP_BINDANY))
164
165 /* Trust the user configured properly. If not no harm done.
166 * We will simply attempt a bind outgoing on our own IP.
167 */
168 newConn->remote.port(0); // allow random outgoing port to prevent address clashes
169 debugs(89, 5, HERE << "address TPROXY: " << newConn);
170 return true;
171 #else
172 return false;
173 #endif
174 }
175
176 bool
177 Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn, int)
178 {
179 #if IPFW_TRANSPARENT
180 /* The getsockname() call performed already provided the TCP packet details.
181 * There is no way to identify whether they came from NAT or not.
182 * Trust the user configured properly.
183 */
184 debugs(89, 5, HERE << "address NAT: " << newConn);
185 return true;
186 #else
187 return false;
188 #endif
189 }
190
191 bool
192 Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn, int silent)
193 {
194 #if IPF_TRANSPARENT /* --enable-ipf-transparent */
195
196 struct natlookup natLookup;
197 static int natfd = -1;
198 int x;
199
200 // all fields must be set to 0
201 memset(&natLookup, 0, sizeof(natLookup));
202 // for NAT lookup set local and remote IP:port's
203 natLookup.nl_inport = htons(newConn->local.port());
204 newConn->local.getInAddr(natLookup.nl_inip);
205 natLookup.nl_outport = htons(newConn->remote.port());
206 newConn->remote.getInAddr(natLookup.nl_outip);
207 // ... and the TCP flag
208 natLookup.nl_flags = IPN_TCP;
209
210 if (natfd < 0) {
211 int save_errno;
212 enter_suid();
213 #ifdef IPNAT_NAME
214 natfd = open(IPNAT_NAME, O_RDONLY, 0);
215 #else
216 natfd = open(IPL_NAT, O_RDONLY, 0);
217 #endif
218 save_errno = errno;
219 leave_suid();
220 errno = save_errno;
221 }
222
223 if (natfd < 0) {
224 if (!silent) {
225 debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT open failed: " << xstrerror());
226 lastReported_ = squid_curtime;
227 return false;
228 }
229 }
230
231 #if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
232 struct ipfobj obj;
233 memset(&obj, 0, sizeof(obj));
234 obj.ipfo_rev = IPFILTER_VERSION;
235 obj.ipfo_size = sizeof(natLookup);
236 obj.ipfo_ptr = &natLookup;
237 obj.ipfo_type = IPFOBJ_NATLOOKUP;
238
239 x = ioctl(natfd, SIOCGNATL, &obj);
240 #else
241 /*
242 * IP-Filter changed the type for SIOCGNATL between
243 * 3.3 and 3.4. It also changed the cmd value for
244 * SIOCGNATL, so at least we can detect it. We could
245 * put something in configure and use ifdefs here, but
246 * this seems simpler.
247 */
248 static int siocgnatl_cmd = SIOCGNATL & 0xff;
249 if (63 == siocgnatl_cmd) {
250 struct natlookup *nlp = &natLookup;
251 x = ioctl(natfd, SIOCGNATL, &nlp);
252 } else {
253 x = ioctl(natfd, SIOCGNATL, &natLookup);
254 }
255
256 #endif
257 if (x < 0) {
258 if (errno != ESRCH) {
259 if (!silent) {
260 debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerror());
261 lastReported_ = squid_curtime;
262 }
263
264 close(natfd);
265 natfd = -1;
266 }
267
268 debugs(89, 9, HERE << "address: " << newConn);
269 return false;
270 } else {
271 newConn->local = natLookup.nl_realip;
272 newConn->local.port(ntohs(natLookup.nl_realport));
273 debugs(89, 5, HERE << "address NAT: " << newConn);
274 return true;
275 }
276
277 #endif /* --enable-ipf-transparent */
278 return false;
279 }
280
281 bool
282 Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent)
283 {
284 #if PF_TRANSPARENT /* --enable-pf-transparent */
285
286 #if !USE_NAT_DEVPF
287 /* On recent PF versions the getsockname() call performed already provided
288 * the required TCP packet details.
289 * There is no way to identify whether they came from NAT or not.
290 *
291 * Trust the user configured properly.
292 */
293 debugs(89, 5, HERE << "address NAT divert-to: " << newConn);
294 return true;
295
296 #else /* USE_NAT_DEVPF / --with-nat-devpf */
297
298 struct pfioc_natlook nl;
299 static int pffd = -1;
300
301 if (pffd < 0)
302 pffd = open("/dev/pf", O_RDONLY);
303
304 if (pffd < 0) {
305 if (!silent) {
306 debugs(89, DBG_IMPORTANT, HERE << "PF open failed: " << xstrerror());
307 lastReported_ = squid_curtime;
308 }
309 return false;
310 }
311
312 memset(&nl, 0, sizeof(struct pfioc_natlook));
313 newConn->remote.getInAddr(nl.saddr.v4);
314 nl.sport = htons(newConn->remote.port());
315
316 newConn->local.getInAddr(nl.daddr.v4);
317 nl.dport = htons(newConn->local.port());
318
319 nl.af = AF_INET;
320 nl.proto = IPPROTO_TCP;
321 nl.direction = PF_OUT;
322
323 if (ioctl(pffd, DIOCNATLOOK, &nl)) {
324 if (errno != ENOENT) {
325 if (!silent) {
326 debugs(89, DBG_IMPORTANT, HERE << "PF lookup failed: ioctl(DIOCNATLOOK)");
327 lastReported_ = squid_curtime;
328 }
329 close(pffd);
330 pffd = -1;
331 }
332 debugs(89, 9, HERE << "address: " << newConn);
333 return false;
334 } else {
335 newConn->local = nl.rdaddr.v4;
336 newConn->local.port(ntohs(nl.rdport));
337 debugs(89, 5, HERE << "address NAT: " << newConn);
338 return true;
339 }
340 #endif /* --with-nat-devpf */
341 #endif /* --enable-pf-transparent */
342 return false;
343 }
344
345 bool
346 Ip::Intercept::Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn)
347 {
348 /* --enable-linux-netfilter */
349 /* --enable-ipfw-transparent */
350 /* --enable-ipf-transparent */
351 /* --enable-pf-transparent */
352 #if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT
353
354 #if 0
355 // Crop interception errors down to one per minute.
356 int silent = (squid_curtime - lastReported_ > 60 ? 0 : 1);
357 #else
358 // Show all interception errors.
359 int silent = 0;
360 #endif
361
362 debugs(89, 5, HERE << "address BEGIN: me/client= " << newConn->local << ", destination/me= " << newConn->remote);
363
364 newConn->flags |= (listenConn->flags & (COMM_TRANSPARENT|COMM_INTERCEPTION));
365
366 /* NP: try TPROXY first, its much quieter than NAT when non-matching */
367 if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) {
368 if (TproxyTransparent(newConn, silent)) return true;
369 }
370
371 if (interceptActive_ && listenConn->flags&COMM_INTERCEPTION) {
372 /* NAT methods that use sock-opts to return client address */
373 if (NetfilterInterception(newConn, silent)) return true;
374 if (IpfwInterception(newConn, silent)) return true;
375
376 /* NAT methods that use ioctl to return client address AND destination address */
377 if (PfInterception(newConn, silent)) return true;
378 if (IpfInterception(newConn, silent)) return true;
379 }
380
381 #else /* none of the transparent options configured */
382 debugs(89, DBG_IMPORTANT, "WARNING: transparent proxying not supported");
383 #endif
384
385 return false;
386 }
387
388 bool
389 Ip::Intercept::ProbeForTproxy(Ip::Address &test)
390 {
391 bool doneSuid = false;
392
393 #if _SQUID_LINUX_ && defined(IP_TRANSPARENT) // Linux
394 # define soLevel SOL_IP
395 # define soFlag IP_TRANSPARENT
396
397 #elif defined(SO_BINDANY) // OpenBSD 4.7+ and NetBSD with PF
398 # define soLevel SOL_SOCKET
399 # define soFlag SO_BINDANY
400 enter_suid();
401 doneSuid = true;
402
403 #elif defined(IP_BINDANY) // FreeBSD with IPFW
404 # define soLevel IPPROTO_IP
405 # define soFlag IP_BINDANY
406 enter_suid();
407 doneSuid = true;
408
409 #endif
410
411 #if defined(soLevel) && defined(soFlag)
412
413 debugs(3, 3, "Detect TPROXY support on port " << test);
414
415 int tos = 1;
416 int tmp_sock = -1;
417
418 /* Probe to see if the Kernel TPROXY support is IPv6-enabled */
419 if (test.isIPv6()) {
420 debugs(3, 3, "...Probing for IPv6 TPROXY support.");
421
422 struct sockaddr_in6 tmp_ip6;
423 Ip::Address tmp = "::2";
424 tmp.port(0);
425 tmp.getSockAddr(tmp_ip6);
426
427 if ( (tmp_sock = socket(PF_INET6, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
428 setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
429 bind(tmp_sock, (struct sockaddr*)&tmp_ip6, sizeof(struct sockaddr_in6)) == 0 ) {
430
431 debugs(3, 3, "IPv6 TPROXY support detected. Using.");
432 close(tmp_sock);
433 if (doneSuid)
434 leave_suid();
435 return true;
436 }
437 if (tmp_sock >= 0) {
438 close(tmp_sock);
439 tmp_sock = -1;
440 }
441 }
442
443 if ( test.isIPv6() && !test.setIPv4() ) {
444 debugs(3, DBG_CRITICAL, "TPROXY lacks IPv6 support for " << test );
445 if (doneSuid)
446 leave_suid();
447 return false;
448 }
449
450 /* Probe to see if the Kernel TPROXY support is IPv4-enabled (aka present) */
451 if (test.isIPv4()) {
452 debugs(3, 3, "...Probing for IPv4 TPROXY support.");
453
454 struct sockaddr_in tmp_ip4;
455 Ip::Address tmp = "127.0.0.2";
456 tmp.port(0);
457 tmp.getSockAddr(tmp_ip4);
458
459 if ( (tmp_sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP)) >= 0 &&
460 setsockopt(tmp_sock, soLevel, soFlag, (char *)&tos, sizeof(int)) == 0 &&
461 bind(tmp_sock, (struct sockaddr*)&tmp_ip4, sizeof(struct sockaddr_in)) == 0 ) {
462
463 debugs(3, 3, "IPv4 TPROXY support detected. Using.");
464 close(tmp_sock);
465 if (doneSuid)
466 leave_suid();
467 return true;
468 }
469 if (tmp_sock >= 0) {
470 close(tmp_sock);
471 }
472 }
473
474 #else
475 debugs(3, 3, "TPROXY setsockopt() not supported on this platform. Disabling TPROXY.");
476
477 #endif
478 if (doneSuid)
479 leave_suid();
480 return false;
481 }
482
Mirror of https://github.com/squid-cache/squid.git