1 /*
2 * DEBUG: section 89 NAT / IP Interception
3 * AUTHOR: Robert Collins
4 * AUTHOR: Amos Jeffries
5 *
6 */
7 #ifndef SQUID_IP_IPINTERCEPT_H
8 #define SQUID_IP_IPINTERCEPT_H
9
10 /* for time_t */
11 #include "SquidTime.h"
12
13 namespace Ip
14 {
15
16 class Address;
17
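/**
 \defgroup IpInterceptAPI IP Interception and Transparent Proxy API
 \ingroup SquidComponent
 \par
 * There is no formal state-machine for transparency and interception;
 * instead there is this neutral API which other connection state machines
 * and the comm layer use to co-ordinate their own state for transparency.
 *
 * The Start*() methods are expected to run while squid.conf is parsed and
 * the *Active() accessors are read afterwards. The private per-firewall
 * helpers are only declared here; the implementation file decides which
 * of them Lookup() uses on a given platform.
 */
class Intercept
{
public:
    /// Both features start disabled; the error-report throttle starts at 0.
    Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}
    ~Intercept() {}

    /**
     * Perform NAT lookups for a freshly accepted connection.
     * \param newConn    Details known so far, to be updated where relevant.
     * \param listenConn The listening connection the client arrived on.
     * \return presumably whether the original destination was located;
     *         see the out-of-line definition for the exact contract.
     */
    bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn);

    /**
     * Test system networking calls for TPROXY support.
     * Detects whether the IPv6 and IPv4 level of support matches the address
     * being listened on, and whether the compiled v2/v4 is usable as far
     * down as a bind()ing.
     *
     * \param test Address set on the http(s)_port being checked.
     * \retval true TPROXY is available.
     * \retval false TPROXY is not available.
     */
    bool ProbeForTproxy(Address &test);

    /**
     \retval 0 Full transparency is disabled.
     \retval 1 Full transparency is enabled and active.
     */
    inline int TransparentActive() const { return transparentActive_; }

    /** \par
     * Turn on fully Transparent-Proxy activities.
     * This function should be called during parsing of squid.conf
     * when any option requiring full-transparency is encountered.
     */
    inline void StartTransparency() { transparentActive_ = 1; }

    /** \par
     * Turn off fully Transparent-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str Reason for stopping. Will be logged to cache.log
     */
    void StopTransparency(const char *str);

    /**
     \retval 0 IP Interception is disabled.
     \retval 1 IP Interception is enabled and active.
     */
    inline int InterceptActive() const { return interceptActive_; }

    /** \par
     * Turn on IP-Interception-Proxy activities.
     * This function should be called during parsing of squid.conf
     * when any option requiring interception / NAT handling is encountered.
     */
    inline void StartInterception() { interceptActive_ = 1; }

    /** \par
     * Turn off IP-Interception-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str Reason for stopping. Will be logged to cache.log
     */
    // Deliberately not declared 'inline': the body is not in this header
    // (presumably it lives beside StopTransparency in the .cc), and an
    // inline declaration whose definition is not visible in every using
    // translation unit is an ODR violation that can surface as link errors.
    void StopInterception(const char *str);

private:

    /**
     * Perform lookups on fully-transparent interception targets (TPROXY).
     * Supports Netfilter, PF and IPFW.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether the new address was successfully located.
     */
    bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on Netfilter interception targets (REDIRECT, DNAT).
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether the new address was successfully located.
     */
    bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPFW interception.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether the new address was successfully located.
     */
    bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPF interception.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether the new address was successfully located.
     */
    bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on PF interception target (REDIRECT).
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether the new address was successfully located.
     */
    bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);

    int transparentActive_;  ///< 1 once StartTransparency() has run; presumably reset by StopTransparency().
    int interceptActive_;    ///< 1 once StartInterception() has run; presumably reset by StopInterception().
    time_t lastReported_;    /**< Time of last error report. Throttles NAT error display to 1 per minute,
                                  so repeated lookup failures cannot flood cache.log. */
};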
140
#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
/// \ingroup IpInterceptAPI
/// Fallback for the Linux IP_TRANSPARENT socket option when the system
/// headers predate it; 19 is the value used by <linux/in.h>. Only defined
/// on Netfilter builds. NOTE(review): per ip(7), setting IP_TRANSPARENT on
/// a socket requires CAP_NET_ADMIN, so a privilege shortfall is presumably
/// what ProbeForTproxy() reports as "not available" -- confirm in Intercept.cc.
#define IP_TRANSPARENT 19
#endif

/**
 \ingroup IpInterceptAPI
 * Globally available instance of the IP Interception manager.
 * Declared here; the single definition lives in the implementation file
 * (presumably Intercept.cc).
 */
extern Intercept Interceptor;
151
152 } // namespace Ip
153
154 #endif /* SQUID_IP_IPINTERCEPT_H */