/*
- * DEBUG: section 89 NAT / IP Interception
- * AUTHOR: Robert Collins
- * AUTHOR: Amos Jeffries
+ * Copyright (C) 1996-2017 The Squid Software Foundation and contributors
*
+ * Squid software is distributed under GPLv2+ license and includes
+ * contributions from numerous individuals and organizations.
+ * Please see the COPYING and CONTRIBUTORS files for details.
*/
+
+/* DEBUG: section 89 NAT / IP Interception */
+
#ifndef SQUID_IP_IPINTERCEPT_H
#define SQUID_IP_IPINTERCEPT_H
class Intercept
{
public:
- Intercept() : transparent_active(0), intercept_active(0), last_reported(0) {};
+ Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {};
~Intercept() {};
/** Perform NAT lookups */
- int NatLookup(int fd, const Address &me, const Address &peer, Address &client, Address &dst);
+ bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn);
/**
* Test system networking calls for TPROXY support.
* Detects IPv6 and IPv4 level of support matches the address being listened on
* and if the compiled v2/v4 is usable as far down as a bind()ing.
*
- * \param test Address set on the http(s)_port being checked.
+ * \param test Address set on the squid.conf *_port being checked.
* \retval true TPROXY is available.
* \retval false TPROXY is not available.
*/
bool ProbeForTproxy(Address &test);
/**
- \retval 0 Full transparency is disabled.
+ \retval 0 Full transparency is disabled.
\retval 1 Full transparency is enabled and active.
*/
- inline int TransparentActive() { return transparent_active; };
+ inline int TransparentActive() { return transparentActive_; };
/** \par
* Turn on fully Transparent-Proxy activities.
* This function should be called during parsing of the squid.conf
* When any option requiring full-transparency is encountered.
*/
- inline void StartTransparency() { transparent_active=1; };
+ inline void StartTransparency() { transparentActive_=1; };
/** \par
* Turn off fully Transparent-Proxy activities on all new connections.
void StopTransparency(const char *str);
/**
- \retval 0 IP Interception is disabled.
+ \retval 0 IP Interception is disabled.
\retval 1 IP Interception is enabled and active.
*/
- inline int InterceptActive() { return intercept_active; };
+ inline int InterceptActive() { return interceptActive_; };
/** \par
* Turn on IP-Interception-Proxy activities.
* This function should be called during parsing of the squid.conf
* When any option requiring interception / NAT handling is encountered.
*/
- inline void StartInterception() { intercept_active=1; };
+ inline void StartInterception() { interceptActive_=1; };
/** \par
* Turn off IP-Interception-Proxy activities on all new connections.
*/
inline void StopInterception(const char *str);
-
private:
/**
- * perform Lookups on Netfilter interception targets (REDIRECT, DNAT).
+ * perform Lookups on fully-transparent interception targets (TPROXY).
+ * Supports Netfilter, PF and IPFW.
*
- \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
- \param fd FD for the current TCP connection being tested.
- \param me IP address Squid received the connection on
- \param client IP address from which Squid received the connection.
- * May be updated by the NAT table information.
- * Default is the same value as the me IP address.
- \retval 0 Successfuly located the new address.
- \retval -1 An error occured during NAT lookups.
+ * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
+ * \param newConn Details known, to be updated where relevant.
+ * \return Whether successfuly located the new address.
*/
- int NetfilterInterception(int fd, const Address &me, Address &client, int silent);
+ bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent);
/**
- * perform Lookups on Netfilter fully-transparent interception targets (TPROXY).
+ * perform Lookups on Netfilter interception targets (REDIRECT, DNAT).
*
- \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
- \param fd FD for the current TCP connection being tested.
- \param me IP address Squid received the connection on
- \param dst IP address to which the request was made.
- * expected to be updated from the NAT table information.
- * Default is the same value as the peer IP address sent to NatLookup().
- \retval 0 Successfuly located the new address.
- \retval -1 An error occured during NAT lookups.
+ * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
+ * \param newConn Details known, to be updated where relevant.
+ * \return Whether successfuly located the new address.
*/
- int NetfilterTransparent(int fd, const Address &me, Address &dst, int silent);
+ bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);
/**
* perform Lookups on IPFW interception.
*
- \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
- \param fd FD for the current TCP connection being tested.
- \param me IP address Squid received the connection on
- \param client IP address from which Squid received the connection.
- * May be updated by the NAT table information.
- * Default is the same value as the me IP address.
- \retval 0 Successfuly located the new address.
- \retval -1 An error occured during NAT lookups.
+ * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
+ * \param newConn Details known, to be updated where relevant.
+ * \return Whether successfuly located the new address.
*/
- int IpfwInterception(int fd, const Address &me, Address &client, int silent);
+ bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);
/**
* perform Lookups on IPF interception.
*
- \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
- \param fd FD for the current TCP connection being tested.
- \param me IP address Squid received the connection on
- \param client IP address from which Squid received the connection.
- * May be updated by the NAT table information.
- * Default is the same value as the me IP address.
- \param dst IP address to which the request was made.
- * expected to be updated from the NAT table information.
- * Default is the same value as the peer IP address sent to NatLookup().
- \retval 0 Successfuly located the new address.
- \retval -1 An error occured during NAT lookups.
+ * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
+ * \param newConn Details known, to be updated where relevant.
+ * \return Whether successfuly located the new address.
*/
- int IpfInterception(int fd, const Address &me, Address &client, Address &dst, int silent);
+ bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);
/**
- * perform Lookups on PF interception.
+ * perform Lookups on PF interception target (REDIRECT).
*
- \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
- \param fd FD for the current TCP connection being tested.
- \param me IP address Squid received the connection on
- \param client IP address from which Squid received the connection.
- * May be updated by the NAT table information.
- * Default is the same value as the me IP address.
- \param dst IP address to which the request was made.
- * expected to be updated from the NAT table information.
- * Default is the same value as the peer IP address sent to NatLookup().
- \retval 0 Successfuly located the new address.
- \retval -1 An error occured during NAT lookups.
+ * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
+ * \param newConn Details known, to be updated where relevant.
+ * \return Whether successfuly located the new address.
*/
- int PfInterception(int fd, const Address &me, Address &client, Address &dst, int silent);
-
+ bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);
- int transparent_active;
- int intercept_active;
- time_t last_reported; /**< Time of last error report. Throttles NAT error display to 1 per minute */
+ int transparentActive_;
+ int interceptActive_;
+ time_t lastReported_; /**< Time of last error report. Throttles NAT error display to 1 per minute */
};
#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
*/
extern Intercept Interceptor;
-}; // namespace Ip
+} // namespace Ip
#endif /* SQUID_IP_IPINTERCEPT_H */
+