Linux/include/net/netfilter/nf_tproxy.h


  1 #ifndef _NF_TPROXY_H_
  2 #define _NF_TPROXY_H_
  3 
  4 #include <net/tcp.h>
  5 
/*
 * Which kind of socket nf_tproxy_get_sock_v4()/nf_tproxy_get_sock_v6()
 * should search for.  The values are spelled out so the two-state contract
 * is visible to readers and to anyone serialising the value.
 */
enum nf_tproxy_lookup_t {
	/* a listening socket matching the redirection address/port */
	NF_TPROXY_LOOKUP_LISTENER = 0,
	/* a fully established socket matching the packet tuple */
	NF_TPROXY_LOOKUP_ESTABLISHED = 1,
};
 10 
/**
 * nf_tproxy_sk_is_transparent - check a looked-up socket for the transparent flag
 * @sk: socket returned by a lookup; the caller holds a reference on it.
 *
 * Returns true when inet_sk_transparent(@sk) is set, leaving the caller's
 * reference untouched.  Otherwise the reference is dropped with
 * sock_gen_put() and false is returned, so after a false return the caller
 * must not touch @sk again (it may already have been freed).
 */
static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
{
	bool transparent = inet_sk_transparent(sk);

	if (!transparent)
		sock_gen_put(sk);

	return transparent;
}
 19 
/**
 * nf_tproxy_laddr4 - pick the IPv4 address a packet should be redirected to
 * @skb:        The skb being processed.
 * @user_laddr: Address given by the rule, or zero to let the helper choose.
 * @daddr:      Destination address of the packet.
 *
 * NOTE(review): how the address is chosen when @user_laddr is zero
 * (presumably an address of the incoming interface, falling back to @daddr)
 * is not stated here - confirm against the implementation before relying
 * on it.
 */
__be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr);
 21 
/**
 * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
 * @net:        Network namespace.
 * @skb:        The skb being processed.
 * @laddr:      IPv4 address to redirect to or zero.
 * @lport:      TCP port to redirect to or zero.
 * @sk:         The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving at TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait4() consumes the socket reference passed in.
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 *
 * NOTE(review): whether the socket returned (listener or the original
 * TIME_WAIT socket) carries a reference the caller must release is not
 * stated here - confirm against the implementation before adding callers.
 */
struct sock *
nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
                            __be32 laddr, __be16 lport, struct sock *sk);
 42 
/**
 * nf_tproxy_get_sock_v4 - look up the IPv4 socket a packet should be handed to
 * @net:          Network namespace.
 * @skb:          The skb being processed.
 * @protocol:     Transport protocol of the packet.
 * @saddr:        Source address of the tuple to look up.
 * @daddr:        Destination address of the tuple to look up.
 * @sport:        Source port of the tuple to look up.
 * @dport:        Destination port of the tuple to look up.
 * @in:           Incoming network device.
 * @lookup_type:  Which kind of socket to search for, see enum nf_tproxy_lookup_t.
 *
 * This is used when the user wants to intercept a connection matching
 * an explicit iptables rule. In this case the sockets are assumed
 * matching in preference order:
 *
 *   - match: if there's a fully established connection matching the
 *     _packet_ tuple, it is returned, assuming the redirection
 *     already took place and we process a packet belonging to an
 *     established connection
 *
 *   - match: if there's a listening socket matching the redirection
 *     (e.g. on-port & on-ip of the connection), it is returned,
 *     regardless of whether it was bound to 0.0.0.0 or an explicit
 *     address. The reasoning is that if there's an explicit rule, it
 *     does not really matter if the listener is bound to an interface
 *     or to 0. The user already stated that they want redirection
 *     (by adding the rule).
 *
 * Please note that there's an overlap between what a TPROXY target
 * and a socket match will match. Normally if you have both rules the
 * "socket" match will be the first one, so effectively all packets
 * belonging to established connections go through that one.
 *
 * NOTE(review): the return value is not documented here; presumably the
 * matching socket or NULL, and whether it carries a reference the caller
 * must release should be confirmed against the implementation.
 */
struct sock *
nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
                      const u8 protocol,
                      const __be32 saddr, const __be32 daddr,
                      const __be16 sport, const __be16 dport,
                      const struct net_device *in,
                      const enum nf_tproxy_lookup_t lookup_type);
 73 
/**
 * nf_tproxy_laddr6 - pick the IPv6 address a packet should be redirected to
 * @skb:        The skb being processed.
 * @user_laddr: Address given by the rule.
 * @daddr:      Destination address of the packet.
 *
 * NOTE(review): the conditions under which @user_laddr is used as-is versus
 * another address being chosen (presumably from the incoming interface,
 * falling back to @daddr) are not stated here - confirm against the
 * implementation.  The returned pointer's lifetime is likewise undocumented;
 * do not assume it outlives @skb.
 */
const struct in6_addr *
nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
                 const struct in6_addr *daddr);
 77 
/**
 * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections
 * @skb:        The skb being processed.
 * @tproto:     Transport protocol.
 * @thoff:      Transport protocol header offset.
 * @net:        Network namespace.
 * @laddr:      IPv6 address to redirect to.
 * @lport:      TCP port to redirect to or zero.
 * @sk:         The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving at TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait6() consumes the socket reference passed in.
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 *
 * NOTE(review): whether the socket returned (listener or the original
 * TIME_WAIT socket) carries a reference the caller must release is not
 * stated here - confirm against the implementation before adding callers.
 */
struct sock *
nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
                            struct net *net,
                            const struct in6_addr *laddr,
                            const __be16 lport,
                            struct sock *sk);
104 
/**
 * nf_tproxy_get_sock_v6 - look up the IPv6 socket a packet should be handed to
 * @net:          Network namespace.
 * @skb:          The skb being processed.
 * @thoff:        Transport protocol header offset.
 * @protocol:     Transport protocol of the packet.
 * @saddr:        Source address of the tuple to look up.
 * @daddr:        Destination address of the tuple to look up.
 * @sport:        Source port of the tuple to look up.
 * @dport:        Destination port of the tuple to look up.
 * @in:           Incoming network device.
 * @lookup_type:  Which kind of socket to search for, see enum nf_tproxy_lookup_t.
 *
 * IPv6 counterpart of nf_tproxy_get_sock_v4(); the same preference order
 * (established connection first, then a listener matching the redirection)
 * is presumably applied - confirm against the implementation.
 *
 * NOTE(review): the return value is not documented here; presumably the
 * matching socket or NULL, and whether it carries a reference the caller
 * must release should be confirmed against the implementation.
 */
struct sock *
nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
                      const u8 protocol,
                      const struct in6_addr *saddr, const struct in6_addr *daddr,
                      const __be16 sport, const __be16 dport,
                      const struct net_device *in,
                      const enum nf_tproxy_lookup_t lookup_type);
112 
113 #endif /* _NF_TPROXY_H_ */
114 
