Linux/net/ipv4/netfilter/nf_tproxy_ipv4.c


  1 /*
  2  * Copyright (C) 2007-2008 BalaBit IT Ltd.
  3  * Author: Krisztian Kovacs
  4  *
  5  * This program is free software; you can redistribute it and/or modify
  6  * it under the terms of the GNU General Public License version 2 as
  7  * published by the Free Software Foundation.
  8  *
  9  */
 10 
 11 #include <net/netfilter/nf_tproxy.h>
 12 #include <linux/module.h>
 13 #include <linux/skbuff.h>
 14 #include <net/sock.h>
 15 #include <net/inet_sock.h>
 16 #include <linux/ip.h>
 17 #include <net/checksum.h>
 18 #include <net/udp.h>
 19 #include <net/tcp.h>
 20 #include <linux/inetdevice.h>
 21 
/**
 * nf_tproxy_handle_time_wait4 - resolve a TIME_WAIT hit for an IPv4 TCP segment
 * @net: network namespace to do the listener lookup in
 * @skb: the segment being processed
 * @laddr: user-supplied redirect address, or 0 to keep the segment's
 *	destination address
 * @lport: user-supplied redirect port, or 0 to keep the segment's
 *	destination port
 * @sk: the TIME_WAIT socket the caller found; the reference it carries is
 *	either handed back with the return value or dropped here
 *
 * A pure SYN (no RST/ACK/FIN) arriving at a TIME_WAIT socket is a fresh
 * connection attempt, so a listener that could accept it is preferred over
 * the TIME_WAIT entry.  When such a listener exists the TIME_WAIT socket is
 * descheduled and released and the listener (already referenced by
 * nf_tproxy_get_sock_v4()) is returned instead.
 *
 * Return: the socket the caller should continue with - @sk itself, the
 * listener that replaces it, or NULL when the TCP header could not be read
 * (the reference on @sk has then already been dropped).
 */
struct sock *
nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
			 __be32 laddr, __be16 lport, struct sock *sk)
{
	const struct iphdr *iph = ip_hdr(skb);
	struct tcphdr _th, *th;
	struct sock *listener;

	/* The TCP header may not be linear; copy it into _th if needed. */
	th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_th), &_th);
	if (!th) {
		/* Truncated header: give back the TIME_WAIT reference we hold. */
		inet_twsk_put(inet_twsk(sk));
		return NULL;
	}

	/* Anything but a pure SYN stays with the TIME_WAIT socket. */
	if (!th->syn || th->rst || th->ack || th->fin)
		return sk;

	/* SYN to a TIME_WAIT socket: redirect to a listener if there is one. */
	listener = nf_tproxy_get_sock_v4(net, skb, iph->protocol,
					 iph->saddr, laddr ? laddr : iph->daddr,
					 th->source, lport ? lport : th->dest,
					 skb->dev, NF_TPROXY_LOOKUP_LISTENER);
	if (!listener)
		return sk;

	/* A listener will take the connection; the TIME_WAIT entry can go. */
	inet_twsk_deschedule_put(inet_twsk(sk));
	return listener;
}
EXPORT_SYMBOL_GPL(nf_tproxy_handle_time_wait4);
 53 
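/**
 * nf_tproxy_laddr4 - pick the local address an IPv4 packet is redirected to
 * @skb: the packet; @skb->dev is the device it was received on
 * @user_laddr: address configured by the user, or 0 for "autodetect"
 * @daddr: the packet's original destination address, used as the fallback
 *
 * With no user-configured address the first primary IPv4 address of the
 * receiving device is chosen; if the device has none, @daddr is kept.
 * Callers are expected to hold the RCU read lock, since the device's
 * address list is reached through __in_dev_get_rcu().
 *
 * Return: the address to redirect to; only 0 if @daddr itself is 0.
 */
__be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr)
{
	struct in_device *indev;
	__be32 laddr = 0;

	if (user_laddr)
		return user_laddr;

	/*
	 * __in_dev_get_rcu() returns NULL for a device that has no IPv4
	 * configuration, and for_primary_ifa() dereferences indev without a
	 * NULL check of its own.  Guard it here so such a packet falls back
	 * to daddr instead of faulting in the hook.
	 */
	indev = __in_dev_get_rcu(skb->dev);
	if (indev) {
		for_primary_ifa(indev) {
			laddr = ifa->ifa_local;
			break;
		} endfor_ifa(indev);
	}

	return laddr ? laddr : daddr;
}
EXPORT_SYMBOL_GPL(nf_tproxy_laddr4);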
 72 
/*
 * TCP half of nf_tproxy_get_sock_v4(): find the listener or the established
 * socket matching the 4-tuple.  Returns a referenced socket or NULL.
 */
static struct sock *
nf_tproxy_tcp_lookup_v4(struct net *net, struct sk_buff *skb,
			__be32 saddr, __be32 daddr,
			__be16 sport, __be16 dport,
			const struct net_device *in,
			enum nf_tproxy_lookup_t lookup_type)
{
	struct tcphdr _th, *th;
	struct sock *sk;

	/* Header may be non-linear; copy it out if so. */
	th = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(struct tcphdr), &_th);
	if (!th)
		return NULL;

	switch (lookup_type) {
	case NF_TPROXY_LOOKUP_LISTENER:
		sk = inet_lookup_listener(net, &tcp_hashinfo, skb,
					  ip_hdrlen(skb) + __tcp_hdrlen(th),
					  saddr, sport, daddr, dport,
					  in->ifindex, 0);
		/*
		 * The listener comes back without a reference of our own;
		 * take one, and treat a socket whose refcount is already
		 * zero (it is being freed) as a miss.
		 */
		if (sk && !refcount_inc_not_zero(&sk->sk_refcnt))
			sk = NULL;
		/* NOTE: listeners bound to 0.0.0.0 are returned as well;
		 * xt_socket filters them out, xt_TPROXY needs them.
		 */
		break;
	case NF_TPROXY_LOOKUP_ESTABLISHED:
		/* Returned with a reference the caller releases. */
		sk = inet_lookup_established(net, &tcp_hashinfo,
					     saddr, sport, daddr, dport,
					     in->ifindex);
		break;
	default:
		/* lookup_type is chosen by kernel callers, never by the packet:
		 * an unknown value is a programming error.
		 */
		BUG();
	}

	return sk;
}

/*
 * UDP half of nf_tproxy_get_sock_v4().  udp4_lib_lookup() does not
 * distinguish connected from unconnected sockets, so the lookup type is
 * enforced here.  Returns a referenced socket or NULL.
 */
static struct sock *
nf_tproxy_udp_lookup_v4(struct net *net,
			__be32 saddr, __be32 daddr,
			__be16 sport, __be16 dport,
			const struct net_device *in,
			enum nf_tproxy_lookup_t lookup_type)
{
	struct sock *sk;
	bool connected, wildcard, reject;

	sk = udp4_lib_lookup(net, saddr, sport, daddr, dport, in->ifindex);
	if (!sk)
		return NULL;

	connected = sk->sk_state == TCP_ESTABLISHED;
	wildcard = inet_sk(sk)->inet_rcv_saddr == 0;

	/*
	 * An ESTABLISHED lookup only accepts a connected, specifically bound
	 * socket; a LISTENER lookup must not return a connected one.
	 * NOTE: unconnected sockets bound to 0.0.0.0 are returned for the
	 * listener case on purpose - xt_socket filters them out, xt_TPROXY
	 * needs them.
	 */
	if (lookup_type == NF_TPROXY_LOOKUP_ESTABLISHED)
		reject = !connected || wildcard;
	else
		reject = lookup_type == NF_TPROXY_LOOKUP_LISTENER && connected;

	if (reject) {
		/* udp4_lib_lookup() handed us a reference; give it back. */
		sock_put(sk);
		return NULL;
	}

	return sk;
}

/**
 * nf_tproxy_get_sock_v4 - look up the socket an IPv4 packet should be steered to
 * @net: network namespace to search
 * @skb: the packet (used to read the TCP header for listener lookups)
 * @protocol: transport protocol from the IP header (IPPROTO_TCP or IPPROTO_UDP)
 * @saddr: source address of the packet
 * @daddr: destination address to match (possibly the redirect address)
 * @sport: source port of the packet
 * @dport: destination port to match (possibly the redirect port)
 * @in: receiving device; its ifindex scopes the lookup
 * @lookup_type: whether a listener or an established socket is wanted
 *
 * The protocol byte comes from the packet, so an unexpected value is only
 * warned about and yields NULL; @lookup_type is supplied by kernel callers
 * and an unknown value is treated as a bug.
 *
 * Return: a socket holding a reference that the caller must release, or
 * NULL if nothing matched.
 */
struct sock *
nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
		      const u8 protocol,
		      const __be32 saddr, const __be32 daddr,
		      const __be16 sport, const __be16 dport,
		      const struct net_device *in,
		      const enum nf_tproxy_lookup_t lookup_type)
{
	struct sock *sk = NULL;

	if (protocol == IPPROTO_TCP)
		sk = nf_tproxy_tcp_lookup_v4(net, skb, saddr, daddr,
					     sport, dport, in, lookup_type);
	else if (protocol == IPPROTO_UDP)
		sk = nf_tproxy_udp_lookup_v4(net, saddr, daddr,
					     sport, dport, in, lookup_type);
	else
		WARN_ON(1);

	/* Compiled out unless debugging is enabled; %p is hashed by printk. */
	pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, lookup type: %d, sock %p\n",
		 protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), lookup_type, sk);

	return sk;
}
EXPORT_SYMBOL_GPL(nf_tproxy_get_sock_v4);
150 
/* Module metadata; the license tag governs which GPL-only symbols this module may import. */
MODULE_DESCRIPTION("Netfilter IPv4 transparent proxy support");
MODULE_AUTHOR("Balazs Scheidler, Krisztian Kovacs");
MODULE_LICENSE("GPL");
154 
