root/include/net/netfilter/nf_tproxy.h

/* [<][>][^][v][top][bottom][index][help] */

INCLUDED FROM


DEFINITIONS

This source file includes following definitions.
  1. nf_tproxy_sk_is_transparent
  2. nf_tproxy_assign_sock

   1 #ifndef _NF_TPROXY_H_
   2 #define _NF_TPROXY_H_
   3 
   4 #include <net/tcp.h>
   5 
   6 enum nf_tproxy_lookup_t {
   7          NF_TPROXY_LOOKUP_LISTENER,
   8          NF_TPROXY_LOOKUP_ESTABLISHED,
   9 };
  10 
  11 static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
  12 {
  13         if (inet_sk_transparent(sk))
  14                 return true;
  15 
  16         sock_gen_put(sk);
  17         return false;
  18 }
  19 
  20 /* assign a socket to the skb -- consumes sk */
  21 static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
  22 {
  23         skb_orphan(skb);
  24         skb->sk = sk;
  25         skb->destructor = sock_edemux;
  26 }
  27 
  28 __be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr);
  29 
  30 /**
  31  * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
  32  * @skb:        The skb being processed.
  33  * @laddr:      IPv4 address to redirect to or zero.
  34  * @lport:      TCP port to redirect to or zero.
  35  * @sk:         The TIME_WAIT TCP socket found by the lookup.
  36  *
  37  * We have to handle SYN packets arriving to TIME_WAIT sockets
  38  * differently: instead of reopening the connection we should rather
  39  * redirect the new connection to the proxy if there's a listener
  40  * socket present.
  41  *
  42  * nf_tproxy_handle_time_wait4() consumes the socket reference passed in.
  43  *
  44  * Returns the listener socket if there's one, the TIME_WAIT socket if
  45  * no such listener is found, or NULL if the TCP header is incomplete.
  46  */
  47 struct sock *
  48 nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
  49                             __be32 laddr, __be16 lport, struct sock *sk);
  50 
  51 /*
  52  * This is used when the user wants to intercept a connection matching
  53  * an explicit iptables rule. In this case the sockets are assumed
  54  * matching in preference order:
  55  *
  56  *   - match: if there's a fully established connection matching the
  57  *     _packet_ tuple, it is returned, assuming the redirection
  58  *     already took place and we process a packet belonging to an
  59  *     established connection
  60  *
  61  *   - match: if there's a listening socket matching the redirection
  62  *     (e.g. on-port & on-ip of the connection), it is returned,
  63  *     regardless if it was bound to 0.0.0.0 or an explicit
  64  *     address. The reasoning is that if there's an explicit rule, it
  65  *     does not really matter if the listener is bound to an interface
  66  *     or to 0. The user already stated that he wants redirection
  67  *     (since he added the rule).
  68  *
  69  * Please note that there's an overlap between what a TPROXY target
  70  * and a socket match will match. Normally if you have both rules the
  71  * "socket" match will be the first one, effectively all packets
  72  * belonging to established connections going through that one.
  73  */
  74 struct sock *
  75 nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
  76                       const u8 protocol,
  77                       const __be32 saddr, const __be32 daddr,
  78                       const __be16 sport, const __be16 dport,
  79                       const struct net_device *in,
  80                       const enum nf_tproxy_lookup_t lookup_type);
  81 
  82 const struct in6_addr *
  83 nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
  84                  const struct in6_addr *daddr);
  85 
  86 /**
  87  * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections
  88  * @skb:        The skb being processed.
  89  * @tproto:     Transport protocol.
  90  * @thoff:      Transport protocol header offset.
  91  * @net:        Network namespace.
  92  * @laddr:      IPv6 address to redirect to.
  93  * @lport:      TCP port to redirect to or zero.
  94  * @sk:         The TIME_WAIT TCP socket found by the lookup.
  95  *
  96  * We have to handle SYN packets arriving to TIME_WAIT sockets
  97  * differently: instead of reopening the connection we should rather
  98  * redirect the new connection to the proxy if there's a listener
  99  * socket present.
 100  *
 101  * nf_tproxy_handle_time_wait6() consumes the socket reference passed in.
 102  *
 103  * Returns the listener socket if there's one, the TIME_WAIT socket if
 104  * no such listener is found, or NULL if the TCP header is incomplete.
 105  */
 106 struct sock *
 107 nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
 108                             struct net *net,
 109                             const struct in6_addr *laddr,
 110                             const __be16 lport,
 111                             struct sock *sk);
 112 
 113 struct sock *
 114 nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
 115                       const u8 protocol,
 116                       const struct in6_addr *saddr, const struct in6_addr *daddr,
 117                       const __be16 sport, const __be16 dport,
 118                       const struct net_device *in,
 119                       const enum nf_tproxy_lookup_t lookup_type);
 120 
 121 #endif /* _NF_TPROXY_H_ */

/* [<][>][^][v][top][bottom][index][help] */