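#ifndef _NF_TPROXY_H_
#define _NF_TPROXY_H_

#include <net/tcp.h>

/*
 * Socket lookup mode, passed as @lookup_type to nf_tproxy_get_sock_v4()
 * and nf_tproxy_get_sock_v6().
 */
enum nf_tproxy_lookup_t {
	NF_TPROXY_LOOKUP_LISTENER,
	NF_TPROXY_LOOKUP_ESTABLISHED,
};

/**
 * nf_tproxy_sk_is_transparent - check a looked-up socket for transparency
 * @sk: socket returned by a lookup; the caller holds a reference on it.
 *
 * Returns true if inet_sk_transparent() reports @sk as transparent. Otherwise
 * the reference is dropped with sock_gen_put() and false is returned, so after
 * a false return the caller must not touch @sk again.
 */
static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
{
	if (inet_sk_transparent(sk))
		return true;

	sock_gen_put(sk);
	return false;
}

/**
 * nf_tproxy_assign_sock - assign a socket to the skb -- consumes sk
 * @skb: packet the socket is attached to.
 * @sk: socket whose reference is transferred to @skb.
 *
 * skb_orphan() releases whatever socket @skb held before; @skb then owns the
 * reference to @sk and its destructor is set to sock_edemux.
 */
static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
{
	skb_orphan(skb);
	skb->sk = sk;
	skb->destructor = sock_edemux;
}

__be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr);

/**
 * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
 * @net: Network namespace.
 * @skb: The skb being processed.
 * @laddr: IPv4 address to redirect to or zero.
 * @lport: TCP port to redirect to or zero.
 * @sk: The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait4() consumes the socket reference passed in.
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
			    __be32 laddr, __be16 lport, struct sock *sk);

/*
 * This is used when the user wants to intercept a connection matching
 * an explicit iptables rule. In this case the sockets are assumed
 * matching in preference order:
 *
 *   - match: if there's a fully established connection matching the
 *     _packet_ tuple, it is returned, assuming the redirection
 *     already took place and we process a packet belonging to an
 *     established connection
 *
 *   - match: if there's a listening socket matching the redirection
 *     (e.g. on-port & on-ip of the connection), it is returned,
 *     regardless of whether it was bound to 0.0.0.0 or an explicit
 *     address. The reasoning is that if there's an explicit rule, it
 *     does not really matter if the listener is bound to an interface
 *     or to 0. The user already stated that he wants redirection
 *     (since he added the rule).
 *
 * Please note that there's an overlap between what a TPROXY target
 * and a socket match will match. Normally if you have both rules the
 * "socket" match will be the first one, so effectively all packets
 * belonging to established connections go through that one.
 */
struct sock *
nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
		      const u8 protocol,
		      const __be32 saddr, const __be32 daddr,
		      const __be16 sport, const __be16 dport,
		      const struct net_device *in,
		      const enum nf_tproxy_lookup_t lookup_type);

const struct in6_addr *
nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
		 const struct in6_addr *daddr);

/**
 * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections
 * @skb: The skb being processed.
 * @tproto: Transport protocol.
 * @thoff: Transport protocol header offset.
 * @net: Network namespace.
 * @laddr: IPv6 address to redirect to.
 * @lport: TCP port to redirect to or zero.
 * @sk: The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait6() consumes the socket reference passed in.
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
			    struct net *net,
			    const struct in6_addr *laddr,
			    const __be16 lport,
			    struct sock *sk);

struct sock *
nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
		      const u8 protocol,
		      const struct in6_addr *saddr, const struct in6_addr *daddr,
		      const __be16 sport, const __be16 dport,
		      const struct net_device *in,
		      const enum nf_tproxy_lookup_t lookup_type);

#endif /* _NF_TPROXY_H_ */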