2008-10-08 09:35:12 +00:00
|
|
|
/*
|
|
|
|
|
* Transparent proxy support for Linux/iptables
|
|
|
|
|
*
|
|
|
|
|
* Copyright (c) 2006-2007 BalaBit IT Ltd.
|
|
|
|
|
* Author: Balazs Scheidler, Krisztian Kovacs
|
|
|
|
|
*
|
|
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
|
* published by the Free Software Foundation.
|
|
|
|
|
*
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
|
|
|
|
|
#include <linux/net.h>
|
|
|
|
|
#include <linux/if.h>
|
|
|
|
|
#include <linux/netdevice.h>
|
|
|
|
|
#include <net/udp.h>
|
|
|
|
|
#include <net/netfilter/nf_tproxy_core.h>
|
|
|
|
|
|
|
|
|
|
struct sock *
|
|
|
|
|
nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
|
|
|
|
|
const __be32 saddr, const __be32 daddr,
|
|
|
|
|
const __be16 sport, const __be16 dport,
|
|
|
|
|
const struct net_device *in, bool listening_only)
|
|
|
|
|
{
|
|
|
|
|
struct sock *sk;
|
|
|
|
|
|
|
|
|
|
/* look up socket */
|
|
|
|
|
switch (protocol) {
|
|
|
|
|
case IPPROTO_TCP:
|
|
|
|
|
if (listening_only)
|
|
|
|
|
sk = __inet_lookup_listener(net, &tcp_hashinfo,
|
|
|
|
|
daddr, ntohs(dport),
|
|
|
|
|
in->ifindex);
|
|
|
|
|
else
|
|
|
|
|
sk = __inet_lookup(net, &tcp_hashinfo,
|
|
|
|
|
saddr, sport, daddr, dport,
|
|
|
|
|
in->ifindex);
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_UDP:
|
|
|
|
|
sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
|
|
|
|
|
in->ifindex);
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
WARN_ON(1);
|
|
|
|
|
sk = NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, listener only: %d, sock %p\n",
|
|
|
|
|
protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), listening_only, sk);
|
|
|
|
|
|
|
|
|
|
return sk;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_tproxy_get_sock_v4);
|
|
|
|
|
|
|
|
|
|
static void
|
|
|
|
|
nf_tproxy_destructor(struct sk_buff *skb)
|
|
|
|
|
{
|
|
|
|
|
struct sock *sk = skb->sk;
|
|
|
|
|
|
|
|
|
|
skb->sk = NULL;
|
|
|
|
|
skb->destructor = NULL;
|
|
|
|
|
|
|
|
|
|
if (sk)
|
|
|
|
|
nf_tproxy_put_sock(sk);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* consumes sk */
|
|
|
|
|
int
|
|
|
|
|
nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
|
|
|
|
|
{
|
|
|
|
|
if (inet_sk(sk)->transparent) {
|
net: Partially allow skb destructors to be used on receive path
As it currently stands, skb destructors are forbidden on the
receive path because the protocol end-points will overwrite
any existing destructor with their own.
This is the reason why we have to call skb_orphan in the loopback
driver before we reinject the packet back into the stack, thus
creating a period during which loopback traffic isn't charged
to any socket.
With virtualisation, we have a similar problem in that traffic
is reinjected into the stack without being associated with any
socket entity, thus providing no natural congestion push-back
for those poor folks still stuck with UDP.
Now had we been consistent in telling them that UDP simply has
no congestion feedback, I could just fob them off. Unfortunately,
we appear to have gone to some length in catering for this on
the standard UDP path, with skb/socket accounting so that has
created a very unhealthy dependency.
Alas habits are difficult to break out of, so we may just have
to allow skb destructors on the receive path.
It turns out that making skb destructors useable on the receive path
isn't as easy as it seems. For instance, simply adding skb_orphan
to skb_set_owner_r isn't enough. This is because we assume all
over the IP stack that skb->sk is an IP socket if present.
The new transparent proxy code goes one step further and assumes
that skb->sk is the receiving socket if present.
Now all of this can be dealt with by adding simple checks such
as only treating skb->sk as an IP socket if skb->sk->sk_family
matches. However, it turns out that for bridging at least we
don't need to do all of this work.
This is of interest because most virtualisation setups use bridging
so we don't actually go through the IP stack on the host (with
the exception of our old nemesis the bridge netfilter, but that's
easily taken care of).
So this patch simply adds skb_orphan to the point just before we
enter the IP stack, but after we've gone through the bridge on the
receive path. It also adds an skb_orphan to the one place in
netfilter that touches skb->sk/skb->destructor, that is, tproxy.
One word of caution, because of the internal code structure, anyone
wishing to deploy this must use skb_set_owner_w as opposed to
skb_set_owner_r since many functions that create a new skb from
an existing one will invoke skb_set_owner_w on the new skb.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-02-05 00:55:27 +00:00
|
|
|
skb_orphan(skb);
|
2008-10-08 09:35:12 +00:00
|
|
|
skb->sk = sk;
|
|
|
|
|
skb->destructor = nf_tproxy_destructor;
|
|
|
|
|
return 1;
|
|
|
|
|
} else
|
|
|
|
|
nf_tproxy_put_sock(sk);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
EXPORT_SYMBOL_GPL(nf_tproxy_assign_sock);
|
|
|
|
|
|
|
|
|
|
static int __init nf_tproxy_init(void)
|
|
|
|
|
{
|
|
|
|
|
pr_info("NF_TPROXY: Transparent proxy support initialized, version 4.1.0\n");
|
|
|
|
|
pr_info("NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.\n");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module_init(nf_tproxy_init);
|
|
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
MODULE_AUTHOR("Krisztian Kovacs");
|
|
|
|
|
MODULE_DESCRIPTION("Transparent proxy support core routines");
|