1d2912cb1SThomas Gleixner // SPDX-License-Identifier: GPL-2.0-only
2136cdc71SKOVACS Krisztian /*
3136cdc71SKOVACS Krisztian * Transparent proxy support for Linux/iptables
4136cdc71SKOVACS Krisztian *
5136cdc71SKOVACS Krisztian * Copyright (C) 2007-2008 BalaBit IT Ltd.
6136cdc71SKOVACS Krisztian * Author: Krisztian Kovacs
7136cdc71SKOVACS Krisztian */
8ff67e4e4SJan Engelhardt #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9136cdc71SKOVACS Krisztian #include <linux/module.h>
10136cdc71SKOVACS Krisztian #include <linux/skbuff.h>
11136cdc71SKOVACS Krisztian #include <linux/netfilter/x_tables.h>
12136cdc71SKOVACS Krisztian #include <linux/netfilter_ipv4/ip_tables.h>
13136cdc71SKOVACS Krisztian #include <net/tcp.h>
14136cdc71SKOVACS Krisztian #include <net/udp.h>
15136cdc71SKOVACS Krisztian #include <net/icmp.h>
16136cdc71SKOVACS Krisztian #include <net/sock.h>
17136cdc71SKOVACS Krisztian #include <net/inet_sock.h>
18136cdc71SKOVACS Krisztian #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
19f6318e55SKOVACS Krisztian
20c0cd1156SIgor Maravić #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
21f6318e55SKOVACS Krisztian #include <linux/netfilter_ipv6/ip6_tables.h>
2293742cf8SFlorian Westphal #include <net/inet6_hashtables.h>
23b64c9256SBalazs Scheidler #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
24f6318e55SKOVACS Krisztian #endif
25136cdc71SKOVACS Krisztian
268db4c5beSPablo Neira Ayuso #include <net/netfilter/nf_socket.h>
27a31e1ffdSLaszlo Attila Toth #include <linux/netfilter/xt_socket.h>
28a31e1ffdSLaszlo Attila Toth
2993742cf8SFlorian Westphal /* "socket" match based redirection (no specific rule)
3093742cf8SFlorian Westphal * ===================================================
3193742cf8SFlorian Westphal *
3293742cf8SFlorian Westphal * There are connections with dynamic endpoints (e.g. FTP data
3393742cf8SFlorian Westphal * connection) that the user is unable to add explicit rules
3493742cf8SFlorian Westphal * for. These are taken care of by a generic "socket" rule. It is
3593742cf8SFlorian Westphal * assumed that the proxy application is trusted to open such
3693742cf8SFlorian Westphal * connections without explicit iptables rule (except of course the
3793742cf8SFlorian Westphal * generic 'socket' rule). In this case the following sockets are
3893742cf8SFlorian Westphal * matched in preference order:
3993742cf8SFlorian Westphal *
4093742cf8SFlorian Westphal * - match: if there's a fully established connection matching the
4193742cf8SFlorian Westphal * _packet_ tuple
4293742cf8SFlorian Westphal *
4393742cf8SFlorian Westphal * - match: if there's a non-zero bound listener (possibly with a
4493742cf8SFlorian Westphal * non-local address) We don't accept zero-bound listeners, since
4593742cf8SFlorian Westphal * then local services could intercept traffic going through the
4693742cf8SFlorian Westphal * box.
4793742cf8SFlorian Westphal */
48d64d80a2SDaniel Borkmann static bool
socket_match(const struct sk_buff * skb,struct xt_action_param * par,const struct xt_socket_mtinfo1 * info)49d64d80a2SDaniel Borkmann socket_match(const struct sk_buff *skb, struct xt_action_param *par,
50d64d80a2SDaniel Borkmann const struct xt_socket_mtinfo1 *info)
51d64d80a2SDaniel Borkmann {
5201555e74SHarout Hedeshian struct sk_buff *pskb = (struct sk_buff *)skb;
53d64d80a2SDaniel Borkmann struct sock *sk = skb->sk;
54d64d80a2SDaniel Borkmann
5540e4f26eSFlavio Leitner if (sk && !net_eq(xt_net(par), sock_net(sk)))
56f5646501SFlavio Leitner sk = NULL;
57f5646501SFlavio Leitner
5800028aa3SEric Dumazet if (!sk)
59613dbd95SPablo Neira Ayuso sk = nf_sk_lookup_slow_v4(xt_net(par), skb, xt_in(par));
60f5646501SFlavio Leitner
6100028aa3SEric Dumazet if (sk) {
62a31e1ffdSLaszlo Attila Toth bool wildcard;
63a31e1ffdSLaszlo Attila Toth bool transparent = true;
64a31e1ffdSLaszlo Attila Toth
65681f130fSEric Dumazet /* Ignore sockets listening on INADDR_ANY,
66681f130fSEric Dumazet * unless XT_SOCKET_NOWILDCARD is set
67681f130fSEric Dumazet */
68681f130fSEric Dumazet wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
69a9407000SEric Dumazet sk_fullsock(sk) &&
70c720c7e8SEric Dumazet inet_sk(sk)->inet_rcv_saddr == 0);
71a31e1ffdSLaszlo Attila Toth
72a31e1ffdSLaszlo Attila Toth /* Ignore non-transparent sockets,
73a9407000SEric Dumazet * if XT_SOCKET_TRANSPARENT is used
74a9407000SEric Dumazet */
75baf60efaSEric Dumazet if (info->flags & XT_SOCKET_TRANSPARENT)
768d6e5557SMáté Eckl transparent = inet_sk_transparent(sk);
77136cdc71SKOVACS Krisztian
7801555e74SHarout Hedeshian if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
7989fcbb56SSubash Abhinov Kasiviswanathan transparent && sk_fullsock(sk))
80*3c5b4d69SEric Dumazet pskb->mark = READ_ONCE(sk->sk_mark);
8101555e74SHarout Hedeshian
8200028aa3SEric Dumazet if (sk != skb->sk)
831a8bf6eeSEric Dumazet sock_gen_put(sk);
84a31e1ffdSLaszlo Attila Toth
85a31e1ffdSLaszlo Attila Toth if (wildcard || !transparent)
86136cdc71SKOVACS Krisztian sk = NULL;
87136cdc71SKOVACS Krisztian }
88136cdc71SKOVACS Krisztian
89d64d80a2SDaniel Borkmann return sk != NULL;
90136cdc71SKOVACS Krisztian }
91136cdc71SKOVACS Krisztian
92a31e1ffdSLaszlo Attila Toth static bool
socket_mt4_v0(const struct sk_buff * skb,struct xt_action_param * par)93b64c9256SBalazs Scheidler socket_mt4_v0(const struct sk_buff *skb, struct xt_action_param *par)
94a31e1ffdSLaszlo Attila Toth {
95baf60efaSEric Dumazet static struct xt_socket_mtinfo1 xt_info_v0 = {
96baf60efaSEric Dumazet .flags = 0,
97baf60efaSEric Dumazet };
98baf60efaSEric Dumazet
99baf60efaSEric Dumazet return socket_match(skb, par, &xt_info_v0);
100a31e1ffdSLaszlo Attila Toth }
101a31e1ffdSLaszlo Attila Toth
102a31e1ffdSLaszlo Attila Toth static bool
socket_mt4_v1_v2_v3(const struct sk_buff * skb,struct xt_action_param * par)10301555e74SHarout Hedeshian socket_mt4_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
104a31e1ffdSLaszlo Attila Toth {
105a31e1ffdSLaszlo Attila Toth return socket_match(skb, par, par->matchinfo);
106a31e1ffdSLaszlo Attila Toth }
107a31e1ffdSLaszlo Attila Toth
1088db4c5beSPablo Neira Ayuso #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
109d64d80a2SDaniel Borkmann static bool
socket_mt6_v1_v2_v3(const struct sk_buff * skb,struct xt_action_param * par)11001555e74SHarout Hedeshian socket_mt6_v1_v2_v3(const struct sk_buff *skb, struct xt_action_param *par)
111d64d80a2SDaniel Borkmann {
112d64d80a2SDaniel Borkmann const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
11301555e74SHarout Hedeshian struct sk_buff *pskb = (struct sk_buff *)skb;
114d64d80a2SDaniel Borkmann struct sock *sk = skb->sk;
115d64d80a2SDaniel Borkmann
11640e4f26eSFlavio Leitner if (sk && !net_eq(xt_net(par), sock_net(sk)))
117f5646501SFlavio Leitner sk = NULL;
118f5646501SFlavio Leitner
11900028aa3SEric Dumazet if (!sk)
120613dbd95SPablo Neira Ayuso sk = nf_sk_lookup_slow_v6(xt_net(par), skb, xt_in(par));
121f5646501SFlavio Leitner
12200028aa3SEric Dumazet if (sk) {
123b64c9256SBalazs Scheidler bool wildcard;
124b64c9256SBalazs Scheidler bool transparent = true;
125b64c9256SBalazs Scheidler
126681f130fSEric Dumazet /* Ignore sockets listening on INADDR_ANY
127681f130fSEric Dumazet * unless XT_SOCKET_NOWILDCARD is set
128681f130fSEric Dumazet */
129681f130fSEric Dumazet wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
130a9407000SEric Dumazet sk_fullsock(sk) &&
131efe4208fSEric Dumazet ipv6_addr_any(&sk->sk_v6_rcv_saddr));
132b64c9256SBalazs Scheidler
133b64c9256SBalazs Scheidler /* Ignore non-transparent sockets,
134a9407000SEric Dumazet * if XT_SOCKET_TRANSPARENT is used
135a9407000SEric Dumazet */
136baf60efaSEric Dumazet if (info->flags & XT_SOCKET_TRANSPARENT)
1378d6e5557SMáté Eckl transparent = inet_sk_transparent(sk);
138b64c9256SBalazs Scheidler
13901555e74SHarout Hedeshian if (info->flags & XT_SOCKET_RESTORESKMARK && !wildcard &&
14089fcbb56SSubash Abhinov Kasiviswanathan transparent && sk_fullsock(sk))
141*3c5b4d69SEric Dumazet pskb->mark = READ_ONCE(sk->sk_mark);
14201555e74SHarout Hedeshian
14300028aa3SEric Dumazet if (sk != skb->sk)
1441a8bf6eeSEric Dumazet sock_gen_put(sk);
145b64c9256SBalazs Scheidler
146b64c9256SBalazs Scheidler if (wildcard || !transparent)
147b64c9256SBalazs Scheidler sk = NULL;
148b64c9256SBalazs Scheidler }
149b64c9256SBalazs Scheidler
150d64d80a2SDaniel Borkmann return sk != NULL;
151b64c9256SBalazs Scheidler }
152b64c9256SBalazs Scheidler #endif
153b64c9256SBalazs Scheidler
socket_mt_enable_defrag(struct net * net,int family)154834184b1SFlorian Westphal static int socket_mt_enable_defrag(struct net *net, int family)
155834184b1SFlorian Westphal {
156834184b1SFlorian Westphal switch (family) {
157834184b1SFlorian Westphal case NFPROTO_IPV4:
158834184b1SFlorian Westphal return nf_defrag_ipv4_enable(net);
1596bd3d192SPeter Tirsek #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
160834184b1SFlorian Westphal case NFPROTO_IPV6:
161834184b1SFlorian Westphal return nf_defrag_ipv6_enable(net);
162834184b1SFlorian Westphal #endif
163834184b1SFlorian Westphal }
164834184b1SFlorian Westphal WARN_ONCE(1, "Unknown family %d\n", family);
165834184b1SFlorian Westphal return 0;
166834184b1SFlorian Westphal }
167834184b1SFlorian Westphal
socket_mt_v1_check(const struct xt_mtchk_param * par)168681f130fSEric Dumazet static int socket_mt_v1_check(const struct xt_mtchk_param *par)
169681f130fSEric Dumazet {
170681f130fSEric Dumazet const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo;
171834184b1SFlorian Westphal int err;
172834184b1SFlorian Westphal
173834184b1SFlorian Westphal err = socket_mt_enable_defrag(par->net, par->family);
174834184b1SFlorian Westphal if (err)
175834184b1SFlorian Westphal return err;
176681f130fSEric Dumazet
177681f130fSEric Dumazet if (info->flags & ~XT_SOCKET_FLAGS_V1) {
178b2606644SFlorian Westphal pr_info_ratelimited("unknown flags 0x%x\n",
179b2606644SFlorian Westphal info->flags & ~XT_SOCKET_FLAGS_V1);
180681f130fSEric Dumazet return -EINVAL;
181681f130fSEric Dumazet }
182681f130fSEric Dumazet return 0;
183681f130fSEric Dumazet }
184681f130fSEric Dumazet
socket_mt_v2_check(const struct xt_mtchk_param * par)185681f130fSEric Dumazet static int socket_mt_v2_check(const struct xt_mtchk_param *par)
186681f130fSEric Dumazet {
187681f130fSEric Dumazet const struct xt_socket_mtinfo2 *info = (struct xt_socket_mtinfo2 *) par->matchinfo;
188834184b1SFlorian Westphal int err;
189834184b1SFlorian Westphal
190834184b1SFlorian Westphal err = socket_mt_enable_defrag(par->net, par->family);
191834184b1SFlorian Westphal if (err)
192834184b1SFlorian Westphal return err;
193681f130fSEric Dumazet
194681f130fSEric Dumazet if (info->flags & ~XT_SOCKET_FLAGS_V2) {
195b2606644SFlorian Westphal pr_info_ratelimited("unknown flags 0x%x\n",
196b2606644SFlorian Westphal info->flags & ~XT_SOCKET_FLAGS_V2);
197681f130fSEric Dumazet return -EINVAL;
198681f130fSEric Dumazet }
199681f130fSEric Dumazet return 0;
200681f130fSEric Dumazet }
201681f130fSEric Dumazet
socket_mt_v3_check(const struct xt_mtchk_param * par)20201555e74SHarout Hedeshian static int socket_mt_v3_check(const struct xt_mtchk_param *par)
20301555e74SHarout Hedeshian {
20401555e74SHarout Hedeshian const struct xt_socket_mtinfo3 *info =
20501555e74SHarout Hedeshian (struct xt_socket_mtinfo3 *)par->matchinfo;
206834184b1SFlorian Westphal int err;
20701555e74SHarout Hedeshian
208834184b1SFlorian Westphal err = socket_mt_enable_defrag(par->net, par->family);
209834184b1SFlorian Westphal if (err)
210834184b1SFlorian Westphal return err;
21101555e74SHarout Hedeshian if (info->flags & ~XT_SOCKET_FLAGS_V3) {
212b2606644SFlorian Westphal pr_info_ratelimited("unknown flags 0x%x\n",
21301555e74SHarout Hedeshian info->flags & ~XT_SOCKET_FLAGS_V3);
21401555e74SHarout Hedeshian return -EINVAL;
21501555e74SHarout Hedeshian }
21601555e74SHarout Hedeshian return 0;
21701555e74SHarout Hedeshian }
21801555e74SHarout Hedeshian
socket_mt_destroy(const struct xt_mtdtor_param * par)219de8c1211SFlorian Westphal static void socket_mt_destroy(const struct xt_mtdtor_param *par)
220de8c1211SFlorian Westphal {
221de8c1211SFlorian Westphal if (par->family == NFPROTO_IPV4)
222de8c1211SFlorian Westphal nf_defrag_ipv4_disable(par->net);
2232874b791SPablo Neira Ayuso #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
224de8c1211SFlorian Westphal else if (par->family == NFPROTO_IPV6)
22575063c92SEric Dumazet nf_defrag_ipv6_disable(par->net);
2262874b791SPablo Neira Ayuso #endif
227de8c1211SFlorian Westphal }
228de8c1211SFlorian Westphal
229a31e1ffdSLaszlo Attila Toth static struct xt_match socket_mt_reg[] __read_mostly = {
230a31e1ffdSLaszlo Attila Toth {
231136cdc71SKOVACS Krisztian .name = "socket",
232a31e1ffdSLaszlo Attila Toth .revision = 0,
233a31e1ffdSLaszlo Attila Toth .family = NFPROTO_IPV4,
234b64c9256SBalazs Scheidler .match = socket_mt4_v0,
235aa3c487fSJan Engelhardt .hooks = (1 << NF_INET_PRE_ROUTING) |
236aa3c487fSJan Engelhardt (1 << NF_INET_LOCAL_IN),
237136cdc71SKOVACS Krisztian .me = THIS_MODULE,
238a31e1ffdSLaszlo Attila Toth },
239a31e1ffdSLaszlo Attila Toth {
240a31e1ffdSLaszlo Attila Toth .name = "socket",
241a31e1ffdSLaszlo Attila Toth .revision = 1,
242a31e1ffdSLaszlo Attila Toth .family = NFPROTO_IPV4,
24301555e74SHarout Hedeshian .match = socket_mt4_v1_v2_v3,
244de8c1211SFlorian Westphal .destroy = socket_mt_destroy,
245681f130fSEric Dumazet .checkentry = socket_mt_v1_check,
246a31e1ffdSLaszlo Attila Toth .matchsize = sizeof(struct xt_socket_mtinfo1),
247aa3c487fSJan Engelhardt .hooks = (1 << NF_INET_PRE_ROUTING) |
248aa3c487fSJan Engelhardt (1 << NF_INET_LOCAL_IN),
249a31e1ffdSLaszlo Attila Toth .me = THIS_MODULE,
250a31e1ffdSLaszlo Attila Toth },
2518db4c5beSPablo Neira Ayuso #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
252b64c9256SBalazs Scheidler {
253b64c9256SBalazs Scheidler .name = "socket",
254b64c9256SBalazs Scheidler .revision = 1,
255b64c9256SBalazs Scheidler .family = NFPROTO_IPV6,
25601555e74SHarout Hedeshian .match = socket_mt6_v1_v2_v3,
257681f130fSEric Dumazet .checkentry = socket_mt_v1_check,
258681f130fSEric Dumazet .matchsize = sizeof(struct xt_socket_mtinfo1),
259de8c1211SFlorian Westphal .destroy = socket_mt_destroy,
260681f130fSEric Dumazet .hooks = (1 << NF_INET_PRE_ROUTING) |
261681f130fSEric Dumazet (1 << NF_INET_LOCAL_IN),
262681f130fSEric Dumazet .me = THIS_MODULE,
263681f130fSEric Dumazet },
264681f130fSEric Dumazet #endif
265681f130fSEric Dumazet {
266681f130fSEric Dumazet .name = "socket",
267681f130fSEric Dumazet .revision = 2,
268681f130fSEric Dumazet .family = NFPROTO_IPV4,
26901555e74SHarout Hedeshian .match = socket_mt4_v1_v2_v3,
270681f130fSEric Dumazet .checkentry = socket_mt_v2_check,
271de8c1211SFlorian Westphal .destroy = socket_mt_destroy,
272681f130fSEric Dumazet .matchsize = sizeof(struct xt_socket_mtinfo1),
273681f130fSEric Dumazet .hooks = (1 << NF_INET_PRE_ROUTING) |
274681f130fSEric Dumazet (1 << NF_INET_LOCAL_IN),
275681f130fSEric Dumazet .me = THIS_MODULE,
276681f130fSEric Dumazet },
2778db4c5beSPablo Neira Ayuso #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
278681f130fSEric Dumazet {
279681f130fSEric Dumazet .name = "socket",
280681f130fSEric Dumazet .revision = 2,
281681f130fSEric Dumazet .family = NFPROTO_IPV6,
28201555e74SHarout Hedeshian .match = socket_mt6_v1_v2_v3,
283681f130fSEric Dumazet .checkentry = socket_mt_v2_check,
284de8c1211SFlorian Westphal .destroy = socket_mt_destroy,
285b64c9256SBalazs Scheidler .matchsize = sizeof(struct xt_socket_mtinfo1),
286b64c9256SBalazs Scheidler .hooks = (1 << NF_INET_PRE_ROUTING) |
287b64c9256SBalazs Scheidler (1 << NF_INET_LOCAL_IN),
288b64c9256SBalazs Scheidler .me = THIS_MODULE,
289b64c9256SBalazs Scheidler },
290b64c9256SBalazs Scheidler #endif
29101555e74SHarout Hedeshian {
29201555e74SHarout Hedeshian .name = "socket",
29301555e74SHarout Hedeshian .revision = 3,
29401555e74SHarout Hedeshian .family = NFPROTO_IPV4,
29501555e74SHarout Hedeshian .match = socket_mt4_v1_v2_v3,
29601555e74SHarout Hedeshian .checkentry = socket_mt_v3_check,
297de8c1211SFlorian Westphal .destroy = socket_mt_destroy,
29801555e74SHarout Hedeshian .matchsize = sizeof(struct xt_socket_mtinfo1),
29901555e74SHarout Hedeshian .hooks = (1 << NF_INET_PRE_ROUTING) |
30001555e74SHarout Hedeshian (1 << NF_INET_LOCAL_IN),
30101555e74SHarout Hedeshian .me = THIS_MODULE,
30201555e74SHarout Hedeshian },
3038db4c5beSPablo Neira Ayuso #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
30401555e74SHarout Hedeshian {
30501555e74SHarout Hedeshian .name = "socket",
30601555e74SHarout Hedeshian .revision = 3,
30701555e74SHarout Hedeshian .family = NFPROTO_IPV6,
30801555e74SHarout Hedeshian .match = socket_mt6_v1_v2_v3,
30901555e74SHarout Hedeshian .checkentry = socket_mt_v3_check,
310de8c1211SFlorian Westphal .destroy = socket_mt_destroy,
31101555e74SHarout Hedeshian .matchsize = sizeof(struct xt_socket_mtinfo1),
31201555e74SHarout Hedeshian .hooks = (1 << NF_INET_PRE_ROUTING) |
31301555e74SHarout Hedeshian (1 << NF_INET_LOCAL_IN),
31401555e74SHarout Hedeshian .me = THIS_MODULE,
31501555e74SHarout Hedeshian },
31601555e74SHarout Hedeshian #endif
317136cdc71SKOVACS Krisztian };
318136cdc71SKOVACS Krisztian
socket_mt_init(void)319136cdc71SKOVACS Krisztian static int __init socket_mt_init(void)
320136cdc71SKOVACS Krisztian {
321a31e1ffdSLaszlo Attila Toth return xt_register_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
322136cdc71SKOVACS Krisztian }
323136cdc71SKOVACS Krisztian
socket_mt_exit(void)324136cdc71SKOVACS Krisztian static void __exit socket_mt_exit(void)
325136cdc71SKOVACS Krisztian {
326a31e1ffdSLaszlo Attila Toth xt_unregister_matches(socket_mt_reg, ARRAY_SIZE(socket_mt_reg));
327136cdc71SKOVACS Krisztian }
328136cdc71SKOVACS Krisztian
329136cdc71SKOVACS Krisztian module_init(socket_mt_init);
330136cdc71SKOVACS Krisztian module_exit(socket_mt_exit);
331136cdc71SKOVACS Krisztian
332136cdc71SKOVACS Krisztian MODULE_LICENSE("GPL");
333136cdc71SKOVACS Krisztian MODULE_AUTHOR("Krisztian Kovacs, Balazs Scheidler");
334136cdc71SKOVACS Krisztian MODULE_DESCRIPTION("x_tables socket match module");
335136cdc71SKOVACS Krisztian MODULE_ALIAS("ipt_socket");
336b64c9256SBalazs Scheidler MODULE_ALIAS("ip6t_socket");
337