0001 #ifndef _NF_TPROXY_H_
0002 #define _NF_TPROXY_H_
0003 
0004 #include <net/tcp.h>
0005 
/*
 * Which kind of socket nf_tproxy_get_sock_v4()/nf_tproxy_get_sock_v6()
 * should search for. The values are pinned explicitly so that the
 * numbering stays stable if a member is ever inserted.
 */
enum nf_tproxy_lookup_t {
    /* a listening socket matching the redirection target */
    NF_TPROXY_LOOKUP_LISTENER = 0,
    /* a fully established connection matching the packet tuple */
    NF_TPROXY_LOOKUP_ESTABLISHED = 1,
};
0010 
/**
 * nf_tproxy_sk_is_transparent - check whether @sk is a transparent socket
 * @sk: Socket whose reference the caller currently holds.
 *
 * Returns true, and leaves the reference with the caller, when
 * inet_sk_transparent() reports @sk as transparent. Otherwise the
 * reference is released with sock_gen_put() and false is returned, so
 * after a false result the caller no longer owns @sk and must not touch
 * it again (doing so would be a use-after-put).
 */
static inline bool nf_tproxy_sk_is_transparent(struct sock *sk)
{
    bool transparent = inet_sk_transparent(sk);

    /* Non-transparent sockets are of no use to TPROXY: drop the reference
     * here so the caller only has to deal with the true path. */
    if (!transparent)
        sock_gen_put(sk);

    return transparent;
}
0019 
/**
 * nf_tproxy_assign_sock - assign a socket to the skb -- consumes sk
 * @skb: The skb that is to be owned by @sk.
 * @sk:  Socket reference that is handed over to @skb.
 *
 * Ownership of the caller's reference to @sk moves to @skb: the skb's
 * destructor is set to sock_edemux, which is what releases the reference
 * once the skb is freed. The caller must therefore not put @sk itself
 * afterwards (that would be a double put).
 */
static inline void nf_tproxy_assign_sock(struct sk_buff *skb, struct sock *sk)
{
    /* Detach whatever owner the skb already has before installing the new
     * one. NOTE(review): keep this ahead of the skb->sk store -- the
     * ordering is what makes the hand-over safe. */
    skb_orphan(skb);
    skb->sk = sk;
    skb->destructor = sock_edemux;
}
0027 
/**
 * nf_tproxy_laddr4 - pick the IPv4 address a packet should be redirected to
 * @skb:        The skb being processed.
 * @user_laddr: Address configured in the rule, or zero.
 * @daddr:      Destination address of the packet.
 *
 * NOTE(review): the selection rule is not visible in this header. The
 * kernel-doc of nf_tproxy_handle_time_wait4() describes the redirect
 * address as "IPv4 address to redirect to or zero", which suggests a zero
 * @user_laddr means "derive a local address from @skb/@daddr" -- confirm
 * against the definition before relying on it.
 */
__be32 nf_tproxy_laddr4(struct sk_buff *skb, __be32 user_laddr, __be32 daddr);
0029 
/**
 * nf_tproxy_handle_time_wait4 - handle IPv4 TCP TIME_WAIT reopen redirections
 * @net:    Network namespace.
 * @skb:    The skb being processed.
 * @laddr:  IPv4 address to redirect to or zero.
 * @lport:  TCP port to redirect to or zero.
 * @sk:     The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait4() consumes the socket reference passed in.
 * Because of that, the caller may only touch @sk again through the
 * returned pointer (when the TIME_WAIT socket is what comes back).
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait4(struct net *net, struct sk_buff *skb,
                __be32 laddr, __be16 lport, struct sock *sk);
0050 
/**
 * nf_tproxy_get_sock_v4 - look up the socket a redirected IPv4 packet belongs to
 * @net:         Network namespace.
 * @skb:         The skb being processed.
 * @protocol:    Transport protocol number.
 * @saddr:       Source IPv4 address of the tuple to look up.
 * @daddr:       Destination IPv4 address of the tuple to look up.
 * @sport:       Source port of the tuple to look up.
 * @dport:       Destination port of the tuple to look up.
 * @in:          Input network device.
 * @lookup_type: Which kind of socket to search for, see enum nf_tproxy_lookup_t.
 *
 * This is used when the user wants to intercept a connection matching
 * an explicit iptables rule. In this case the sockets are assumed
 * matching in preference order:
 *
 *   - match: if there's a fully established connection matching the
 *     _packet_ tuple, it is returned, assuming the redirection
 *     already took place and we process a packet belonging to an
 *     established connection
 *
 *   - match: if there's a listening socket matching the redirection
 *     (e.g. on-port & on-ip of the connection), it is returned,
 *     regardless of whether it was bound to 0.0.0.0 or an explicit
 *     address. The reasoning is that if there's an explicit rule, it
 *     does not really matter if the listener is bound to an interface
 *     or to 0. The user has already asked for redirection by adding
 *     the rule.
 *
 * Please note that there's an overlap between what a TPROXY target
 * and a socket match will match. Normally if you have both rules the
 * "socket" match will be the first one, effectively all packets
 * belonging to established connections going through that one.
 *
 * NOTE(review): the not-found return value is not stated in this header
 * (presumably NULL -- confirm against the definition). The returned socket
 * is presumably a counted reference that the caller owns; the helpers
 * above (nf_tproxy_sk_is_transparent(), nf_tproxy_assign_sock()) are the
 * ones that consume it.
 */
struct sock *
nf_tproxy_get_sock_v4(struct net *net, struct sk_buff *skb,
              const u8 protocol,
              const __be32 saddr, const __be32 daddr,
              const __be16 sport, const __be16 dport,
              const struct net_device *in,
              const enum nf_tproxy_lookup_t lookup_type);
0081 
/**
 * nf_tproxy_laddr6 - pick the IPv6 address a packet should be redirected to
 * @skb:        The skb being processed.
 * @user_laddr: Address configured in the rule.
 * @daddr:      Destination address of the packet.
 *
 * IPv6 counterpart of nf_tproxy_laddr4(). NOTE(review): the selection rule
 * and the meaning of an unspecified @user_laddr are not visible in this
 * header -- confirm against the definition.
 */
const struct in6_addr *
nf_tproxy_laddr6(struct sk_buff *skb, const struct in6_addr *user_laddr,
         const struct in6_addr *daddr);
0085 
/**
 * nf_tproxy_handle_time_wait6 - handle IPv6 TCP TIME_WAIT reopen redirections
 * @skb:    The skb being processed.
 * @tproto: Transport protocol.
 * @thoff:  Transport protocol header offset.
 * @net:    Network namespace.
 * @laddr:  IPv6 address to redirect to.
 * @lport:  TCP port to redirect to or zero.
 * @sk:     The TIME_WAIT TCP socket found by the lookup.
 *
 * We have to handle SYN packets arriving to TIME_WAIT sockets
 * differently: instead of reopening the connection we should rather
 * redirect the new connection to the proxy if there's a listener
 * socket present.
 *
 * nf_tproxy_handle_time_wait6() consumes the socket reference passed in.
 * Because of that, the caller may only touch @sk again through the
 * returned pointer (when the TIME_WAIT socket is what comes back).
 *
 * Returns the listener socket if there's one, the TIME_WAIT socket if
 * no such listener is found, or NULL if the TCP header is incomplete.
 */
struct sock *
nf_tproxy_handle_time_wait6(struct sk_buff *skb, int tproto, int thoff,
                struct net *net,
                const struct in6_addr *laddr,
                const __be16 lport,
                struct sock *sk);
0112 
/**
 * nf_tproxy_get_sock_v6 - look up the socket a redirected IPv6 packet belongs to
 * @net:         Network namespace.
 * @skb:         The skb being processed.
 * @thoff:       Transport protocol header offset.
 * @protocol:    Transport protocol number.
 * @saddr:       Source IPv6 address of the tuple to look up.
 * @daddr:       Destination IPv6 address of the tuple to look up.
 * @sport:       Source port of the tuple to look up.
 * @dport:       Destination port of the tuple to look up.
 * @in:          Input network device.
 * @lookup_type: Which kind of socket to search for, see enum nf_tproxy_lookup_t.
 *
 * IPv6 counterpart of nf_tproxy_get_sock_v4(); the preference order
 * between established and listening sockets is described there.
 *
 * NOTE(review): the not-found return value is not stated in this header
 * (presumably NULL -- confirm against the definition). The returned socket
 * is presumably a counted reference that the caller owns; the helpers
 * above (nf_tproxy_sk_is_transparent(), nf_tproxy_assign_sock()) are the
 * ones that consume it.
 */
struct sock *
nf_tproxy_get_sock_v6(struct net *net, struct sk_buff *skb, int thoff,
              const u8 protocol,
              const struct in6_addr *saddr, const struct in6_addr *daddr,
              const __be16 sport, const __be16 dport,
              const struct net_device *in,
              const enum nf_tproxy_lookup_t lookup_type);
0120 
0121 #endif /* _NF_TPROXY_H_ */