Re: [PATCH 11/13] xtables TPROXY target

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sep 30 2007 22:53, KOVACS Krisztian wrote:
>The TPROXY target implements redirection of non-local TCP/UDP traffic to local
>sockets. Additionally, it's possible to manipulate the packet mark if and only
>if a socket has been found. (We need this because we cannot use multiple
>targets in the same iptables rule.)

This provides xt_TPROXY.

===
iptables TPROXY target

From: KOVACS Krisztian <hidden@xxxxxxxxxx>

The TPROXY target implements redirection of non-local TCP/UDP traffic
to local sockets. It is simply a wrapper around functionality exported
from iptable_tproxy.

Signed-off-by: Jan Engelhardt <jengelh@xxxxxxxxxxxxxxx>
---

 include/linux/netfilter/xt_TPROXY.h |    9 ++++
 net/ipv4/netfilter/Kconfig          |   11 +++++
 net/netfilter/Makefile              |    1 
 net/netfilter/xt_TPROXY.c           |   76 ++++++++++++++++++++++++++++++++++++
 4 files changed, 97 insertions(+)

Index: linux-2.6.22.1/include/linux/netfilter/xt_TPROXY.h
===================================================================
--- /dev/null
+++ linux-2.6.22.1/include/linux/netfilter/xt_TPROXY.h
@@ -0,0 +1,9 @@
+#ifndef _XT_TPROXY_H
+#define _XT_TPROXY_H
+
+struct xt_tproxy_info {
+	u_int32_t laddr;
+	u_int16_t lport;
+};
+
+#endif /* _XT_TPROXY_H */
Index: linux-2.6.22.1/net/ipv4/netfilter/Kconfig
===================================================================
--- linux-2.6.22.1.orig/net/ipv4/netfilter/Kconfig
+++ linux-2.6.22.1/net/ipv4/netfilter/Kconfig
@@ -403,6 +403,17 @@ config IP_NF_TPROXY_TABLE
 
 	  To compile it as a module, choose M here.  If unsure, say `N'.
 
+config NETFILTER_XT_TARGET_TPROXY
+	tristate "TPROXY target support"
+	depends on IP_NF_TPROXY_TABLE
+	help
+	  This option adds a `TPROXY' target, which is somewhat similar to
+	  REDIRECT.  It can only be used in the tproxy table and is useful
+	  to redirect traffic to a transparent proxy.  It does _not_ depend
+	  on Netfilter connection tracking.
+
+	  To compile it as a module, choose M here.  If unsure, say N.
+
 # ARP tables
 config IP_NF_ARPTABLES
 	tristate "ARP tables support"
Index: linux-2.6.22.1/net/netfilter/Makefile
===================================================================
--- linux-2.6.22.1.orig/net/netfilter/Makefile
+++ linux-2.6.22.1/net/netfilter/Makefile
@@ -50,6 +50,7 @@ obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) 
 obj-$(CONFIG_NETFILTER_XT_TARGET_SECMARK) += xt_SECMARK.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TARPIT) += xt_TARPIT.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
+obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
 obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
 
 # matches
Index: linux-2.6.22.1/net/netfilter/xt_TPROXY.c
===================================================================
--- /dev/null
+++ linux-2.6.22.1/net/netfilter/xt_TPROXY.c
@@ -0,0 +1,76 @@
+/*
+ * Transparent proxy support for Linux/iptables
+ *
+ * Copyright (c) 2006-2007 BalaBit IT Ltd.
+ * Author: Balazs Scheidler, Krisztian Kovacs
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+#include <linux/ip.h>
+#include <linux/kernel.h>
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter_ipv4/ip_tables.h>
+#include <linux/netfilter_ipv4/ip_tproxy.h>
+#include <linux/netfilter/xt_TPROXY.h>
+#include <net/checksum.h>
+#include <net/inet_sock.h>
+#include <net/udp.h>
+
+static unsigned int
+tproxy_target(struct sk_buff **pskb, const struct net_device *in,
+              const struct net_device *out, unsigned int hooknum,
+              const struct xt_target *target, const void *targinfo)
+{
+	const struct xt_tproxy_info *tgi = targinfo;
+	const struct iphdr *iph = ip_hdr(*pskb);
+	struct sk_buff *skb = *pskb;
+	struct udphdr _hdr, *hp;
+
+	/* TCP/UDP only */
+	if (iph->protocol != IPPROTO_TCP && iph->protocol != IPPROTO_UDP)
+		return NF_ACCEPT;
+
+	hp = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_hdr), &_hdr);
+	if (hp == NULL)
+		return NF_DROP;
+
+	skb->nf_tproxy.redirect_address = tgi->laddr ? : iph->daddr;
+	skb->nf_tproxy.redirect_port    = tgi->lport ? : hp->dest;
+
+	pr_debug(KERN_DEBUG "redirecting: proto %d %08x:%d -> %08x:%d\n",
+	         iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
+	         ntohl(skb->nf_tproxy.redirect_address),
+	         ntohs(skb->nf_tproxy.redirect_port));
+
+	return NF_ACCEPT;
+}
+
+static struct xt_target xt_tproxy_reg __read_mostly = {
+	.name       = "TPROXY",
+	.family     = AF_INET,
+	.table      = "tproxy",
+	.target     = tproxy_target,
+	.targetsize = sizeof(struct xt_tproxy_info),
+	.me         = THIS_MODULE,
+};
+
+static int __init xt_tproxy_init(void)
+{
+	return xt_register_target(&xt_tproxy_reg);
+}
+
+static void __exit xt_tproxy_exit(void)
+{
+	xt_unregister_target(&xt_tproxy_reg);
+}
+
+module_init(xt_tproxy_init);
+module_exit(xt_tproxy_exit);
+MODULE_AUTHOR("Krisztian Kovacs <hidden@xxxxxxxxxx>");
+MODULE_DESCRIPTION("Netfilter transparent proxy TPROXY target module");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_TPROXY");
-
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Index of Archives]     [Netfitler Users]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux