Re: [PATCH 11/13] iptables TPROXY target

Hi Patrick,

On Monday 01 October 2007, Patrick McHardy wrote:
> KOVACS Krisztian wrote:
> > The TPROXY target implements redirection of non-local TCP/UDP traffic
> > to local sockets. Additionally, it's possible to manipulate the
> > packet mark if and only if a socket has been found. (We need this
> > because we cannot use multiple targets in the same iptables rule.)
> >
> > Signed-off-by: KOVACS Krisztian <hidden@xxxxxxxxxx>
> > ---
> > +++ b/include/linux/netfilter_ipv4/ipt_TPROXY.h
> > @@ -0,0 +1,14 @@
> > +#ifndef _IPT_TPROXY_H_target
> > +#define _IPT_TPROXY_H_target
> > +
> > +/* TPROXY target is capable of marking the packet to perform
> > + * redirection. We can get rid of that whenever we get support for
> > + * mutliple targets in the same rule. */
> > +struct ipt_tproxy_target_info {
> > +	__be32 laddr;
> > +	__be16 lport;
> > +	unsigned long mark_mask;
> > +	unsigned long mark_value;
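Review bot: `mark_mask` and `mark_value` are `unsigned long` in a header that userspace iptables compiles as well, so the size and layout of `struct ipt_tproxy_target_info` differ between 32-bit and 64-bit builds and a 32-bit iptables binary on a 64-bit kernel hands over a mismatched target info; the other two fields (`__be32 laddr`, `__be16 lport`) are already fixed-width, so declaring both mark fields as `__u32` keeps the whole struct stable across ABIs and removes the need for any compat translation of it. Also, "mutliple" in the comment should read "multiple".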
>
> This should use fixed size types.

Yes, but marks are unsigned longs, aren't they? So if we restrict this to 
say 32-bit then we lose the ability to use the upper half of the mark...

> > diff --git a/net/netfilter/xt_TPROXY.c b/net/netfilter/xt_TPROXY.c
> > new file mode 100644
> > index 0000000..8603421
> > --- /dev/null
> > +++ b/net/netfilter/xt_TPROXY.c
> > @@ -0,0 +1,139 @@
> > +/*
> > + * Transparent proxy support for Linux/iptables
> > + *
> > + * Copyright (c) 2006-2007 BalaBit IT Ltd.
> > + * Author: Balazs Scheidler, Krisztian Kovacs
> > + *
> > + * This program is free software; you can redistribute it and/or
> > modify + * it under the terms of the GNU General Public License
> > version 2 as + * published by the Free Software Foundation.
> > + *
> > + */
> > +
> > +#include <linux/module.h>
> > +#include <linux/skbuff.h>
> > +#include <linux/ip.h>
> > +#include <net/checksum.h>
> > +#include <net/udp.h>
> > +#include <net/inet_sock.h>
> > +
> > +#include <linux/netfilter/x_tables.h>
> > +#include <linux/netfilter_ipv4/ipt_TPROXY.h>
> > +
> > +#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
> > +#include <net/netfilter/nf_tproxy_core.h>
> > +
> > +static unsigned int
> > +target(struct sk_buff **pskb,
> > +       const struct net_device *in,
> > +       const struct net_device *out,
> > +       unsigned int hooknum,
> > +       const struct xt_target *target,
> > +       const void *targinfo)
> > +{
> > +	const struct iphdr *iph = ip_hdr(*pskb);
> > +	const struct ipt_tproxy_target_info *tgi =
> > +		(const struct ipt_tproxy_target_info *) targinfo;
> > +	struct sk_buff *skb = *pskb;
> > +	struct udphdr _hdr, *hp;
> > +	struct sock *sk;
> > +
> > +	/* TCP/UDP only */
> > +	if ((iph->protocol != IPPROTO_TCP) &&
> > +	    (iph->protocol != IPPROTO_UDP))
> > +		return NF_ACCEPT;
> > +
> > +	hp = skb_header_pointer(*pskb, iph->ihl * 4, sizeof(_hdr), &_hdr);
> > +	if (hp == NULL)
> > +		return NF_DROP;
> > +
> > +	sk = nf_tproxy_get_sock_v4(iph->protocol,
> > +				   iph->saddr, tgi->laddr ? tgi->laddr : iph->daddr,
> > +				   hp->source, tgi->lport ? tgi->lport : hp->dest,
> > +				   in, true);
> >
> > +
> > +	/* NOTE: assign_sock consumes our sk reference */
> > +	if (sk && nf_tproxy_assign_sock(skb, sk)) {
> > +		/* This should be in a separate target, but we don't do multiple
> > +		   targets on the same rule yet */
> > +		skb->mark = (skb->mark & ~tgi->mark_mask) ^ tgi->mark_value;
> > +
> > +		pr_debug("redirecting: proto %d %08x:%d -> %08x:%d, mark: %x\n",
> > +			 iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
> > +			 ntohl(tgi->laddr), ntohs(tgi->lport), skb->mark);
> > +		return NF_ACCEPT;
> > +	}
> > +	else {
> > +		pr_debug("no socket, dropping: proto %d %08x:%d -> %08x:%d, mark:
> > %x\n", +			 iph->protocol, ntohl(iph->daddr), ntohs(hp->dest),
> > +			 ntohl(tgi->laddr), ntohs(tgi->lport), skb->mark);
> > +		return NF_DROP;
> > +	}
> > +}
> > +
> > +#ifdef CONFIG_COMPAT
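Review bot: in the `else` branch the `sk` reference returned by `nf_tproxy_get_sock_v4()` is never released when `sk` is non-NULL but `nf_tproxy_assign_sock()` returned false; the comment "assign_sock consumes our sk reference" should say whether that also holds on the failure path, because otherwise every packet dropped here leaks a socket reference. Two smaller points: `_hdr` is a `struct udphdr` that is also used to read TCP ports, which only works because `source` and `dest` occupy the same first four bytes of both headers and deserves a comment saying so; and both `pr_debug()` calls print `tgi->laddr` / `tgi->lport` rather than the effective lookup values, so they show 0 whenever the rule relies on the `iph->daddr` / `hp->dest` fallback.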
>
> All this compat stuff becomes unnecessary with fixed size types.



-- 
 KOVACS Krisztian