/*
 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 89    NAT / IP Interception */
10 
11 #ifndef SQUID_IP_IPINTERCEPT_H
12 #define SQUID_IP_IPINTERCEPT_H
13 
14 /* for time_t */
15 #include "SquidTime.h"
16 
17 namespace Ip
18 {
19 
20 class Address;
21 
/**
 \defgroup IpInterceptAPI IP Interception and Transparent Proxy API
 \ingroup SquidComponent
 \par
 * There is no formal state-machine for transparency and interception;
 * instead there is this neutral API, which other connection state machines
 * and the comm layer use to co-ordinate their own state for transparency.
 */
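class Intercept
{
public:
    /// Both transparency and interception start disabled; nothing is
    /// reported until an error actually occurs (lastReported_ == 0).
    Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}
    ~Intercept() {}

    /**
     * Perform NAT lookups for a newly accepted connection.
     *
     * \param newConn     The accepted connection. Presumably updated with the
     *                    looked-up addresses, as the private helpers below do
     *                    with their newConn parameter -- verify in the .cc.
     * \param listenConn  The listening connection that accepted newConn.
     * \return            Whether the lookup succeeded. Callers must honour a
     *                    false return: the original destination has not been
     *                    established and newConn must not be used as if it had.
     */
    bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn);

    /**
     * Test system networking calls for TPROXY support.
     * Detects whether the IPv6 and IPv4 level of support matches the address
     * being listened on, and whether the compiled v2/v4 code is usable as far
     * down as a bind().
     *
     * \param test    Address set on the squid.conf *_port being checked.
     * \retval true   TPROXY is available.
     * \retval false  TPROXY is not available.
     */
    bool ProbeForTproxy(Address &test);

    /**
     \retval 0  Full transparency is disabled.
     \retval 1  Full transparency is enabled and active.
     */
    inline int TransparentActive() const { return transparentActive_; }

    /** \par
     * Turn on fully Transparent-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * when any option requiring full-transparency is encountered.
     */
    inline void StartTransparency() { transparentActive_=1; }

    /** \par
     * Turn off fully Transparent-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str    Reason for stopping. Will be logged to cache.log
     */
    void StopTransparency(const char *str);

    /**
     \retval 0  IP Interception is disabled.
     \retval 1  IP Interception is enabled and active.
     */
    inline int InterceptActive() const { return interceptActive_; }

    /** \par
     * Turn on IP-Interception-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * when any option requiring interception / NAT handling is encountered.
     */
    inline void StartInterception() { interceptActive_=1; }

    /** \par
     * Turn off IP-Interception-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str    Reason for stopping. Will be logged to cache.log
     */
    // Not 'inline': the definition lives outside this header, and an inline
    // function must be defined in every translation unit that uses it.
    // Declared the same way as StopTransparency() above.
    void StopInterception(const char *str);

private:

    /**
     * Perform lookups on fully-transparent interception targets (TPROXY).
     * Supports Netfilter, PF and IPFW.
     *
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn  Details known, to be updated where relevant.
     * \return         Whether the new address was successfully located.
     */
    bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on Netfilter interception targets (REDIRECT, DNAT).
     *
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn  Details known, to be updated where relevant.
     * \return         Whether the new address was successfully located.
     */
    bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPFW interception.
     *
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn  Details known, to be updated where relevant.
     * \return         Whether the new address was successfully located.
     */
    bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on IPF interception.
     *
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn  Details known, to be updated where relevant.
     * \return         Whether the new address was successfully located.
     */
    bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * Perform lookups on PF interception target (REDIRECT).
     *
     * \param silent   0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn  Details known, to be updated where relevant.
     * \return         Whether the new address was successfully located.
     */
    bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);

    int transparentActive_;  ///< 1 once StartTransparency() has run, 0 otherwise (see StopTransparency()).
    int interceptActive_;    ///< 1 once StartInterception() has run, 0 otherwise (see StopInterception()).
    time_t lastReported_;    /**< Time of last error report. Throttles NAT error display to 1 per minute */
};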
144 
#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
/// \ingroup IpInterceptAPI
/// Fallback for Linux builds whose system headers do not define the
/// IP_TRANSPARENT socket option. Only used when the headers lack it, so a
/// header-provided value always takes precedence over this constant.
#define IP_TRANSPARENT 19
#endif

/**
 \ingroup IpInterceptAPI
 * Globally available instance of the IP Interception manager.
 * All transparency/interception state queries and lookups go through
 * this single object; its definition lives outside this header.
 */
extern Intercept Interceptor;
155 
156 } // namespace Ip
157 
158 #endif /* SQUID_IP_IPINTERCEPT_H */
159 
160