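/*
 * Copyright (C) 1996-2021 The Squid Software Foundation and contributors
 *
 * Squid software is distributed under GPLv2+ license and includes
 * contributions from numerous individuals and organizations.
 * Please see the COPYING and CONTRIBUTORS files for details.
 */

/* DEBUG: section 89    NAT / IP Interception */

#ifndef SQUID_IP_IPINTERCEPT_H
#define SQUID_IP_IPINTERCEPT_H

/* for time_t */
#include "SquidTime.h"

/*
 * NOTE(review): Comm::ConnectionPointer is used below but not declared by
 * this header; it is expected to come from an earlier include in the
 * including translation unit (presumably comm/forward.h) - confirm.
 */

namespace Ip
{

class Address;

/**
 \defgroup IpInterceptAPI IP Interception and Transparent Proxy API
 \ingroup SquidComponent
 \par
 * There is no formal state-machine for transparency and interception
 * instead there is this neutral API which other connection state machines
 * and the comm layer use to co-ordinate their own state for transparency.
 *
 * Both modes start disabled; they are switched on while squid.conf is
 * parsed and can be switched off again at runtime when the OS facility
 * turns out to be unusable. Switching off never touches connections that
 * are already established.
 */
class Intercept
{
public:
    /// Both transparency and interception are off, and no NAT error has
    /// been reported yet (lastReported_ == 0).
    Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {}
    ~Intercept() {}

    /**
     * Perform NAT lookups to recover the original destination of an
     * intercepted client connection.
     *
     * \param newConn    the accepted client connection; updated in place
     *                   with the recovered destination where relevant.
     * \param listenConn the *_port listener that accepted it.
     * \retval true  the original destination was located.
     * \retval false the lookup failed; the original destination is unknown.
     *
     * NOTE(review): on false the proxy has no trustworthy notion of where
     * the client was going. Callers should fail the transaction rather than
     * substitute client-supplied data (e.g. the HTTP Host header) for the
     * NAT result - confirm against the callers in the comm/client layers.
     */
    bool Lookup(const Comm::ConnectionPointer &newConn, const Comm::ConnectionPointer &listenConn);

    /**
     * Test system networking calls for TPROXY support.
     * Detects IPv6 and IPv4 level of support matches the address being listened on
     * and if the compiled v2/v4 is usable as far down as a bind()ing.
     *
     * \param test Address set on the squid.conf *_port being checked.
     * \retval true TPROXY is available.
     * \retval false TPROXY is not available.
     */
    bool ProbeForTproxy(Address &test);

    /**
     \retval 0 Full transparency is disabled.
     \retval 1 Full transparency is enabled and active.
     */
    int TransparentActive() const { return transparentActive_; }

    /** \par
     * Turn on fully Transparent-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * When any option requiring full-transparency is encountered.
     */
    void StartTransparency() { transparentActive_ = 1; }

    /** \par
     * Turn off fully Transparent-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str Reason for stopping. Will be logged to cache.log
     */
    void StopTransparency(const char *str);

    /**
     \retval 0 IP Interception is disabled.
     \retval 1 IP Interception is enabled and active.
     */
    int InterceptActive() const { return interceptActive_; }

    /** \par
     * Turn on IP-Interception-Proxy activities.
     * This function should be called during parsing of the squid.conf
     * When any option requiring interception / NAT handling is encountered.
     */
    void StartInterception() { interceptActive_ = 1; }

    /** \par
     * Turn off IP-Interception-Proxy activities on all new connections.
     * Existing transactions and connections are unaffected and will run
     * to their natural completion.
     \param str Reason for stopping. Will be logged to cache.log
     *
     * Defined out-of-line, the same way as StopTransparency(). It was
     * previously declared `inline` without an in-header definition, which
     * makes every translation unit that calls it responsible for providing
     * the definition - any caller outside the defining .cc would fail to
     * link.
     */
    void StopInterception(const char *str);

private:

    /**
     * perform Lookups on fully-transparent interception targets (TPROXY).
     * Supports Netfilter, PF and IPFW.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on Netfilter interception targets (REDIRECT, DNAT).
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on IPFW interception.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on IPF interception.
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);

    /**
     * perform Lookups on PF interception target (REDIRECT).
     *
     * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
     * \param newConn Details known, to be updated where relevant.
     * \return Whether successfully located the new address.
     */
    bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);

    int transparentActive_; ///< 1 while full transparency (TPROXY) is enabled, else 0
    int interceptActive_;   ///< 1 while NAT interception is enabled, else 0
    time_t lastReported_;   /**< Time of last error report. Throttles NAT error display to 1 per minute */
};

#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
/// \ingroup IpInterceptAPI
/// Fallback socket option number used only when the system headers do not
/// define IP_TRANSPARENT themselves. It must agree with the value the target
/// kernel uses, otherwise setsockopt() will set (or fail on) the wrong option.
#define IP_TRANSPARENT 19
#endif

/**
 \ingroup IpInterceptAPI
 * Globally available instance of the IP Interception manager.
 */
extern Intercept Interceptor;

} // namespace Ip

#endif /* SQUID_IP_IPINTERCEPT_H */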