* DEBUG: section 89 NAT / IP Interception
* AUTHOR: Robert Collins
* AUTHOR: Amos Jeffries
#ifndef SQUID_IPINTERCEPTION_H
#define SQUID_IPINTERCEPTION_H
#include "SquidTime.h"
\defgroup IpInterceptAPI IP Interception and Transparent Proxy API
\ingroup SquidComponent
* There is no formal state-machine for transparency and interception;
* instead there is this neutral API which other connection state machines
* and the comm layer use to co-ordinate their own state for transparency.
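/// Construct with both transparency and interception switched off and no
/// NAT error reported yet (last_reported == 0). The Start*() calls made
/// during squid.conf parsing are what turn the two modes on.
IpIntercept() : transparent_active(0), intercept_active(0), last_reported(0) {}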
/** Perform NAT lookups for the TCP connection on fd, filling in client and dst
 *  from the OS NAT/TPROXY tables via the platform-specific helpers declared below.
 *  NOTE(review): the return convention is not documented here; presumably 0 on
 *  success and -1 on error, matching those helpers — confirm against the implementation.
 */
int NatLookup(int fd, const IpAddress &me, const IpAddress &peer, IpAddress &client, IpAddress &dst);
// Only relevant to TPROXY v2 connections,
// which require the outgoing source address to be set explicitly after connect().
int SetTproxy2OutgoingAddr(int fd, const IpAddress &src);
* Test system networking calls for TPROXY support.
* Detects whether the IPv6/IPv4 level of support matches the address being listened on,
* and whether the compiled-in TPROXY v2/v4 support is usable all the way down to a bind().
* \param test Address set on the http(s)_port being checked.
* \retval true TPROXY is available.
* \retval false TPROXY is not available.
bool ProbeForTproxy(IpAddress &test);
\retval 0 Full transparency is disabled.
\retval 1 Full transparency is enabled and active.
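/** Report whether fully-transparent proxying is enabled for new connections.
 *  Declared const: it only reads transparent_active and never changes state.
 *  \retval 0 Full transparency is disabled.
 *  \retval 1 Full transparency is enabled and active.
 */
inline int TransparentActive() const { return transparent_active; }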
* Turn on fully Transparent-Proxy activities.
* This function should be called during parsing of the squid.conf
* When any option requiring full-transparency is encountered.
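/** Turn on fully Transparent-Proxy activities for new connections.
 *  Intended to be called while squid.conf is parsed, when an option requiring
 *  full transparency is encountered; it simply raises the flag that
 *  TransparentActive() reports.
 */
inline void StartTransparency() { transparent_active = 1; }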
* Turn off fully Transparent-Proxy activities on all new connections.
* Existing transactions and connections are unaffected and will run
* to their natural completion.
\param str Reason for stopping. Will be logged to cache.log
void StopTransparency(const char *str);
\retval 0 IP Interception is disabled.
\retval 1 IP Interception is enabled and active.
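/** Report whether IP interception (NAT-based) proxying is enabled for new connections.
 *  Declared const: it only reads intercept_active and never changes state.
 *  \retval 0 IP Interception is disabled.
 *  \retval 1 IP Interception is enabled and active.
 */
inline int InterceptActive() const { return intercept_active; }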
* Turn on IP-Interception-Proxy activities.
* This function should be called during parsing of the squid.conf
* When any option requiring interception / NAT handling is encountered.
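/** Turn on IP-Interception-Proxy activities for new connections.
 *  Intended to be called while squid.conf is parsed, when an option requiring
 *  interception / NAT handling is encountered; it simply raises the flag that
 *  InterceptActive() reports.
 */
inline void StartInterception() { intercept_active = 1; }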
* Turn off IP-Interception-Proxy activities on all new connections.
* Existing transactions and connections are unaffected and will run
* to their natural completion.
\param str Reason for stopping. Will be logged to cache.log
 * NOTE(review): the declaration below is marked inline but no definition appears in
 * this header. An inline function must be defined in every translation unit that
 * calls it, so either define it here or drop the inline qualifier, as StopTransparency() does.
inline void StopInterception(const char *str);
* Perform lookups on Netfilter interception targets (REDIRECT, DNAT).
\param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
\param fd FD for the current TCP connection being tested.
\param me IP address on which Squid received the connection.
\param client IP address from which Squid received the connection.
* May be updated by the NAT table information.
* Default is the same value as the me IP address.
\retval 0 Successfully located the new address.
\retval -1 An error occurred during NAT lookups.
int NetfilterInterception(int fd, const IpAddress &me, IpAddress &client, int silent);
* Perform lookups on Netfilter fully-transparent interception targets (TPROXY).
\param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
\param fd FD for the current TCP connection being tested.
\param me IP address on which Squid received the connection.
\param dst IP address to which the request was made.
* expected to be updated from the NAT table information.
* Default is the same value as the peer IP address sent to NatLookup().
\retval 0 Successfully located the new address.
\retval -1 An error occurred during NAT lookups.
int NetfilterTransparent(int fd, const IpAddress &me, IpAddress &dst, int silent);
* Perform lookups on IPFW interception.
\param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
\param fd FD for the current TCP connection being tested.
\param me IP address on which Squid received the connection.
\param client IP address from which Squid received the connection.
* May be updated by the NAT table information.
* Default is the same value as the me IP address.
\retval 0 Successfully located the new address.
\retval -1 An error occurred during NAT lookups.
int IpfwInterception(int fd, const IpAddress &me, IpAddress &client, int silent);
* Perform lookups on IPF interception.
\param[in] silent 0 if errors are to be displayed. 1 if errors are to be hidden.
\retval 0 Successfully located the new address.
\retval -1 An error occurred during NAT lookups.
int IpfInterception(int fd, const IpAddress &me, IpAddress &client, IpAddress &dst, int silent);
* Perform lookups on PF interception.
\param[in] silent 0 if errors are to be displayed. 1 if errors are to be hidden.
\retval 0 Successfully located the new address.
\retval -1 An error occurred during NAT lookups.
int PfInterception(int fd, const IpAddress &me, IpAddress &client, IpAddress &dst, int silent);
int transparent_active;
int intercept_active;
time_t last_reported; /**< Time of last error report. Throttles NAT error display to 1 per minute */
#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)
/// \ingroup IpInterceptAPI
/// Fallback for Linux headers that do not yet define IP_TRANSPARENT. The value
/// must equal the kernel's own definition from <linux/in.h>; a mismatch would
/// silently set a different socket option instead of enabling transparency.
#define IP_TRANSPARENT 19
\ingroup IpInterceptAPI
* Globally available instance of the IP Interception manager.
extern IpIntercept IpInterceptor;
#endif /* SQUID_IPINTERCEPTION_H */