/*
 * Resolve a (protocol, 4-tuple, ingress ifindex) to a socket for tproxy.
 *
 * @net:            namespace the lookup is scoped to
 * @protocol:       IPPROTO_TCP or IPPROTO_UDP; anything else is a caller bug
 * @saddr/@sport:   source side of the packet tuple (network byte order)
 * @daddr/@dport:   destination side of the packet tuple (network byte order)
 * @in:             ingress device; only its ifindex is used
 * @listening_only: for TCP, look up only a listener bound on (daddr, dport)
 *                  instead of the full established 4-tuple
 *
 * Returns the socket found by the lookup helpers, or NULL. The helpers hand
 * back a referenced socket, so the caller owns the drop; for TCP the result
 * may be a TIME_WAIT entry, which needs inet_twsk_put() rather than
 * sock_put() (presumably — confirm against the callers).
 */
struct sock *
nf_tproxy_get_sock_v4(struct net *net, const u8 protocol,
		      const __be32 saddr, const __be32 daddr,
		      const __be16 sport, const __be16 dport,
		      const struct net_device *in, bool listening_only)
{
	struct sock *sk = NULL;

	if (protocol == IPPROTO_TCP) {
		/* A listener lookup keys on the local (daddr, dport) only;
		 * the established lookup needs the whole tuple. */
		if (listening_only)
			sk = __inet_lookup_listener(net, &tcp_hashinfo,
						    daddr, ntohs(dport),
						    in->ifindex);
		else
			sk = __inet_lookup(net, &tcp_hashinfo,
					   saddr, sport, daddr, dport,
					   in->ifindex);
	} else if (protocol == IPPROTO_UDP) {
		sk = udp4_lib_lookup(net, saddr, sport, daddr, dport,
				     in->ifindex);
	} else {
		/* Only TCP/UDP are expected here; leave sk NULL and complain. */
		WARN_ON(1);
	}

	pr_debug("tproxy socket lookup: proto %u %08x:%u -> %08x:%u, listener only: %d, sock %p\n",
		 protocol, ntohl(saddr), ntohs(sport), ntohl(daddr), ntohs(dport), listening_only, sk);

	return sk;
}
/* "socket" match based redirection (no specific rule)
 * ===================================================
 *
 * There are connections with dynamic endpoints (e.g. FTP data
 * connection) that the user is unable to add explicit rules
 * for. These are taken care of by a generic "socket" rule. It is
 * assumed that the proxy application is trusted to open such
 * connections without explicit iptables rule (except of course the
 * generic 'socket' rule). In this case the following sockets are
 * matched in preference order:
 *
 *   - match: if there's a fully established connection matching the
 *     _packet_ tuple
 *
 *   - match: if there's a non-zero bound listener (possibly with a
 *     non-local address). We don't accept zero-bound listeners, since
 *     then local services could intercept traffic going through the
 *     box.
 */
/*
 * Look up the socket matching the packet's full 4-tuple on @in.
 *
 * @net:          namespace the lookup is scoped to
 * @protocol:     transport protocol of the packet
 * @saddr/@sport: packet source (network byte order)
 * @daddr/@dport: packet destination (network byte order)
 * @in:           ingress device; only its ifindex is used
 *
 * Returns the socket from the TCP or UDP lookup helper, or NULL for any
 * other protocol. The helpers return a referenced socket; the caller is
 * responsible for releasing it.
 */
static struct sock *
xt_socket_get_sock_v4(struct net *net, const u8 protocol,
		      const __be32 saddr, const __be32 daddr,
		      const __be16 sport, const __be16 dport,
		      const struct net_device *in)
{
	struct sock *found = NULL;

	if (protocol == IPPROTO_TCP)
		found = __inet_lookup(net, &tcp_hashinfo,
				      saddr, sport, daddr, dport,
				      in->ifindex);
	else if (protocol == IPPROTO_UDP)
		found = udp4_lib_lookup(net, saddr, sport, daddr, dport,
					in->ifindex);

	return found;
}
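/*******************************************************************************
Function name: sslvpn_data_packet
Description:   Decide whether an skb belongs to an SSL VPN socket.
Input:         skb
Output:        none
Return value:  0  not an sslvpn packet
               1  sslvpn packet
--------------------------------------------------------------------------------
Last change:
Author:        Xie Yongchao
Purpose:       new function
Date:          2010-08-09
********************************************************************************/
s32 sslvpn_data_packet(struct sk_buff *skb)
{
    s32 ret = 0;

#ifdef CONFIG_KSSL
    if (skb->nh.iph->protocol == IPPROTO_TCP) {
        struct iphdr *iph = skb->nh.iph;
        int ihl = iph->ihl * 4;
        /* NOTE(review): th is placed from the packet's own ihl with no
         * bound check here; presumably the IP receive path validated the
         * header length before this point -- confirm. */
        struct tcphdr *th = (struct tcphdr *)(skb->nh.raw + ihl);
        struct sock *sk;

        sk = __inet_lookup(&init_vrf, 0, &tcp_hashinfo, iph->saddr, th->source,
                           iph->daddr, th->dest, inet_iif(skb));
        if (sk) {
            if (sk->sk_state == TCP_TIME_WAIT) {
                /* A TIME_WAIT hit is an inet_timewait_sock, which shares
                 * only sock_common with struct sock. Fields past that,
                 * ssl included, are not valid on it, so it is classified
                 * as non-sslvpn and released the timewait way. */
                inet_twsk_put(inet_twsk(sk));
            } else {
                /* Full socket: its ssl flag decides the classification. */
                if (sk->ssl)
                    ret = 1;
                sock_put(sk);
            }
        }
    }
#endif

    return ret;
}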