*
* DEBUG: section 89 NAT / IP Interception
* AUTHOR: Robert Collins
+ * AUTHOR: Amos Jeffries
*
* SQUID Web Proxy Cache http://www.squid-cache.org/
* ----------------------------------------------------------
// single global instance for access by other components.
IPIntercept IPInterceptor;
+void
+IPIntercept::StopTransparency(const char *str) {
+ debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str);
+ transparent_active = 0;
+}
+
+void
+IPIntercept::StopInterception(const char *str) {
+ debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str);
+ intercept_active = 0;
+}
// TODO split this one call into one per transparency method
// with specific switching at run-time ??
/*
* $Id: IPInterception.h,v 1.7 2007/12/14 23:11:45 amosjeffries Exp $
*
- *
- * SQUID Web Proxy Cache http://www.squid-cache.org/
- * ----------------------------------------------------------
- *
- * Squid is the result of efforts by numerous individuals from
- * the Internet community; see the CONTRIBUTORS file for full
- * details. Many organizations have provided support for Squid's
- * development; see the SPONSORS file for full details. Squid is
- * Copyrighted (C) 2001 by the Regents of the University of
- * California; see the COPYRIGHT file for full details. Squid
- * incorporates software developed and/or copyrighted by other
- * sources; see the CREDITS file for full details.
- *
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * This program is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with this program; if not, write to the Free Software
- * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
+ * DEBUG: section 89 NAT / IP Interception
+ * AUTHOR: Robert Collins
+ * AUTHOR: Amos Jeffries
*
*/
#ifndef SQUID_IPINTERCEPTION_H
class IPIntercept
{
public:
+ IPIntercept() : transparent_active(0), intercept_active(0) {};
+ ~IPIntercept() {};
+
int NatLookup(int fd, const IPAddress &me, const IPAddress &peer, IPAddress &dst);
#if LINUX_TPROXY2
// which require the address be set specifically post-connect.
int SetTproxy2OutgoingAddr(int fd, const IPAddress &src);
#endif
-}
+
+ /**
+ \retval 0 Full transparency is disabled.
+ \retval 1 Full transparency is enabled and active.
+ */
+ inline int TransparentActive() { return transparent_active; };
+
+ /** \par
+ * Turn on fully Transparent-Proxy activities.
+ * This function should be called during parsing of the squid.conf
+ * When any option requiring full-transparency is encountered.
+ */
+ inline void StartTransparency() { transparent_active=1; };
+
+ /** \par
+ * Turn off fully Transparent-Proxy activities on all new connections.
+ * Existing transactions and connections are unaffected and will run
+ * to their natural completion.
+ \param str Reason for stopping. Will be logged to cache.log
+ */
+ void StopTransparency(const char *str);
+
+ /**
+ \retval 0 IP Interception is disabled.
+ \retval 1 IP Interception is enabled and active.
+ */
+ inline int InterceptActive() { return intercept_active; };
+
+ /** \par
+ * Turn on IP-Interception-Proxy activities.
+ * This function should be called during parsing of the squid.conf
+ * When any option requiring interception / NAT handling is encountered.
+ */
+ inline void StartInterception() { intercept_active=1; };
+
+ /** \par
+ * Turn off IP-Interception-Proxy activities on all new connections.
+ * Existing transactions and connections are unaffected and will run
+ * to their natural completion.
+ \param str Reason for stopping. Will be logged to cache.log
+ */
+ inline void StopInterception(const char *str);
+
+private:
+ int transparent_active;
+ int intercept_active;
+};
#if !defined(IP_TRANSPARENT)
/// \ingroup IPInterceptAPI
#include "Parsing.h"
#include "MemBuf.h"
#include "wordlist.h"
+#include "IPInterception.h"
+
#if HAVE_GLOB_H
#include <glob.h>
#endif
} else if (strncmp(token, "name=", 5) == 0) {
safe_free(s->name);
s->name = xstrdup(token + 5);
- } else if (strcmp(token, "transparent") == 0) {
- s->transparent = 1;
-#if USE_IPV6
- /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */
- if( !s->s.SetIPv4() ) {
- debugs(3, 0, "http(s)_port: IPv6 addresses cannot be 'transparent' (protocol does not provide NAT)" << s->s );
- self_destruct();
- }
-#endif
} else if (strcmp(token, "vhost") == 0) {
s->vhost = 1;
s->accel = 1;
else
self_destruct();
-#if LINUX_TPROXY2 || LINUX_TPROXY4
-
+ } else if (strcmp(token, "transparent") == 0) {
+ s->transparent = 1;
+ IPInterceptor.StartInterception();
+#if USE_IPV6
+ /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */
+ if( !s->s.SetIPv4() ) {
+ debugs(3, 0, "http(s)_port: IPv6 addresses cannot be 'transparent' (protocol does not provide NAT)" << s->s );
+ self_destruct();
+ }
+#endif
} else if (strcmp(token, "tproxy") == 0) {
s->tproxy = 1;
- need_linux_tproxy = 1;
+ IPInterceptor.StartTransparency();
#if USE_IPV6
- /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */
+ /* INET6: until target TPROXY is known to work on IPv6 SOCKET, force wildcard to IPv4 */
if( s->s.IsIPv6() && !s->s.SetIPv4() ) {
debugs(3, 0, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s );
self_destruct();
}
-#endif
#endif
} else if (strcmp(token, "ipv4") == 0) {
}
request->flags.accelerated = http->flags.accel;
-
- request->flags.transparent = http->flags.transparent;
-
-#if LINUX_TPROXY2 || LINUX_TPROXY4
- request->flags.tproxy = conn->port->tproxy && need_linux_tproxy;
-#endif
+ /* propagate the transparent and interception flags only if those modes are currently active. */
+ request->flags.transparent = http->flags.transparent && IPInterceptor.InterceptActive();
+ request->flags.tproxy = conn->port->tproxy && IPInterceptor.TransparentActive();
if (internalCheck(request->urlpath.buf())) {
if (internalHostnameIs(request->GetHost()) &&
extern const char *external_acl_message; /* NULL */
extern int opt_send_signal; /* -1 */
extern int opt_no_daemon; /* 0 */
-#if LINUX_TPROXY2 || LINUX_TPROXY4
- extern int need_linux_tproxy; /* 0 */
-#endif
#ifdef __cplusplus
-
/*
* $Id: tools.cc,v 1.281 2008/02/11 22:44:50 rousskov Exp $
*
#include "MemBuf.h"
#include "wordlist.h"
#include "SquidTime.h"
+#include "IPInterception.h"
#ifdef _SQUID_LINUX_
#if HAVE_SYS_CAPABILITY_H
#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && HAVE_SYS_CAPABILITY_H
if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
- /* Silent failure unless TPROXY is required. Maybe not started as root */
-#if LINUX_TPROXY2 || LINUX_TPROXY4
-
- if (need_linux_tproxy)
- debugs(1, 1, "Error - tproxy support requires capability setting which has failed. Continuing without tproxy support");
-
- need_linux_tproxy = 0;
-
-#endif
-
+ /* Silent failure unless transparency is required. Maybe not started as root */
+ if (IPInterceptor.TransparentActive()) {
+ debugs(1, 1, "Error - full transparency support requires capability setting which has failed. Continuing without transparency support");
+ IPInterceptor.StopTransparency();
+ }
}
#endif
}
cap->inheritable = 0;
cap->effective = (1 << CAP_NET_BIND_SERVICE);
-#if LINUX_TPROXY2
- if (need_linux_tproxy)
- cap->effective |= (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BROADCAST);
-#elif LINUX_TPROXY4
- if (need_linux_tproxy)
+ if(IPIntercept.TransparentActive()) {
cap->effective |= (1 << CAP_NET_ADMIN);
-
+#if LINUX_TPROXY2
+ cap->effective |= (1 << CAP_NET_BROADCAST);
#endif
+ }
if (!keep)
cap->permitted &= cap->effective;
if (capset(head, cap) != 0) {
- /* Silent failure unless TPROXY is required */
-#if LINUX_TPROXY2 || LINUX_TPROXY4
-
- if (need_linux_tproxy)
- debugs(50, 1, "Error enabling needed capabilities. Will continue without tproxy support");
-
- need_linux_tproxy = 0;
-
-#endif
-
+ /* Silent failure unless transparency is required */
+ if(IPInterceptor.TransparentActive()) {
+ IPInterceptor.StopTransparency("Error enabling needed capabilities.");
+ }
}
nocap:
xfree(cap);
#else /* not defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H */
-#if LINUX_TPROXY2 || LINUX_TPROXY4
-
- if (need_linux_tproxy)
- debugs(50, 1, "Missing needed capability support. Will continue without tproxy support");
-
- need_linux_tproxy = 0;
-#endif
+ if (IPInterceptor.TransparentActive()) {
+ IPInterceptor.StopTransparency("Missing needed capability support.");
+ }
#endif
}
projects / thirdparty / squid.git / commitdiff
