[MINOR] add transparent proxy support for balabit's Tproxy v4

Balabit's TPROXY version 4 which replaces CTTPROXY provides a similar
API to the previous proxy, but relies on IP_FREEBIND instead of
IP_TRANSPARENT. Let's add it.

diff --git a/include/common/compat.h b/include/common/compat.h
index 3c51fb237c43c4755924a30aaa9627a290abbdc2..9cce1f53c6c01e7bf1a15aa349c891734c2be739 100644 (file)
--- a/include/common/compat.h
+++ b/include/common/compat.h
@@ -66,8 +66,11 @@
 #include <linux/netfilter_ipv4.h>
 #endif
 
-/* On Linux, IP_TRANSPARENT generally requires a kernel patch */
+/* On Linux, IP_TRANSPARENT and/or IP_FREEBIND generally require a kernel patch */
 #if defined(CONFIG_HAP_LINUX_TPROXY)
+#if !defined(IP_FREEBIND)
+#define IP_FREEBIND 15
+#endif /* !IP_FREEBIND */
 #if !defined(IP_TRANSPARENT)
 #define IP_TRANSPARENT 19
 #endif /* !IP_TRANSPARENT */

diff --git a/src/backend.c b/src/backend.c
index 8e1ec115b30ec33fd37b2a8faa42c7ed6c9e1745..aadc65057da7ff52ec1df44d24c410d0be29c523 100644 (file)
--- a/src/backend.c
+++ b/src/backend.c
@@ -1136,7 +1136,8 @@ static int bind_ipv4(int fd, int flags, struct sockaddr_in *local, struct sockad
 #ifdef CONFIG_HAP_LINUX_TPROXY
        static int ip_transp_working = 1;
        if (flags && ip_transp_working) {
-               if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0)
+               if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0
+                   || setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)
                        foreign_ok = 1;
                else
                        ip_transp_working = 0;

diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 78d936746d5ba4ee11eb0704ff921f89f724ca24..d68941b2c8378b68bb8c62781e6420b7f5859ebd 100644 (file)
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -156,7 +156,8 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
 #endif
 #ifdef CONFIG_HAP_LINUX_TPROXY
        if ((listener->options & LI_O_FOREIGN) 
-           && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)) {
+           && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)
+           && (setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == -1)) {
                msg = "cannot make listening socket transparent";
                err |= ERR_ALERT;
        }