Implement FreeBSD ipfw based ip transparent interception using

the getsockname() syscall. This returns the original destination
IP rather than the local server IP.

This behaviour existed in Squid-2 in the past; but was removed for some
reason.

diff --git a/configure.in b/configure.in
index cf072dd94273ff88b2c53654638d41e7e96cd528..85a6ba37759f9ca2c7463dea5190d255d3170e7f 100644 (file)
--- a/configure.in
+++ b/configure.in
@@ -1,7 +1,7 @@
 
 dnl  Configuration input file for Squid
 dnl
-dnl  $Id: configure.in,v 1.454 2007/05/13 10:57:41 hno Exp $
+dnl  $Id: configure.in,v 1.455 2007/05/20 04:22:43 adrian Exp $
 dnl
 dnl
 dnl
@@ -11,7 +11,7 @@ AM_CONFIG_HEADER(include/autoconf.h)
 AC_CONFIG_AUX_DIR(cfgaux)
 AC_CONFIG_SRCDIR([src/main.cc])
 AM_INIT_AUTOMAKE([tar-ustar])
-AC_REVISION($Revision: 1.454 $)dnl
+AC_REVISION($Revision: 1.455 $)dnl
 AC_PREFIX_DEFAULT(/usr/local/squid)
 AM_MAINTAINER_MODE
 
@@ -1140,6 +1140,18 @@ else
     AC_DEFINE(HTTP_VIOLATIONS, 0)
 fi
 
+dnl Enable IPFW Transparent Proxy
+AC_ARG_ENABLE(ipfw-transparent,
+[  --enable-ipfw-transparent
+                          Enable Transparent Proxy support for systems
+                          using FreeBSD IPFW style redirection.],
+[ if test "$enableval" = "yes" ; then
+       echo "IPFW Transparent Proxy enabled"
+       AC_DEFINE(IPFW_TRANSPARENT,1,[Enable support for Transparent Proxy on systems using FreeBSD IPFW address redirection.])
+       IPFW_TRANSPARENT="yes"
+  fi
+])
+
 dnl Enable IP-Filter Transparent Proxy
 AC_ARG_ENABLE(ipf-transparent,
 [  --enable-ipf-transparent

diff --git a/include/autoconf.h.in b/include/autoconf.h.in
index 021fae39d89d0b87f94c6ddd92fd9f2d3fb8dbca..a5179a8c4412419fac9c400a6b9c0d448a4be073 100644 (file)
--- a/include/autoconf.h.in
+++ b/include/autoconf.h.in
@@ -725,6 +725,10 @@
 /* Enable ICAP client features in Squid */
 #undef ICAP_CLIENT
 
+/* Enable support for Transparent Proxy on systems using FreeBSD IPFW address
+   redirection. */
+#undef IPFW_TRANSPARENT
+
 /* Enable support for Transparent Proxy on systems using IP-Filter address
    redirection. This provides "masquerading" support for non Linux system. */
 #undef IPF_TRANSPARENT

diff --git a/src/IPInterception.cc b/src/IPInterception.cc
index 564d2aca94e751d22898d054952509f5c5834147..a37b13e2695f81803835e4aeaebc23c590e9b00e 100644 (file)
--- a/src/IPInterception.cc
+++ b/src/IPInterception.cc
@@ -1,6 +1,6 @@
 
 /*
- * $Id: IPInterception.cc,v 1.16 2007/04/28 22:26:37 hno Exp $
+ * $Id: IPInterception.cc,v 1.17 2007/05/20 04:22:45 adrian Exp $
  *
  * DEBUG: section 89    NAT / IP Interception 
  * AUTHOR: Robert Collins
@@ -282,14 +282,29 @@ clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct s
     }
 }
 
-#else
+#elif IPFW_TRANSPARENT
 int
-
 clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct sockaddr_in *dst)
 {
-    debugs(89, 1, "WARNING: transparent proxying not supported");
-    return -1;
+       int ret;
+       struct sockaddr_in s;
+       int slen = sizeof(struct sockaddr_in);
+
+       ret = getsockname(fd, (struct sockaddr *) &s, (socklen_t * )&slen);
+       if (ret < 0) {
+               debugs(89, 1, "clientNatLookup: getpeername failed (fd " << fd << "), errstr " << xstrerror());
+               return -1;
+       }
+       *dst = s;
+       return 0;
 }
 
+#else
+int
+clientNatLookup(int fd, struct sockaddr_in me, struct sockaddr_in peer, struct sockaddr_in *dst)
+{
+       debugs(89, 1, "WARNING: transparent proxying not supported");
+       return -1;
+}
 #endif