}
bool
-Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent)
+Ip::Intercept::NetfilterInterception(const Comm::ConnectionPointer &newConn)
{
#if LINUX_NETFILTER
struct sockaddr_storage lookup;
newConn->local.isIPv6() ? IP6T_SO_ORIGINAL_DST : SO_ORIGINAL_DST,
&lookup,
&len) != 0) {
- if (!silent) {
- int xerrno = errno;
- debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerr(xerrno));
- lastReported_ = squid_curtime;
- }
- debugs(89, 9, "address: " << newConn);
+ const auto xerrno = errno;
+ debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerr(xerrno));
return false;
} else {
newConn->local = lookup;
}
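Review bot: The Netfilter branch now reports every getsockopt(ORIGINAL_DST) failure at DBG_IMPORTANT regardless of errno, while the PF and IPF branches in the same file stay quiet for their "no mapping" errno (ENOENT and ESRCH respectively). A client that reaches the intercept port directly, without a matching NAT entry, drives this path once per connection, and with the throttle hook removed nothing caps the resulting cache.log volume. If Netfilter signals a missing conntrack mapping as ENOENT (worth confirming against the kernel), the branch could follow the PF convention: `const auto xerrno = errno;` / `if (xerrno != ENOENT) debugs(89, DBG_IMPORTANT, "ERROR: NF getsockopt(ORIGINAL_DST) failed on " << newConn << ": " << xstrerr(xerrno));` / `return false;`. NetfilterInterception's body continues past the end of this hunk.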
bool
-Ip::Intercept::TproxyTransparent(const Comm::ConnectionPointer &newConn, int)
+Ip::Intercept::TproxyTransparent(const Comm::ConnectionPointer &newConn)
{
#if (LINUX_NETFILTER && defined(IP_TRANSPARENT)) || \
(PF_TRANSPARENT && defined(SO_BINDANY)) || \
}
bool
-Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn, int)
+Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn)
{
#if IPFW_TRANSPARENT
/* The getsockname() call performed already provided the TCP packet details.
}
bool
-Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn, int silent)
+Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn)
{
#if IPF_TRANSPARENT /* --enable-ipf-transparent */
}
if (natfd < 0) {
- if (!silent) {
- int xerrno = errno;
- debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT open failed: " << xstrerr(xerrno));
- lastReported_ = squid_curtime;
- return false;
- }
+ const auto xerrno = errno;
+ debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT open failed: " << xstrerr(xerrno));
+ return false;
}
#if defined(IPFILTER_VERSION) && (IPFILTER_VERSION >= 4000027)
#endif
if (x < 0) {
- int xerrno = errno;
+ const auto xerrno = errno;
if (xerrno != ESRCH) {
- if (!silent) {
- debugs(89, DBG_IMPORTANT, "IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerr(xerrno));
- lastReported_ = squid_curtime;
- }
-
+ debugs(89, DBG_IMPORTANT, "ERROR: IPF (IPFilter) NAT lookup failed: ioctl(SIOCGNATL) (v=" << IPFILTER_VERSION << "): " << xstrerr(xerrno));
close(natfd);
natfd = -1;
}
}
bool
-Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn, int silent)
+Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn)
{
#if PF_TRANSPARENT /* --enable-pf-transparent */
pffd = open("/dev/pf", O_RDONLY);
if (pffd < 0) {
- if (!silent) {
- int xerrno = errno;
- debugs(89, DBG_IMPORTANT, MYNAME << "PF open failed: " << xstrerr(xerrno));
- lastReported_ = squid_curtime;
- }
+ const auto xerrno = errno;
+ debugs(89, DBG_IMPORTANT, "ERROR: PF open failed: " << xstrerr(xerrno));
return false;
}
nl.direction = PF_OUT;
if (ioctl(pffd, DIOCNATLOOK, &nl)) {
- int xerrno = errno;
+ const auto xerrno = errno;
if (xerrno != ENOENT) {
- if (!silent) {
- debugs(89, DBG_IMPORTANT, HERE << "PF lookup failed: ioctl(DIOCNATLOOK): " << xstrerr(xerrno));
- lastReported_ = squid_curtime;
- }
+ debugs(89, DBG_IMPORTANT, "ERROR: PF lookup failed: ioctl(DIOCNATLOOK): " << xstrerr(xerrno));
close(pffd);
pffd = -1;
}
/* --enable-pf-transparent */
#if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT
-#if 0
- // Crop interception errors down to one per minute.
- int silent = (squid_curtime - lastReported_ > 60 ? 0 : 1);
-#else
- // Show all interception errors.
- int silent = 0;
-#endif
-
debugs(89, 5, HERE << "address BEGIN: me/client= " << newConn->local << ", destination/me= " << newConn->remote);
newConn->flags |= (listenConn->flags & (COMM_TRANSPARENT|COMM_INTERCEPTION));
/* NP: try TPROXY first, its much quieter than NAT when non-matching */
if (transparentActive_ && listenConn->flags&COMM_TRANSPARENT) {
- if (TproxyTransparent(newConn, silent)) return true;
+ if (TproxyTransparent(newConn)) return true;
}
if (interceptActive_ && listenConn->flags&COMM_INTERCEPTION) {
/* NAT methods that use sock-opts to return client address */
- if (NetfilterInterception(newConn, silent)) return true;
- if (IpfwInterception(newConn, silent)) return true;
+ if (NetfilterInterception(newConn)) return true;
+ if (IpfwInterception(newConn)) return true;
/* NAT methods that use ioctl to return client address AND destination address */
- if (PfInterception(newConn, silent)) return true;
- if (IpfInterception(newConn, silent)) return true;
+ if (PfInterception(newConn)) return true;
+ if (IpfInterception(newConn)) return true;
}
#else /* none of the transparent options configured */
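Review bot: Dropping the disabled once-per-minute throttle leaves the interception error reporting with no rate limit, and the remaining comment ("NP: try TPROXY first, its much quieter than NAT when non-matching") no longer tells a reader that each failing NAT method below logs unconditionally at DBG_IMPORTANT for every connection. Since the rate of these failures is set by whoever connects to the listening port, a one-line note documenting the decision would help the next maintainer, e.g. `/* NP: failed lookups are reported on every connection; there is no rate limit on these errors */` placed above the `interceptActive_` check. The enclosing function starts and ends outside this hunk.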
#ifndef SQUID_IP_IPINTERCEPT_H
#define SQUID_IP_IPINTERCEPT_H
-/* for time_t */
-#include "SquidTime.h"
-
namespace Ip
{
class Intercept
{
public:
- Intercept() : transparentActive_(0), interceptActive_(0), lastReported_(0) {};
+ Intercept() : transparentActive_(0), interceptActive_(0) {}
~Intercept() {};
/** Perform NAT lookups */
* perform Lookups on fully-transparent interception targets (TPROXY).
* Supports Netfilter, PF and IPFW.
*
- * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
* \param newConn Details known, to be updated where relevant.
* \return Whether successfully located the new address.
*/
- bool TproxyTransparent(const Comm::ConnectionPointer &newConn, int silent);
+ bool TproxyTransparent(const Comm::ConnectionPointer &newConn);
/**
* perform Lookups on Netfilter interception targets (REDIRECT, DNAT).
*
- * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
* \param newConn Details known, to be updated where relevant.
* \return Whether successfully located the new address.
*/
- bool NetfilterInterception(const Comm::ConnectionPointer &newConn, int silent);
+ bool NetfilterInterception(const Comm::ConnectionPointer &newConn);
/**
* perform Lookups on IPFW interception.
*
- * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
* \param newConn Details known, to be updated where relevant.
* \return Whether successfully located the new address.
*/
- bool IpfwInterception(const Comm::ConnectionPointer &newConn, int silent);
+ bool IpfwInterception(const Comm::ConnectionPointer &newConn);
/**
* perform Lookups on IPF interception.
*
- * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
* \param newConn Details known, to be updated where relevant.
* \return Whether successfully located the new address.
*/
- bool IpfInterception(const Comm::ConnectionPointer &newConn, int silent);
+ bool IpfInterception(const Comm::ConnectionPointer &newConn);
/**
* perform Lookups on PF interception target (REDIRECT).
*
- * \param silent 0 if errors are to be displayed. 1 if errors are to be hidden.
* \param newConn Details known, to be updated where relevant.
* \return Whether successfully located the new address.
*/
- bool PfInterception(const Comm::ConnectionPointer &newConn, int silent);
+ bool PfInterception(const Comm::ConnectionPointer &newConn);
int transparentActive_;
int interceptActive_;
- time_t lastReported_; /**< Time of last error report. Throttles NAT error display to 1 per minute */
};
#if LINUX_NETFILTER && !defined(IP_TRANSPARENT)