fi
esac
-dnl Enable Linux transparent proxy support for obsolete TPROXY
-AH_TEMPLATE(LINUX_TPROXY2,[Enable real Transparent Proxy support for Netfilter TPROXY v2])
-squid_opt_linux_tproxy2="no"
-AC_ARG_ENABLE(linux-tproxy,
- AS_HELP_STRING([--enable-linux-tproxy],
- [Enable real Transparent Proxy support for Netfilter TPROXY (version 2).]), [
- if test "$enableval" = "yes" ; then
- squid_opt_linux_tproxy2="yes"
- AC_MSG_NOTICE([Linux Transparent Proxy (TPROXY) requested])
- fi
- #AC_DEFINE will be handled later
-])
-
dnl Enable Leak Finding Functions
squid_opt_enable_leakfinder=no
AC_ARG_ENABLE(leakfinder,
db.h \
db_185.h
)
-
AC_CHECK_HEADERS(
- linux/netfilter_ipv4.h \
- linux/netfilter_ipv4/ip_tproxy.h \
+ linux/netfilter_ipv4.h
,,,
SQUID_DEFAULT_INCLUDES
#if HAVE_LIMITS_H
dnl Netfilter TPROXY depends on libcap but the NAT parts can still work.
AC_MSG_NOTICE([Support for Netfilter-based interception proxy requested: $squid_opt_linux_netfilter])
if test "$squid_opt_linux_netfilter" = "yes" && test "$use_libcap" != "yes" ; then
- AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY])
+ AC_MSG_WARN([Missing needed capabilities from libcap for TPROXY])
AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled])
AC_MSG_WARN([Reduced support to Interception Proxy])
- squid_opt_linux_tproxy2="no"
# AC_DEFINE'd later
fi
-# Linux Netfilter/TPROXYv2 support requires some specific header files and
-# support infrastructure (netfilter and libcap)
-AC_MSG_NOTICE([Support for Linux TPROXY v2 transparent proxy requested: $squid_opt_linux_tproxy2])
-if test "$squid_opt_linux_tproxy2" = "yes" -a "$use_libcap" != "yes" ; then
- AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY])
- AC_MSG_WARN([Disabling Linux TPROXY v2 support])
- AC_MSG_WARN([Interception proxy will still work])
- squid_opt_linux_tproxy2="no"
-fi
-if test "$squid_opt_linux_tproxy2" = "yes" ; then
- # we already checked that $use_libcap2=yes
- if test "$squid_opt_linux_netfilter" = "no" ; then
- squid_opt_linux_netfilter="yes"
- AC_MSG_NOTICE([Enabling Linux Netfilter support needed by Linux TPROXY v2])
- fi
- AC_MSG_CHECKING([if TPROXYv2 header files are installed])
- if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" != "yes" ; then
- squid_opt_linux_tproxy2="no"
- dnl need to output before next lines
- AC_MSG_RESULT($squid_opt_linux_tproxy2)
- AC_MSG_WARN([Cannot find TPROXY v2 headers, you need to patch the kernel with ])
- AC_MSG_WARN([tproxy package from: http://www.balabit.com/downloads/files/tproxy/])
- AC_MSG_WARN([or use '--enable-linux-netfilter' option instead for Netfilter support.])
- else
- AC_MSG_RESULT($squid_opt_linux_tproxy2)
- fi
-fi
-
-dnl at the end of it all..
-if test "$squid_opt_linux_tproxy2" = "yes" ; then
- AC_DEFINE(LINUX_TPROXY2, 1)
-else
- AC_DEFINE(LINUX_TPROXY2, 0)
-fi
-
-
AC_ARG_ENABLE(gnuregex,
AS_HELP_STRING([--enable-gnuregex],[Compile GNUregex. Unless you have reason to use
this option, you should not enable it.
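Review bot: With `squid_opt_linux_tproxy2="no"` removed from the libcap-missing branch, that `if` block now only prints warnings and changes no configure state, yet it still announces "Linux Transparent Proxy support WILL NOT be enabled" and keeps the `# AC_DEFINE'd later` comment, which pointed at the `AC_DEFINE(LINUX_TPROXY2, ...)` block this same hunk deletes. Whether TPROXY really stays disabled without libcap now rests on logic outside this hunk (presumably wherever `$squid_opt_linux_netfilter` is consumed), so the branch should either set the variable that actually carries that decision or replace the stale comment with one that says where the decision is made, e.g. `# Warning only: the netfilter/TPROXY define is decided below from $squid_opt_linux_netfilter`. As written, a build lacking libcap emits a warning whose claim cannot be checked from this script alone.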
commSetTimeout(fd, ctimeout, fwdConnectTimeoutWrapper, this);
-#if LINUX_TPROXY2
- if (!fs->_peer && request->flags.spoof_client_ip) {
- // try to set the outgoing address using TPROXY v2
- // if it fails we abort any further TPROXY actions on this connection
- if (Ip::Interceptor.SetTproxy2OutgoingAddr(fd, src) == -1) {
- request->flags.spoof_client_ip = 0;
- }
- }
-#endif
-
updateHierarchyInfo();
commConnectStart(fd, host, port, fwdConnectDoneWrapper, this);
}
#include <linux/netfilter_ipv4.h>
#endif
-#if LINUX_TPROXY2
-#if HAVE_LINUX_NETFILTER_IPV4_IP_TPROXY_H
-#include <linux/netfilter_ipv4/ip_tproxy.h>
-#else
-#error " TPROXY v2 Header file missing: linux/netfilter_ipv4/ip_tproxy.h. Perhapse you meant to use TPROXY v4 ? "
-#endif
-#endif
-
-
// single global instance for access by other components.
Ip::Intercept Ip::Interceptor;
return -1;
}
-#if LINUX_TPROXY2
-int
-Ip::Intercept::SetTproxy2OutgoingAddr(int fd, const Ip::Address &src)
-{
- Address addr;
- struct in_tproxy itp;
-
- src.GetInAddr(itp.v.addr.faddr);
- itp.v.addr.fport = 0;
-
- /* If these syscalls fail then we just fallback to connecting
- * normally by simply ignoring the errors...
- */
- itp.op = TPROXY_ASSIGN;
-
- addr = (struct in_addr)itp.v.addr.faddr;
- addr.SetPort(itp.v.addr.fport);
-
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
- debugs(20, 1, "tproxy ip=" << addr << " ERROR ASSIGN");
- return -1;
- } else {
- itp.op = TPROXY_FLAGS;
- itp.v.flags = ITP_CONNECT;
-
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
- debugs(20, 1, "tproxy ip=" << addr << " ERROR CONNECT");
- return -1;
- }
- }
-
- return 0;
-}
-#endif
-
bool
Ip::Intercept::ProbeForTproxy(Ip::Address &test)
{
debugs(3, 3, "Detect TPROXY support on port " << test);
-#if LINUX_TPROXY2
-
-#if USE_IPV6
- /* TPROXYv2 is not IPv6 capable. Force wildcard sockets to IPv4. Die on IPv6 IPs */
- debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << test << " (TPROXYv2 interception enabled)");
- if ( test.IsIPv6() && !test.SetIPv4() ) {
- debugs(3, DBG_CRITICAL, "IPv6 requires TPROXYv4 support. You only have TPROXYv2 for " << test );
- return false;
- }
-#endif /* USE_IPV6 */
- return true;
-
-#else /* not LINUX_TPROXY2 */
#if defined(IP_TRANSPARENT)
#else /* undefined IP_TRANSPARENT */
debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this platform. Disabling TPROXYv4.");
#endif
-#endif /* LINUX_TPROXY2 */
return false;
}
/** Perform NAT lookups */
int NatLookup(int fd, const Address &me, const Address &peer, Address &client, Address &dst);
-#if LINUX_TPROXY2
- // only relevant to TPROXY v2 connections.
- // which require the address be set specifically post-connect.
- int SetTproxy2OutgoingAddr(int fd, const Address &src);
-#endif
-
/**
* Test system networking calls for TPROXY support.
* Detects IPv6 and IPv4 level of support matches the address being listened on
if (Ip::Interceptor.TransparentActive()) {
cap_list[ncaps++] = CAP_NET_ADMIN;
-#if LINUX_TPROXY2
- cap_list[ncaps++] = CAP_NET_BROADCAST;
-#endif
}
cap_clear_flag(caps, CAP_EFFECTIVE);