From: Willy Tarreau
Date: Sun, 13 Jan 2008 16:37:16 +0000 (+0100)
Subject: [MINOR] add transparent proxy support for balabit's Tproxy v4
X-Git-Tag: v1.3.15~65
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0a45989de3846dd33b04ad28a433003a622fd4f7;p=thirdparty%2Fhaproxy.git

[MINOR] add transparent proxy support for balabit's Tproxy v4

Balabit's TPROXY version 4 which replaces CTTPROXY provides a similar API to the previous proxy, but relies on IP_FREEBIND instead of IP_TRANSPARENT. Let's add it.
---
diff --git a/include/common/compat.h b/include/common/compat.h
index 3c51fb237c..9cce1f53c6 100644
--- a/include/common/compat.h
+++ b/include/common/compat.h
@@ -66,8 +66,11 @@
 #include
 #endif
-/* On Linux, IP_TRANSPARENT generally requires a kernel patch */
+/* On Linux, IP_TRANSPARENT and/or IP_FREEBIND generally require a kernel patch */
 #if defined(CONFIG_HAP_LINUX_TPROXY)
+#if !defined(IP_FREEBIND)
+#define IP_FREEBIND 15
+#endif /* !IP_FREEBIND */
 #if !defined(IP_TRANSPARENT)
 #define IP_TRANSPARENT 19
 #endif /* !IP_TRANSPARENT */
diff --git a/src/backend.c b/src/backend.c
index 8e1ec115b3..aadc65057d 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1136,7 +1136,8 @@ static int bind_ipv4(int fd, int flags, struct sockaddr_in *local, struct sockad
 #ifdef CONFIG_HAP_LINUX_TPROXY
 static int ip_transp_working = 1;
 if (flags && ip_transp_working) {
- if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0)
+ if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0
+ || setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)
 foreign_ok = 1;
 else
 ip_transp_working = 0;
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 78d936746d..d68941b2c8 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
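Review bot: The `||` in bind_ipv4 (src/backend.c) sets `foreign_ok = 1` when only `IP_FREEBIND` could be set, but the two options are not interchangeable on every kernel: on kernels without the TProxy v4 patch `IP_FREEBIND` is an ordinary unprivileged option that only relaxes the local-address check at bind(), whereas `IP_TRANSPARENT` is the privileged one that marks the socket as transparent. If `IP_TRANSPARENT` is refused for lack of privilege or kernel support, the fallback can therefore still succeed, `ip_transp_working` stays 1, and whatever bind_ipv4 does with `foreign_ok` after the end of this hunk then assumes a foreign source address is usable. I would record which option actually took effect, or gate the fallback on a TProxy v4 build define, and say so in a comment such as `/* IP_FREEBIND means "transparent" only on Balabit TProxy v4 kernels; stock kernels accept it without enabling transparency */`. The same pattern is in the tcp_bind_listener hunk in src/proto_tcp.c, where a listener with `LI_O_FOREIGN` raises no alert as long as `IP_FREEBIND` alone succeeds.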
@@ -156,7 +156,8 @@ int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen)
 #endif
 #ifdef CONFIG_HAP_LINUX_TPROXY
 if ((listener->options & LI_O_FOREIGN)
- && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)) {
+ && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)
+ && (setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == -1)) {
 msg = "cannot make listening socket transparent";
 err |= ERR_ALERT;
 }
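Review bot: The chained `setsockopt()` calls in tcp_bind_listener carry no comment saying that the second one is a fallback, and when both fail the alert text does not tell the operator which options were attempted. I would put `/* try IP_TRANSPARENT first, then fall back to IP_FREEBIND (Balabit TProxy v4) */` above the condition and change the message to `msg = "cannot make listening socket transparent (IP_TRANSPARENT and IP_FREEBIND both refused)";`. After a double failure `errno` describes only the `IP_FREEBIND` attempt, which is worth noting in the comment if the error is ever reported with its cause. The function starts and ends outside this hunk, so how `msg` and `err` are consumed is not visible here.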