From: Alexander Gozman
Date: Fri, 16 Feb 2018 10:52:58 +0000 (+0300)
Subject: Fix clientside_mark and client port logging in TPROXY mode (#150)
X-Git-Tag: SQUID_4_0_24~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1bc9cfe93adf8051099e8b1144ea9f3b556acaba;p=thirdparty%2Fsquid.git

Fix clientside_mark and client port logging in TPROXY mode (#150)

The clientside_mark ACL was not working with TPROXY because a conntrack query could not find connmark without a true client port. Ip::Intercept::Lookup() must return true client address, but its TproxyTransparent() component was resetting the client port. We should use zero port when we compute the source address for the Squid-to-peer connection instead.

---
diff --git a/src/FwdState.cc b/src/FwdState.cc index 887f01b6df..70d1bc8ca3 100644 --- a/src/FwdState.cc +++ b/src/FwdState.cc @@ -1270,6 +1270,7 @@ getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn) else #endif conn->local = request->client_addr; + conn->local.port(0); // let OS pick the source port to prevent address clashes // some flags need setting on the socket to use this address conn->flags |= COMM_DOBIND; conn->flags |= COMM_TRANSPARENT; diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc index a331db04bf..c4df036d70 100644 --- a/src/ip/Intercept.cc +++ b/src/ip/Intercept.cc @@ -169,7 +169,6 @@ Ip::Intercept::TproxyTransparent(const Comm::ConnectionPointer &newConn, int) /* Trust the user configured properly. If not no harm done. * We will simply attempt a bind outgoing on our own IP. */ - newConn->remote.port(0); // allow random outgoing port to prevent address clashes debugs(89, 5, HERE << "address TPROXY: " << newConn); return true; #else
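Review bot: in the src/FwdState.cc hunk, the added `conn->local.port(0);` is placed after the `#endif`, so it applies to whatever the preceding `if`/`else` assigned to `conn->local`, not only to the visible `conn->local = request->client_addr;` branch. That is the right scope if every branch there assigns a client address that is about to be spoofed with `COMM_DOBIND | COMM_TRANSPARENT`, but the one-line comment should say so and should say why the zeroing belongs here rather than in Ip::Intercept: the outgoing socket is bound to the client's IP, and carrying over the client's own source port would clash as soon as the same client opens a second connection to the same server. Suggest expanding the comment to something like `// spoof the client IP but let the OS pick the source port; reusing the client's port would clash between connections from the same client`, so the next reader does not move the zeroing back into the intercept lookup.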
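Review bot: in the src/ip/Intercept.cc hunk, the block comment that remains above the deleted line ("We will simply attempt a bind outgoing on our own IP.") still describes the outgoing-bind behaviour the removed `newConn->remote.port(0);` was supporting, which no longer happens in this function. Update it to state the new invariant instead: `newConn->remote` is the true client address including the client port and must be left intact, because the conntrack query behind the clientside_mark ACL needs the full 4-tuple and the client port is what gets logged. It is also worth confirming, and noting in the commit message, that no other user of Ip::Intercept::Lookup() relied on the port having been zeroed here, since the following `debugs(89, 5, HERE << "address TPROXY: " << newConn);` and everything downstream now see the real client port.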