From: Amos Jeffries
Date: Tue, 8 Apr 2008 06:51:51 +0000 (+1200)
Subject: Move TPROXY v2 method of setting the outgoing address to IPIntercept class
X-Git-Tag: SQUID_3_1_0_1~49^2~276^2~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34ec5c6298baf2055a16a03886d5590224a1e4c0;p=thirdparty%2Fsquid.git
Move TPROXY v2 method of setting the outgoing address to IPIntercept class
---
diff --git a/src/IPInterception.cc b/src/IPInterception.cc
index a027089799..0c5445aa07 100644
--- a/src/IPInterception.cc
+++ b/src/IPInterception.cc
@@ -37,7 +37,9 @@
 #include "IPInterception.h"
 #include "SquidTime.h"
+
 #if IPF_TRANSPARENT
+
 #if HAVE_SYS_IOCTL_H
 #include
 #endif
@@ -71,7 +73,8 @@
 #elif HAVE_NETINET_IP_NAT_H
 #include
 #endif
-#endif
+
+#endif /* IPF_TRANSPARENT required headers */
 #if PF_TRANSPARENT
 #include
@@ -81,12 +84,20 @@
 #include
 #include
 #include
-#endif
+#endif /* PF_TRANSPARENT required headers */
 #if LINUX_NETFILTER
 #include
 #endif
+#if LINUX_TPROXY2
+#ifdef HAVE_LINUX_NETFILTER_IPV4_IP_TPROXY_H
+#include
+#else
+#error " TPROXY v2 Header file missing: linux/netfilter_ipv4/ip_tproxy.h. Perhapse you meant to use TPROXY v4 ? "
+#endif
+#endif
+
 // single global instance for access by other components.
 IPIntercept IPInterceptor;
@@ -343,3 +354,37 @@ IPIntercept::NatLookup(int fd, const IPAddress &me, const IPAddress &peer, IPAdd
 #endif
 }
+
+#if LINUX_TPROXY2
+IPIntercept::SetTproxy2OutgoingAddr(int fd, const IPAddress &src)
+{
+ IPAddress addr;
+ struct in_tproxy itp;
+
+ src.GetInAddr(itp.v.addr.faddr);
+ itp.v.addr.fport = 0;
+
+ /* If these syscalls fail then we just fallback to connecting
+ * normally by simply ignoring the errors...
+ */
+ itp.op = TPROXY_ASSIGN;
+
+ addr = (struct in_addr)itp.v.addr.faddr;
+ addr.SetPort(itp.v.addr.fport);
+
+ if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
+ debugs(20, 1, "tproxy ip=" << addr << " ERROR ASSIGN");
+ return -1;
+ } else {
+ itp.op = TPROXY_FLAGS;
+ itp.v.flags = ITP_CONNECT;
+
+ if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
+ debugs(20, 1, "tproxy ip=" << addr << " ERROR CONNECT");
+ return -1;
+ }
+ }
+
+ return 0;
+}
+#endif
diff --git a/src/IPInterception.h b/src/IPInterception.h
index 1f9d0aafb2..ad7dae5caa 100644
--- a/src/IPInterception.h
+++ b/src/IPInterception.h
@@ -46,6 +46,12 @@ class IPIntercept
 {
 public:
 int NatLookup(int fd, const IPAddress &me, const IPAddress &peer, IPAddress &dst);
+
+#if LINUX_TPROXY2
+ // only relevant to TPROXY v2 connections.
+ // which require the address be set specifically post-connect.
+ int SetTproxy2OutgoingAddr(int fd, const IPAddress &src);
+#endif
 }
 #if !defined(IP_TRANSPARENT)
diff --git a/src/forward.cc b/src/forward.cc
index c86356b2eb..da75d7f7ab 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -49,13 +49,8 @@
 #include "SquidTime.h"
 #include "Store.h"
-#if LINUX_TPROXY2
-#ifdef HAVE_LINUX_NETFILTER_IPV4_IP_TPROXY_H
-#include
-#else
-#error " TPROXY v2 Header file missing: linux/netfilter_ipv4/ip_tproxy.h. Perhapse you meant to use TPROXY v4 ? "
-#endif
-#endif
+/* for IPInterceptor API */
+#include "IPInterception.h"
 static PSC fwdStartCompleteWrapper;
 static PF fwdServerClosedWrapper;
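Review bot: The definition `IPIntercept::SetTproxy2OutgoingAddr(int fd, const IPAddress &src)` added in this hunk has no return type, while the declaration added to IPInterception.h in the same commit gives it `int`; C++ has no implicit int, so this will not compile until it reads `int IPIntercept::SetTproxy2OutgoingAddr(int fd, const IPAddress &src)`. The comment carried over from forward.cc, "If these syscalls fail then we just fallback to connecting normally by simply ignoring the errors", no longer describes this function, which now reports failure with -1 and leaves the fallback decision to its caller; I would replace it with `/* Returns -1 if either IP_TPROXY setsockopt fails; the caller decides whether to fall back to a normal connect. */`. A one-line comment on `IPAddress addr` noting that it exists only to print the assigned address in the two debugs() messages would also help, since at first read it looks like part of the assignment itself.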
@@ -775,10 +770,6 @@ FwdState::connectStart()
 const char *domain = NULL;
 int ctimeout;
 int ftimeout = Config.Timeout.forward - (squid_curtime - start_t);
-#if LINUX_TPROXY2
-
- struct in_tproxy itp;
-#endif
 IPAddress outgoing;
 unsigned short tos;
@@ -894,36 +885,14 @@ FwdState::connectStart()
 #if LINUX_TPROXY2
 if (request->flags.tproxy) {
- IPAddress addr;
-
- src.GetInAddr(itp.v.addr.faddr);
- itp.v.addr.fport = 0;
-
- /* If these syscalls fail then we just fallback to connecting
- * normally by simply ignoring the errors...
- */
- itp.op = TPROXY_ASSIGN;
-
- addr = (struct in_addr)itp.v.addr.faddr;
- addr.SetPort(itp.v.addr.fport);
-
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
- debugs(20, 1, "tproxy ip=" << addr << " ERROR ASSIGN");
-
+ // try to set the outgoing address using TPROXY v2
+ // if it fails we abort any further TPROXY actions on this connection
+ if(IPInterceptor.SetTPROXY2OutgoingAddr(int fd, const IPAddress &src) == -1) {
 request->flags.tproxy = 0;
- } else {
- itp.op = TPROXY_FLAGS;
- itp.v.flags = ITP_CONNECT;
-
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
- debugs(20, 1, "tproxy ip=" << addr << " ERROR CONNECT");
-
- request->flags.tproxy = 0;
- }
 }
 }
-
 #endif
+
 hierarchyNote(&request->hier, fs->code, request->GetHost());
 }
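Review bot: The new call `IPInterceptor.SetTPROXY2OutgoingAddr(int fd, const IPAddress &src)` in the second hunk passes parameter declarations where arguments belong and spells the method in a different case from the one declared in IPInterception.h (`SetTproxy2OutgoingAddr`), so this hunk cannot compile; it should read `if (IPInterceptor.SetTproxy2OutgoingAddr(fd, src) == -1) {`. The failure handling is otherwise the same as the removed code — `request->flags.tproxy` is cleared and the connection proceeds with the normal source address — which is the right conservative fallback, and the added comment states it clearly. FwdState::connectStart both starts and ends outside these hunks, so whether `src` is still declared earlier in the function after the `itp` removal in the first hunk cannot be confirmed from here.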