From: Amos Jeffries Date: Fri, 23 Apr 2010 00:48:04 +0000 (+1200) Subject: Drop TPROXYv2 Support X-Git-Tag: SQUID_3_2_0_1~276 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=aa46a340d8c4838559cd263ee769f12f7496e4fa;p=thirdparty%2Fsquid.git Drop TPROXYv2 Support --- diff --git a/configure.in b/configure.in index 70e752215b..6850c7d42f 100644 --- a/configure.in +++ b/configure.in @@ -1426,19 +1426,6 @@ default|"") fi esac -dnl Enable Linux transparent proxy support for obsolete TPROXY -AH_TEMPLATE(LINUX_TPROXY2,[Enable real Transparent Proxy support for Netfilter TPROXY v2]) -squid_opt_linux_tproxy2="no" -AC_ARG_ENABLE(linux-tproxy, - AS_HELP_STRING([--enable-linux-tproxy], - [Enable real Transparent Proxy support for Netfilter TPROXY (version 2).]), [ - if test "$enableval" = "yes" ; then - squid_opt_linux_tproxy2="yes" - AC_MSG_NOTICE([Linux Transparent Proxy (TPROXY) requested]) - fi - #AC_DEFINE will be handled later -]) - dnl Enable Leak Finding Functions squid_opt_enable_leakfinder=no AC_ARG_ENABLE(leakfinder, @@ -2296,10 +2283,8 @@ AC_CHECK_HEADERS( \ db.h \ db_185.h ) - AC_CHECK_HEADERS( - linux/netfilter_ipv4.h \ - linux/netfilter_ipv4/ip_tproxy.h \ + linux/netfilter_ipv4.h ,,, SQUID_DEFAULT_INCLUDES #if HAVE_LIMITS_H 
@@ -3245,49 +3230,12 @@ fi dnl Netfilter TPROXY depends on libcap but the NAT parts can still work. AC_MSG_NOTICE([Support for Netfilter-based interception proxy requested: $squid_opt_linux_netfilter]) if test "$squid_opt_linux_netfilter" = "yes" && test "$use_libcap" != "yes" ; then - AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY]) + AC_MSG_WARN([Missing needed capabilities from libcap for TPROXY]) AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled]) AC_MSG_WARN([Reduced support to Interception Proxy]) - squid_opt_linux_tproxy2="no" # AC_DEFINE'd later fi -# Linux Netfilter/TPROXYv2 support requires some specific header files and -# support infrastructure (netfilter and libcap) -AC_MSG_NOTICE([Support for Linux TPROXY v2 transparent proxy requested: $squid_opt_linux_tproxy2]) -if test "$squid_opt_linux_tproxy2" = "yes" -a "$use_libcap" != "yes" ; then - AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY]) - AC_MSG_WARN([Disabling Linux TPROXY v2 support]) - AC_MSG_WARN([Interception proxy will still work]) - squid_opt_linux_tproxy2="no" -fi -if test "$squid_opt_linux_tproxy2" = "yes" ; then - # we already checked that $use_libcap2=yes - if test "$squid_opt_linux_netfilter" = "no" ; then - squid_opt_linux_netfilter="yes" - AC_MSG_NOTICE([Enabling Linux Netfilter support needed by Linux TPROXY v2]) - fi - AC_MSG_CHECKING([if TPROXYv2 header files are installed]) - if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" != "yes" ; then - squid_opt_linux_tproxy2="no" - dnl need to output before next lines - AC_MSG_RESULT($squid_opt_linux_tproxy2) - AC_MSG_WARN([Cannot find TPROXY v2 headers, you need to patch the kernel with ]) - AC_MSG_WARN([tproxy package from: http://www.balabit.com/downloads/files/tproxy/]) - AC_MSG_WARN([or use '--enable-linux-netfilter' option instead for Netfilter support.]) - else - AC_MSG_RESULT($squid_opt_linux_tproxy2) - fi -fi - -dnl at the end of it all.. 
-if test "$squid_opt_linux_tproxy2" = "yes" ; then - AC_DEFINE(LINUX_TPROXY2, 1) -else - AC_DEFINE(LINUX_TPROXY2, 0) -fi - - AC_ARG_ENABLE(gnuregex, AS_HELP_STRING([--enable-gnuregex],[Compile GNUregex. Unless you have reason to use this option, you should not enable it. diff --git a/src/forward.cc b/src/forward.cc index 0174509715..bf144e8376 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -911,16 +911,6 @@ FwdState::connectStart() commSetTimeout(fd, ctimeout, fwdConnectTimeoutWrapper, this); -#if LINUX_TPROXY2 - if (!fs->_peer && request->flags.spoof_client_ip) { - // try to set the outgoing address using TPROXY v2 - // if it fails we abort any further TPROXY actions on this connection - if (Ip::Interceptor.SetTproxy2OutgoingAddr(fd, src) == -1) { - request->flags.spoof_client_ip = 0; - } - } -#endif - updateHierarchyInfo(); commConnectStart(fd, host, port, fwdConnectDoneWrapper, this); } diff --git a/src/ip/IpIntercept.cc b/src/ip/IpIntercept.cc index a04b80e178..9deced4241 100644 --- a/src/ip/IpIntercept.cc +++ b/src/ip/IpIntercept.cc @@ -90,15 +90,6 @@ #include #endif -#if LINUX_TPROXY2 -#if HAVE_LINUX_NETFILTER_IPV4_IP_TPROXY_H -#include -#else -#error " TPROXY v2 Header file missing: linux/netfilter_ipv4/ip_tproxy.h. Perhapse you meant to use TPROXY v4 ? " -#endif -#endif - - // single global instance for access by other components. Ip::Intercept Ip::Interceptor; 
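Review bot: With `squid_opt_linux_tproxy2="no"` removed, the libcap check at the start of this hunk now only prints warnings — nothing in configure records that TPROXY is unavailable, so `Linux Transparent Proxy support WILL NOT be enabled` is no longer a claim this script enforces itself. If the real gate is at runtime (the tools.cc hunk shows CAP_NET_ADMIN is only retained via libcap's cap_* calls, so without libcap the spoofing sockets presumably fail once privileges are dropped), say so here, e.g. `dnl without libcap TPROXY is refused at runtime when capabilities cannot be kept; NAT interception still works`. Otherwise a user who explicitly requested TPROXY-capable interception gets a build that silently degrades; an `AC_MSG_ERROR` when `$squid_opt_linux_netfilter` was explicitly enabled without libcap would surface the problem at configure time instead of on a production host. The `if ... fi` block is complete within the hunk; the context around it continues outside.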
@@ -404,58 +395,10 @@ Ip::Intercept::NatLookup(int fd, const Ip::Address &me, const Ip::Address &peer, return -1; } -#if LINUX_TPROXY2 -int -Ip::Intercept::SetTproxy2OutgoingAddr(int fd, const Ip::Address &src) -{ - Address addr; - struct in_tproxy itp; - - src.GetInAddr(itp.v.addr.faddr); - itp.v.addr.fport = 0; - - /* If these syscalls fail then we just fallback to connecting - * normally by simply ignoring the errors... - */ - itp.op = TPROXY_ASSIGN; - - addr = (struct in_addr)itp.v.addr.faddr; - addr.SetPort(itp.v.addr.fport); - - if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) { - debugs(20, 1, "tproxy ip=" << addr << " ERROR ASSIGN"); - return -1; - } else { - itp.op = TPROXY_FLAGS; - itp.v.flags = ITP_CONNECT; - - if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) { - debugs(20, 1, "tproxy ip=" << addr << " ERROR CONNECT"); - return -1; - } - } - - return 0; -} -#endif - bool Ip::Intercept::ProbeForTproxy(Ip::Address &test) { debugs(3, 3, "Detect TPROXY support on port " << test); -#if LINUX_TPROXY2 - -#if USE_IPV6 - /* TPROXYv2 is not IPv6 capable. Force wildcard sockets to IPv4. Die on IPv6 IPs */ - debugs(3, DBG_IMPORTANT, "Disabling IPv6 on port " << test << " (TPROXYv2 interception enabled)"); - if ( test.IsIPv6() && !test.SetIPv4() ) { - debugs(3, DBG_CRITICAL, "IPv6 requires TPROXYv4 support. You only have TPROXYv2 for " << test ); - return false; - } -#endif /* USE_IPV6 */ - return true; - -#else /* not LINUX_TPROXY2 */ #if defined(IP_TRANSPARENT) @@ -517,6 +460,5 @@ Ip::Intercept::ProbeForTproxy(Ip::Address &test) #else /* undefined IP_TRANSPARENT */ debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this platform. Disabling TPROXYv4."); #endif -#endif /* LINUX_TPROXY2 */ return false; } diff --git a/src/ip/IpIntercept.h b/src/ip/IpIntercept.h index 7ec0d1a9e9..338255a153 100644 --- a/src/ip/IpIntercept.h +++ b/src/ip/IpIntercept.h 
@@ -32,12 +32,6 @@ public: /** Perform NAT lookups */ int NatLookup(int fd, const Address &me, const Address &peer, Address &client, Address &dst); -#if LINUX_TPROXY2 - // only relevant to TPROXY v2 connections. - // which require the address be set specifically post-connect. - int SetTproxy2OutgoingAddr(int fd, const Address &src); -#endif - /** * Test system networking calls for TPROXY support. * Detects IPv6 and IPv4 level of support matches the address being listened on diff --git a/src/tools.cc b/src/tools.cc index 87d72f9790..97f2c97a9f 100644 --- a/src/tools.cc +++ b/src/tools.cc @@ -1237,9 +1237,6 @@ restoreCapabilities(int keep) if (Ip::Interceptor.TransparentActive()) { cap_list[ncaps++] = CAP_NET_ADMIN; -#if LINUX_TPROXY2 - cap_list[ncaps++] = CAP_NET_BROADCAST; -#endif } cap_clear_flag(caps, CAP_EFFECTIVE);