From 2ad20b4f9eaac9470dc18d4ad9153aa29b4f8422 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Wed, 9 Apr 2008 17:26:32 +1200 Subject: [PATCH] Make transparency flags always-present. Rename flags 'transparent' to 'intercepted' This minimizes the differences in code between multiple supported types of transparency and interception. The flag renaming is pure code cleanup, making the names much more descriptive of the actual meaning of the flags. TODO: currently remaining 'tproxy' flag needs changing to 'spoof_client_ip' TODO: testing of code changes. TODO: failover mechanism between two netfilter suported methods. --- src/ACLChecklist.cc | 4 ++-- src/ProtoPort.h | 18 +++++------------ src/cache_cf.cc | 8 ++++---- src/client_side.cc | 41 ++++++++++++++++++++------------------- src/client_side_request.h | 2 +- src/comm.cc | 10 +++------- src/forward.cc | 21 +++++++------------- src/forward.h | 4 +--- src/http.cc | 4 ---- src/structs.h | 10 +++------- 10 files changed, 47 insertions(+), 75 deletions(-) diff --git a/src/ACLChecklist.cc b/src/ACLChecklist.cc index e18330901a..24f0f33c26 100644 --- a/src/ACLChecklist.cc +++ b/src/ACLChecklist.cc @@ -53,8 +53,8 @@ ACLChecklist::authenticated() } else if (request->flags.accelerated) { /* WWW authorization on accelerated requests */ headertype = HDR_AUTHORIZATION; - } else if (request->flags.transparent) { - debugs(28, 1, "ACHChecklist::authenticated: authentication not applicable on transparently intercepted requests."); + } else if (request->flags.intercepted || request->flags.tproxy) { + debugs(28, DBG_IMPORTANT, HERE << " authentication not applicable on intercepted requests."); return -1; } else { /* Proxy authorization on proxy requests */ diff --git a/src/ProtoPort.h b/src/ProtoPort.h index 9d1ea8fa0a..f17864a61b 100644 --- a/src/ProtoPort.h +++ b/src/ProtoPort.h @@ -1,8 +1,6 @@ - /* * $Id: ProtoPort.h,v 1.1 2008/02/11 22:24:39 rousskov Exp $ */ - #ifndef SQUID_PROTO_PORT_H #define SQUID_PROTO_PORT_H 
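Review bot: The new test `request->flags.intercepted || request->flags.tproxy` also refuses proxy authentication on a request whose only flag is tproxy, which in this patch means a spoofing port that need not be marked intercept, yet the new debugs text says only "intercepted requests" and gives no reason for the tproxy half. If the intent is that a tproxy port is equally invisible to the client and so never carries a Proxy-Authorization header, say so above the branch: `/* tproxy ports are also transparent to the client, so Proxy-Authorization can never be present */`. If only intercepted requests were meant, the `|| request->flags.tproxy` part should go. ACLChecklist::authenticated starts and ends outside this hunk.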
@@ -21,21 +19,15 @@ struct http_port_list char *name; /* visible name */ char *defaultsite; /* default web site */ - unsigned int transparent:1; /* transparent proxy */ - - unsigned int accel:1; /* HTTP accelerator */ - - unsigned int vhost:1; /* uses host header */ - - unsigned int sslBump:1; /* intercepts CONNECT requests */ + unsigned int intercepted:1; /* intercepting proxy */ + unsigned int tproxy:1; /* spoof client ip using TPROXY */ + unsigned int accel:1; /* HTTP accelerator */ + unsigned int vhost:1; /* uses host header */ + unsigned int sslBump:1; /* intercepts CONNECT requests */ int vport; /* virtual port support, -1 for dynamic, >0 static*/ int disable_pmtu_discovery; -#if LINUX_TPROXY2 || LINUX_TPROXY4 - unsigned int tproxy:1; /* spoof client ip using tproxy */ -#endif - struct { unsigned int enabled; unsigned int idle; diff --git a/src/cache_cf.cc b/src/cache_cf.cc index d158311352..ad48e07b05 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -2920,8 +2920,8 @@ parse_http_port_option(http_port_list * s, char *token) else self_destruct(); - } else if (strcmp(token, "transparent") == 0) { - s->transparent = 1; + } else if (strcmp(token, "transparent") == 0 || strcmp(token, "intercept") == 0) { + s->intercepted = 1; IPInterceptor.StartInterception(); #if USE_IPV6 /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */ @@ -3063,8 +3063,8 @@ dump_generic_http_port(StoreEntry * e, const char *n, const http_port_list * s) if (s->defaultsite) storeAppendPrintf(e, " defaultsite=%s", s->defaultsite); - if (s->transparent) - storeAppendPrintf(e, " transparent"); + if (s->intercepted) + storeAppendPrintf(e, " intercept"); if (s->vhost) storeAppendPrintf(e, " vhost"); diff --git a/src/client_side.cc b/src/client_side.cc index 62dd775857..c44f31f7cb 100644 --- a/src/client_side.cc +++ b/src/client_side.cc 
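Review bot: `transparent` stays a silent alias of `intercept` in parse_http_port_option, while the second cache_cf.cc hunk now writes the option back only as `intercept`; since the old word now names one of two distinct modes (the other being `tproxy`), an admin whose config says `transparent` gets no signal about which mode they actually have. A one-time notice at parse time would make the rename discoverable, e.g. `debugs(3, DBG_IMPORTANT, "WARNING: http_port option 'transparent' is deprecated, use 'intercept'");` inside the `strcmp(token, "transparent") == 0` case. parse_http_port_option continues outside this hunk.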
@@ -1824,7 +1824,7 @@ prepareTransparentURL(ConnStateData * conn, ClientHttpRequest *http, char *url, char *host; char ntoabuf[MAX_IPSTRLEN]; - http->flags.transparent = 1; + http->flags.intercepted = 1; if (*url != '/') return; /* already in good shape */ @@ -1995,8 +1995,8 @@ parseHttpRequest(ConnStateData *conn, HttpParser *hp, HttpRequestMethod * method /* prepend our name & port */ http->uri = xstrdup(internalLocalUri(NULL, url)); http->flags.accel = 1; - } else if (conn->port->transparent) { - // Fallback on transparent if enabled, useful for "self" requests + } else if (conn->port->intercepted) { + // Fallback on transparent interception if enabled, useful for "self" requests prepareTransparentURL(conn, http, url, req_hdr); } @@ -2213,9 +2213,17 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c } request->flags.accelerated = http->flags.accel; - /* propagate the transparent and interception flags only if those modes are currently active. */ - request->flags.transparent = http->flags.transparent && IPInterceptor.InterceptActive(); - request->flags.tproxy = conn->port->tproxy && IPInterceptor.TransparentActive(); + + /** \par + * If transparent or interception mode is working clone the transparent and interception flags + * from the port settings to the request. + */ + if(IPInterceptor.InterceptActive()) { + request->flags.intercepted = http->flags.intercepted; + } + if(IPInterceptor.TransparentActive()) { + request->flags.tproxy = conn->port->tproxy; + } if (internalCheck(request->urlpath.buf())) { if (internalHostnameIs(request->GetHost()) && @@ -2715,6 +2723,7 @@ ConnStateData * connStateCreate(const IPAddress &peer, const IPAddress &me, int fd, http_port_list *port) { ConnStateData *result = new ConnStateData; + result->peer = peer; result->log_addr = peer; result->log_addr.ApplyMask(Config.Addrs.client_netmask.GetCIDR()); 
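Review bot: The two guarded assignments in clientProcessRequest only yield the same values as the replaced expressions because request_flags zero-initialises `intercepted` and `tproxy` (the structs.h hunk), so the invariant "a flag is set only while its mode is live" is now split across two files and should be stated here, e.g. `/* request_flags() zeroes both flags; copy them only while the matching mode is active */`. The `if(` spelling differs from this file's `if (` (see `if (internalCheck(` two lines below) and recurs in the connStateCreate and clientHttpConnectionsOpen hunks of this file and in the fwdStart and SetTproxy2OutgoingAddr hunks of forward.cc. A `/** \par` block inside a function body is not attached to any Doxygen entity, so a plain `/* */` comment says the same without leaving a dangling doc comment.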
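Review bot: `result->peer = peer;` in connStateCreate assigns a ConnStateData member that no hunk of this patch declares, and client_side.h is not in the diffstat, so unless `peer` already exists on ConnStateData this line will not compile. If it does exist, a comment distinguishing it from the masked address on the next line would help, e.g. `result->peer = peer; /* unmasked client address; log_addr below has client_netmask applied */`. connStateCreate continues in the following hunk and beyond.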
@@ -2723,12 +2732,7 @@ connStateCreate(const IPAddress &peer, const IPAddress &me, int fd, http_port_li result->in.buf = (char *)memAllocBuf(CLIENT_REQ_BUF_SZ, &result->in.allocatedSize); result->port = cbdataReference(port); -#if LINUX_TPROXY4 - if(port->transparent || port->tproxy) -#else - if(port->transparent) -#endif - { + if(port->intercepted || port->tproxy) { IPAddress dst; if (IPInterceptor.NatLookup(fd, me, peer, dst) == 0) { @@ -3111,13 +3115,9 @@ clientHttpConnectionsOpen(void) enter_suid(); -#if LINUX_TPROXY4 if(s->tproxy) { fd = comm_openex(SOCK_STREAM, IPPROTO_TCP, s->s, (COMM_NONBLOCKING|COMM_TRANSPARENT), 0, "HTTP Socket"); - } - else -#endif - { + } else { fd = comm_open(SOCK_STREAM, IPPROTO_TCP, s->s, COMM_NONBLOCKING, "HTTP Socket"); } @@ -3131,9 +3131,10 @@ clientHttpConnectionsOpen(void) comm_accept(fd, httpAccept, s); debugs(1, 1, "Accepting " << - (s->transparent ? "transparently proxied" : - s->sslBump ? "bumpy" : - s->accel ? "accelerated" : "") + (s->intercepted ? " intercepted" : "") << + (s->tproxy ? " spoofing" : "") << + (s->sslBump ? " bumpy" : "") << + (s->accel ? " accelerated" : "") << " HTTP connections at " << s->s << ", FD " << fd << "." ); diff --git a/src/client_side_request.h b/src/client_side_request.h index a642a8cf8d..64edd1072b 100644 --- a/src/client_side_request.h +++ b/src/client_side_request.h @@ -117,7 +117,7 @@ public: struct { unsigned int accel:1; - unsigned int transparent:1; + unsigned int intercepted:1; unsigned int internal:1; unsigned int done_copying:1; unsigned int purging:1; diff --git a/src/comm.cc b/src/comm.cc index 526a4de25f..83ec4b3df9 100644 --- a/src/comm.cc +++ b/src/comm.cc 
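Review bot: The rebuilt debugs line in clientHttpConnectionsOpen now prints a double space after `Accepting` whenever a mode is set, and `Accepting  HTTP connections` when none is, because the literal `"Accepting "` keeps its trailing blank while every mode string now begins with one; the fix is the context line, `debugs(1, 1, "Accepting" <<`. The mode words used to be mutually exclusive and can now all print together, which is fine but worth noting in a comment since the wording of the startup log is what admins search for.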
@@ -634,7 +634,7 @@ comm_set_v6only(int fd, int tos) void comm_set_transparent(int fd) { -#if LINUX_TPROXY4 +#if defined(IP_TRANSPARENT) int tos = 1; if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &tos, sizeof(int)) < 0) { debugs(50, DBG_IMPORTANT, "comm_open: setsockopt(IP_TRANSPARENT) on FD " << fd << ": " << xstrerror()); @@ -754,12 +754,10 @@ comm_openex(int sock_type, commSetReuseAddr(new_socket); } -#if LINUX_TPROXY4 /* MUST be done before binding or face OS Error: "(99) Cannot assign requested address"... */ if((flags & COMM_TRANSPARENT)) { comm_set_transparent(new_socket); } -#endif if (!addr.IsNoAddr()) { @@ -1351,13 +1349,11 @@ comm_old_accept(int fd, ConnectionDetail &details) commSetNonBlocking(sock); -#if LINUX_TPROXY4 - /* AYJ: do we actually need to set this again on every accept? */ if(fd_table[fd].flags.transparent == 1) { - comm_set_transparent(sock); + /* AYJ: do we actually need to set this again on every accept? */ + //comm_set_transparent(sock); F->flags.transparent = 1; } -#endif PROF_stop(comm_accept); return sock; diff --git a/src/forward.cc b/src/forward.cc index da75d7f7ab..965cd44422 100644 --- a/src/forward.cc +++ b/src/forward.cc @@ -265,11 +265,13 @@ FwdState::fwdStart(int client_fd, StoreEntry *entry, HttpRequest *request) default: FwdState::Pointer fwd = new FwdState(client_fd, entry, request); -#if LINUX_TPROXY2 || LINUX_TPROXY4 + /* If we need to transparently proxy the request * then we need the client source protocol, address and port */ - fwd->src = request->client_addr; -#endif + if(request->flags.tproxy) { + fwd->src = request->client_addr; + // AYJ: do we need to pass on the transparent flag also? + } fwd->start(fwd); return; @@ -793,12 +795,9 @@ FwdState::connectStart() ctimeout = Config.Timeout.connect; } -#if LINUX_TPROXY2 || LINUX_TPROXY4 if (request->flags.tproxy) client_addr = request->client_addr; -#endif - if (ftimeout < 0) ftimeout = 5; 
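Review bot: comm_set_transparent still returns void, so when `setsockopt(IP_TRANSPARENT)` fails the error is only logged and comm_openex (next hunk) goes on to bind and hand back a socket that is not transparent; with the `#if LINUX_TPROXY4` guards gone, clientHttpConnectionsOpen and FwdState::connectStart then treat that fd as spoofing-capable, and on a build where IP_TRANSPARENT is not defined the outcome depends on the `#else` branch that is outside this hunk. Returning the result (`int comm_set_transparent(int fd)` returning 0 on success and -1 on failure) and having comm_openex close the socket or clear COMM_TRANSPARENT on failure makes the condition visible to the caller instead of quietly putting the proxy's own address on the wire. Renaming `tos` to `on` would also stop the flag reading as a TOS value.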
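Review bot: comm_old_accept now sets `F->flags.transparent = 1` on the accepted socket without calling comm_set_transparent, leaving a commented-out call and an open question in its place; whether the accepted fd inherits IP_TRANSPARENT from the listener is exactly what the comment asks, and the code now silently assumes it does. Either keep the call until that is confirmed, or replace the dead line with the verified answer, e.g. `/* IP_TRANSPARENT is inherited from the listening socket on accept(); not set again here */`, rather than shipping commented-out code in the accept path.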
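Review bot: `fwd->src` in fwdStart is now assigned only when `request->flags.tproxy` is set, so on every other request the member keeps its default-constructed IPAddress; forward.h's new comment on `src` ("Client address for this connection") should say it is only meaningful when tproxy is on, e.g. `IPAddress src; /* Client address, set only for tproxy requests (see fwdStart). */`. The `// AYJ: do we need to pass on the transparent flag also?` question should become a tracked TODO or be resolved rather than left as a comment. fwdStart continues outside this hunk.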
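Review bot: connectStart still substitutes `client_addr = request->client_addr` for tproxy requests before the connection is obtained, but the matching substitution in HttpStateData::processReplyBody is deleted by the http.cc hunk of this patch, so the address used to push a spoofed-source connection into the pconn pool no longer follows the same rule as the address used to look one up. If the pconnPush in http.cc now receives a client_addr that is not the original client's, a persistent connection bound to one client's spoofed source address could be handed to a request from another client; confirm the push side still keys on the original client address or add a comment here explaining why it no longer needs to. The pconn lookup itself is outside the hunk.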
@@ -836,13 +835,9 @@ FwdState::connectStart() debugs(17, 3, "fwdConnectStart: got outgoing addr " << outgoing << ", tos " << tos); -#if LINUX_TPROXY4 if (request->flags.tproxy) { fd = comm_openex(SOCK_STREAM, IPPROTO_TCP, outgoing, (COMM_NONBLOCKING|COMM_TRANSPARENT), tos, url); - } - else -#endif - { + } else { fd = comm_openex(SOCK_STREAM, IPPROTO_TCP, outgoing, COMM_NONBLOCKING, tos, url); } @@ -887,7 +882,7 @@ FwdState::connectStart() if (request->flags.tproxy) { // try to set the outgoing address using TPROXY v2 // if it fails we abort any further TPROXY actions on this connection - if(IPInterceptor.SetTPROXY2OutgoingAddr(int fd, const IPAddress &src) == -1) { + if(IPInterceptor.SetTproxy2OutgoingAddr(int fd, const IPAddress &src) == -1) { request->flags.tproxy = 0; } } @@ -1227,10 +1222,8 @@ getOutgoingAddr(HttpRequest * request) { ACLChecklist ch; -#if LINUX_TPROXY4 if (request && request->flags.tproxy) return request->client_addr; -#endif if (request) { diff --git a/src/forward.h b/src/forward.h index c3a8d77ef8..9fba688b10 100644 --- a/src/forward.h +++ b/src/forward.h @@ -99,10 +99,8 @@ private: unsigned int ftp_pasv_failed:1; unsigned int forward_completed:1; } flags; -#if LINUX_NETFILTER || LINUX_TPROXY2 || LINUX_TPROXY4 - IPAddress src; -#endif + IPAddress src; /* Client address for this connection. Needed for transparent operations. */ }; #endif diff --git a/src/http.cc b/src/http.cc index 18f643688a..1b14f75210 100644 --- a/src/http.cc +++ b/src/http.cc @@ -1230,13 +1230,9 @@ HttpStateData::processReplyBody() closeHandler = NULL; fwd->unregister(fd); -#if LINUX_TPROXY2 || LINUX_TPROXY4 - if (orig_request->flags.tproxy) client_addr = orig_request->client_addr; -#endif - if (_peer) { if (_peer->options.originserver) fwd->pconnPush(fd, _peer->name, orig_request->port, orig_request->GetHost(), client_addr); diff --git a/src/structs.h b/src/structs.h index dfbce3fe16..30c00f3296 100644 --- a/src/structs.h +++ b/src/structs.h 
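Review bot: `IPInterceptor.SetTproxy2OutgoingAddr(int fd, const IPAddress &src)` is a call written with parameter declarations instead of arguments and cannot compile; the removed line had the same shape, so this block is presumably behind a preprocessor condition outside the hunk that no tested build enables. The call should pass values, `if (IPInterceptor.SetTproxy2OutgoingAddr(fd, src) == -1) {`, where `src` is presumably the FwdState member declared in forward.h. Since this patch makes `flags.tproxy` reachable on every build, the TPROXY v2 block should be compiled at least once before it is relied on.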
@@ -1024,14 +1024,12 @@ struct _iostats struct request_flags { - request_flags():range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),accelerated(0),transparent(0),internal(0),internalclient(0),must_keepalive(0),destinationIPLookedUp_(0) + request_flags(): range(0),nocache(0),ims(0),auth(0),cachable(0),hierarchical(0),loopdetect(0),proxy_keepalive(0),proxying(0),refresh(0),redirected(0),need_validation(0),accelerated(0),intercepted(0),internal(0),internalclient(0),must_keepalive(0),destinationIPLookedUp_(0) { #if HTTP_VIOLATIONS nocache_hack = 0; #endif -#if LINUX_TPROXY2 || LINUX_TPROXY4 tproxy = 0; -#endif } unsigned int range:1; @@ -1050,10 +1048,8 @@ struct request_flags unsigned int nocache_hack:1; /* for changing/ignoring no-cache requests */ #endif unsigned int accelerated:1; - unsigned int transparent:1; -#if LINUX_TPROXY2 || LINUX_TPROXY4 - unsigned int tproxy:1; /* spoof client ip using tproxy */ -#endif + unsigned int intercepted:1; /**< transparently intercepted request */ + unsigned int tproxy:1; /**< spoof client ip using tproxy */ unsigned int internal:1; unsigned int internalclient:1; unsigned int must_keepalive:1; -- 2.47.2
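Review bot: `tproxy = 0;` is now an unconditional statement in the request_flags constructor body while every other always-present flag, including the new `intercepted(0)`, is zeroed in the initializer list; with the `#if LINUX_TPROXY2 || LINUX_TPROXY4` guard gone there is no reason for the split. Move it into the list, `...,accelerated(0),intercepted(0),tproxy(0),internal(0),...`, and drop the body assignment so only the HTTP_VIOLATIONS case remains in the body. The second structs.h hunk only declares the bitfields and needs no change for this.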