The clientside_mark ACL was not working with TPROXY because a
conntrack query could not find connmark without a true client port.
Ip::Intercept::Lookup() must return true client address, but its
TproxyTransparent() component was resetting the client port. We should
use zero port when we compute the source address for the Squid-to-peer
connection instead.
else
#endif
conn->local = request->client_addr;
+ conn->local.port(0); // let OS pick the source port to prevent address clashes
// some flags need setting on the socket to use this address
conn->flags |= COMM_DOBIND;
conn->flags |= COMM_TRANSPARENT;
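Review bot: the new `conn->local.port(0);` line sits directly after an unbraced `else` that is itself wrapped in `#if`/`#endif`, so it is easy to misread as belonging only to the else branch; it actually runs unconditionally after whichever `conn->local = ...` assignment was taken, which is what the commit message wants (zero source port for the Squid-to-peer connection in both cases). Consider adding braces around the conditional assignment or a short comment stating that the port reset is deliberately applied to both branches, so a later edit does not accidentally move it inside the `#if` block.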
/* Trust the user configured properly. If not no harm done.
* We will simply attempt a bind outgoing on our own IP.
*/
- newConn->remote.port(0); // allow random outgoing port to prevent address clashes
debugs(89, 5, HERE << "address TPROXY: " << newConn);
return true;
#else
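Review bot: with `newConn->remote.port(0);` removed, the comment block immediately above ("Trust the user configured properly ... attempt a bind outgoing on our own IP") now describes nothing in this function and is left dangling before the `debugs(89, 5, HERE << "address TPROXY: " << newConn);` line; either trim it or reword it to say that TproxyTransparent() now preserves the client's real port so the connmark lookup can match the conntrack entry, with the source-port zeroing done by the caller that builds the outgoing connection. It is also worth confirming that no other caller of Ip::Intercept::Lookup() relied on the returned address having a zero port, since that behaviour change is not visible in this hunk.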