From: Amos Jeffries Date: Tue, 8 Apr 2008 13:14:49 +0000 (+1200) Subject: Move need_linux_tproxy to a property of the Interception manager X-Git-Tag: SQUID_3_1_0_1~49^2~276^2~17 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=04f874690ce86ba252f172a34d374ad38d1edea5;p=thirdparty%2Fsquid.git Move need_linux_tproxy to a property of the Interception manager --- diff --git a/src/IPInterception.cc b/src/IPInterception.cc index 0c5445aa07..2d952b2ce1 100644 --- a/src/IPInterception.cc +++ b/src/IPInterception.cc @@ -3,6 +3,7 @@ * * DEBUG: section 89 NAT / IP Interception * AUTHOR: Robert Collins + * AUTHOR: Amos Jeffries * * SQUID Web Proxy Cache http://www.squid-cache.org/ * ---------------------------------------------------------- @@ -102,6 +103,17 @@ // single global instance for access by other components. IPIntercept IPInterceptor; +void +IPIntercept::StopTransparency(const char *str) { + debugs(89, DBG_IMPORTANT, "Stopping full transparency: " << str); + transparent_active = 0; +} + +void +IPIntercept::StopInterception(const char *str) { + debugs(89, DBG_IMPORTANT, "Stopping IP interception: " << str); + intercept_active = 0; +} // TODO split this one call into one per transparency method // with specific switching at run-time ?? diff --git a/src/IPInterception.h b/src/IPInterception.h index ad7dae5caa..cd1d6522f5 100644 --- a/src/IPInterception.h +++ b/src/IPInterception.h @@ -1,32 +1,9 @@ /* * $Id: IPInterception.h,v 1.7 2007/12/14 23:11:45 amosjeffries Exp $ * - * - * SQUID Web Proxy Cache http://www.squid-cache.org/ - * ---------------------------------------------------------- - * - * Squid is the result of efforts by numerous individuals from - * the Internet community; see the CONTRIBUTORS file for full - * details. Many organizations have provided support for Squid's - * development; see the SPONSORS file for full details. Squid is - * Copyrighted (C) 2001 by the Regents of the University of - * California; see the COPYRIGHT file for full details. Squid - * incorporates software developed and/or copyrighted by other - * sources; see the CREDITS file for full details. - * - * This program is free software; you can redistribute it and/or modify - * it under the terms of the GNU General Public License as published by - * the Free Software Foundation; either version 2 of the License, or - * (at your option) any later version. - * - * This program is distributed in the hope that it will be useful, - * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. - * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software - * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA. + * DEBUG: section 89 NAT / IP Interception + * AUTHOR: Robert Collins + * AUTHOR: Amos Jeffries * */ #ifndef SQUID_IPINTERCEPTION_H @@ -45,6 +22,9 @@ class IPAddress; class IPIntercept { public: + IPIntercept() : transparent_active(0), intercept_active(0) {}; + ~IPIntercept() {}; + int NatLookup(int fd, const IPAddress &me, const IPAddress &peer, IPAddress &dst); #if LINUX_TPROXY2 @@ -52,7 +32,53 @@ public: // which require the address be set specifically post-connect. int SetTproxy2OutgoingAddr(int fd, const IPAddress &src); #endif -} + + /** + \retval 0 Full transparency is disabled. + \retval 1 Full transparency is enabled and active. + */ + inline int TransparentActive() { return transparent_active; }; + + /** \par + * Turn on fully Transparent-Proxy activities. + * This function should be called during parsing of the squid.conf + * When any option requiring full-transparency is encountered. + */ + inline void StartTransparency() { transparent_active=1; }; + + /** \par + * Turn off fully Transparent-Proxy activities on all new connections. + * Existing transactions and connections are unaffected and will run + * to their natural completion. + \param str Reason for stopping. Will be logged to cache.log + */ + void StopTransparency(const char *str); + + /** + \retval 0 IP Interception is disabled. + \retval 1 IP Interception is enabled and active. + */ + inline int InterceptActive() { return intercept_active; }; + + /** \par + * Turn on IP-Interception-Proxy activities. + * This function should be called during parsing of the squid.conf + * When any option requiring interception / NAT handling is encountered. + */ + inline void StartInterception() { intercept_active=1; }; + + /** \par + * Turn off IP-Interception-Proxy activities on all new connections. + * Existing transactions and connections are unaffected and will run + * to their natural completion. + \param str Reason for stopping. Will be logged to cache.log + */ + inline void StopInterception(const char *str); + +private: + int transparent_active; + int intercept_active; +}; #if !defined(IP_TRANSPARENT) /// \ingroup IPInterceptAPI diff --git a/src/cache_cf.cc b/src/cache_cf.cc index d05034d035..d158311352 100644 --- a/src/cache_cf.cc +++ b/src/cache_cf.cc @@ -47,6 +47,8 @@ #include "Parsing.h" #include "MemBuf.h" #include "wordlist.h" +#include "IPInterception.h" + #if HAVE_GLOB_H #include #endif @@ -2894,15 +2896,6 @@ parse_http_port_option(http_port_list * s, char *token) } else if (strncmp(token, "name=", 5) == 0) { safe_free(s->name); s->name = xstrdup(token + 5); - } else if (strcmp(token, "transparent") == 0) { - s->transparent = 1; -#if USE_IPV6 - /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */ - if( !s->s.SetIPv4() ) { - debugs(3, 0, "http(s)_port: IPv6 addresses cannot be 'transparent' (protocol does not provide NAT)" << s->s ); - self_destruct(); - } -#endif } else if (strcmp(token, "vhost") == 0) { s->vhost = 1; s->accel = 1; @@ -2927,18 +2920,25 @@ parse_http_port_option(http_port_list * s, char *token) else self_destruct(); -#if LINUX_TPROXY2 || LINUX_TPROXY4 - + } else if (strcmp(token, "transparent") == 0) { + s->transparent = 1; + IPInterceptor.StartInterception(); +#if USE_IPV6 + /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */ + if( !s->s.SetIPv4() ) { + debugs(3, 0, "http(s)_port: IPv6 addresses cannot be 'transparent' (protocol does not provide NAT)" << s->s ); + self_destruct(); + } +#endif } else if (strcmp(token, "tproxy") == 0) { s->tproxy = 1; - need_linux_tproxy = 1; + IPInterceptor.StartTransparency(); #if USE_IPV6 - /* INET6: until transparent REDIRECT works on IPv6 SOCKET, force wildcard to IPv4 */ + /* INET6: until target TPROXY is known to work on IPv6 SOCKET, force wildcard to IPv4 */ if( s->s.IsIPv6() && !s->s.SetIPv4() ) { debugs(3, 0, "http(s)_port: IPv6 addresses cannot be transparent (protocol does not provide NAT)" << s->s ); self_destruct(); } -#endif #endif } else if (strcmp(token, "ipv4") == 0) { diff --git a/src/client_side.cc b/src/client_side.cc index 13233925e1..62dd775857 100644 --- a/src/client_side.cc +++ b/src/client_side.cc @@ -2213,12 +2213,9 @@ clientProcessRequest(ConnStateData *conn, HttpParser *hp, ClientSocketContext *c } request->flags.accelerated = http->flags.accel; - - request->flags.transparent = http->flags.transparent; - -#if LINUX_TPROXY2 || LINUX_TPROXY4 - request->flags.tproxy = conn->port->tproxy && need_linux_tproxy; -#endif + /* propagate the transparent and interception flags only if those modes are currently active. */ + request->flags.transparent = http->flags.transparent && IPInterceptor.InterceptActive(); + request->flags.tproxy = conn->port->tproxy && IPInterceptor.TransparentActive(); if (internalCheck(request->urlpath.buf())) { if (internalHostnameIs(request->GetHost()) && diff --git a/src/globals.h b/src/globals.h index 9d581252fc..00519753db 100644 --- a/src/globals.h +++ b/src/globals.h @@ -185,9 +185,6 @@ extern "C" extern const char *external_acl_message; /* NULL */ extern int opt_send_signal; /* -1 */ extern int opt_no_daemon; /* 0 */ -#if LINUX_TPROXY2 || LINUX_TPROXY4 - extern int need_linux_tproxy; /* 0 */ -#endif #ifdef __cplusplus diff --git a/src/tools.cc b/src/tools.cc index aa87a254a7..61ef6bee30 100644 --- a/src/tools.cc +++ b/src/tools.cc @@ -1,4 +1,3 @@ - /* * $Id: tools.cc,v 1.281 2008/02/11 22:44:50 rousskov Exp $ * @@ -40,6 +39,7 @@ #include "MemBuf.h" #include "wordlist.h" #include "SquidTime.h" +#include "IPInterception.h" #ifdef _SQUID_LINUX_ #if HAVE_SYS_CAPABILITY_H @@ -1235,16 +1235,11 @@ keepCapabilities(void) #if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && HAVE_SYS_CAPABILITY_H if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) { - /* Silent failure unless TPROXY is required. Maybe not started as root */ -#if LINUX_TPROXY2 || LINUX_TPROXY4 - - if (need_linux_tproxy) - debugs(1, 1, "Error - tproxy support requires capability setting which has failed. Continuing without tproxy support"); - - need_linux_tproxy = 0; - -#endif - + /* Silent failure unless transparency is required. Maybe not started as root */ + if (IPInterceptor.TransparentActive()) { + debugs(1, 1, "Error - full transparency support requires capability setting which has failed. Continuing without transparency support"); + IPInterceptor.StopTransparency(); + } } #endif } @@ -1273,29 +1268,21 @@ restoreCapabilities(int keep) cap->inheritable = 0; cap->effective = (1 << CAP_NET_BIND_SERVICE); -#if LINUX_TPROXY2 - if (need_linux_tproxy) - cap->effective |= (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BROADCAST); -#elif LINUX_TPROXY4 - if (need_linux_tproxy) + if(IPIntercept.TransparentActive()) { cap->effective |= (1 << CAP_NET_ADMIN); - +#if LINUX_TPROXY2 + cap->effective |= (1 << CAP_NET_BROADCAST); #endif + } if (!keep) cap->permitted &= cap->effective; if (capset(head, cap) != 0) { - /* Silent failure unless TPROXY is required */ -#if LINUX_TPROXY2 || LINUX_TPROXY4 - - if (need_linux_tproxy) - debugs(50, 1, "Error enabling needed capabilities. Will continue without tproxy support"); - - need_linux_tproxy = 0; - -#endif - + /* Silent failure unless transparency is required */ + if(IPInterceptor.TransparentActive()) { + IPInterceptor.StopTransparency("Error enabling needed capabilities."); + } } nocap: @@ -1303,13 +1290,9 @@ nocap: xfree(cap); #else /* not defined(_SQUID_LINUX_) && HAVE_SYS_CAPABILITY_H */ -#if LINUX_TPROXY2 || LINUX_TPROXY4 - - if (need_linux_tproxy) - debugs(50, 1, "Missing needed capability support. Will continue without tproxy support"); - - need_linux_tproxy = 0; -#endif + if (IPInterceptor.TransparentActive()) { + IPInterceptor.StopTransparency("Missing needed capability support."); + } #endif }