From: Alexander Gozman
Date: Fri, 16 Feb 2018 10:52:58 +0000 (+0300)
Subject: Fix clientside_mark and client port logging in TPROXY mode (#150)
X-Git-Tag: SQUID_3_5_28~12
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=2db32599d23de8aec2cc3c9bcd788788c979e8b6;p=thirdparty%2Fsquid.git

Fix clientside_mark and client port logging in TPROXY mode (#150)

The clientside_mark ACL was not working with TPROXY because a conntrack query could not find connmark without a true client port. Ip::Intercept::Lookup() must return the true client address, but its TproxyTransparent() component was resetting the client port. We should use a zero port when we compute the source address for the Squid-to-peer connection instead.

---
diff --git a/src/FwdState.cc b/src/FwdState.cc index 06467926d6..6b50df1633 100644 --- a/src/FwdState.cc +++ b/src/FwdState.cc @@ -1246,6 +1246,7 @@ getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn) else #endif conn->local = request->client_addr; + conn->local.port(0); // let OS pick the source port to prevent address clashes // some flags need setting on the socket to use this address conn->flags |= COMM_DOBIND; conn->flags |= COMM_TRANSPARENT; diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc index 9c0164a4a5..dd4302092f 100644 --- a/src/ip/Intercept.cc +++ b/src/ip/Intercept.cc @@ -168,7 +168,6 @@ Ip::Intercept::TproxyTransparent(const Comm::ConnectionPointer &newConn, int sil /* Trust the user configured properly. If not no harm done. * We will simply attempt a bind outgoing on our own IP. */ - newConn->remote.port(0); // allow random outgoing port to prevent address clashes debugs(89, 5, HERE << "address TPROXY: " << newConn); return true; #else
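Review bot: In the FwdState.cc hunk, the new `conn->local.port(0);` relies on `conn->local = request->client_addr;` being a copy, so clearing the port here leaves `request->client_addr` (and thus the true client port the conntrack query for clientside_mark needs) untouched; the inline comment should say so, since a later refactor that binds to the request field directly would silently reintroduce the bug. It would also be worth stating that the zero port is required because the socket is bound with COMM_DOBIND and COMM_TRANSPARENT to a spoofed client address, where reusing the client's own source port would collide with the real client's connection through the same NAT/conntrack table.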
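Review bot: In the Intercept.cc hunk, the comment block directly above the removed line ("We will simply attempt a bind outgoing on our own IP.") is now stale: after this change TproxyTransparent() no longer touches the port at all, and the outgoing-bind concern has moved to getOutgoingAddress(). Please update the comment to say that `newConn->remote` is left as the full client address:port so that Lookup() callers, conntrack queries and access logs see the real client port, and confirm no other caller of TproxyTransparent() depended on `remote.port()` being zero before this commit.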