Logic Fix experiment completion.

 * Requires 'tproxy' option be teh only mode on a given port.
 * Assumes all requests received there are TPROXY intercepted.
   bind() errors may occur if external configuration passes normal
   requests to the tproxy flagged Squid port.
 * Spoofs client IP on all requests received at that port.

Based on new info, TPROXY once set on a port has to be assumed as always
set. There is nothing reasonably possible which Squid can do as a quick
lookup to retrieve the clients destination IP. BUT, the destination IP is
the one given on accept() in all these cases anyway.

This makes Squid handling code much simpler and faster, but also runs the
risk of breakage on non-tproxy requests to the port.

diff --git a/src/IPInterception.cc b/src/IPInterception.cc
index 677298767fc15ef3254861d540846235e28797d1..66e4edb3d97f466ff77dabed4cd8e22ecbcb2d61 100644 (file)
--- a/src/IPInterception.cc
+++ b/src/IPInterception.cc
@@ -158,27 +158,15 @@ int
 IPIntercept::NetfilterTransparent(int fd, const IPAddress &me, IPAddress &dst, int silent)
 {
 #if LINUX_NETFILTER
-    int tmp = 0;
 
-    /** \par
-     * Try lookup for TPROXY targets. BUT, only if the FD is flagged for transparent operations. */
-    if(getsockopt(fd, SOL_IP, IP_TRANSPARENT, NULL, &tmp) != 0) {
-        if(!silent) {
-            debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(IP_TRANSPARENT) failed on FD " << fd << ": " << xstrerror());
-            last_reported = squid_curtime;
-        }
-        return -1;
-    }
-    else {
-        // mark the socket for preservation of IP_TRANSPARENT
-        fd_table[fd].flags.transparent = 1;
-        dst = me;
-        debugs(89, 9, HERE << "address: me= " << me << ", dst= " << dst);
-        return 0;
-    }
-
-#endif
+    /* Trust the user configured properly. If not no harm done.
+     * We will simply attempt a bind outgoing on our own IP.
+     * Maybe a port clash which will show them the problem.
+     */
+    return (fd_table[fd].flags.transparent ? 0 : -1);
+#else
     return -1;
+#endif
 }
 
 // TODO split this one call into one per transparency method

diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index af8d8461d85c4e6851830e8c14711d955f3dcc63..4e695b0959518c8248d95026c00cd42bcd169a2e 100644 (file)
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2962,6 +2962,10 @@ parse_http_port_option(http_port_list * s, char *token)
         }
 #endif
     } else if (strcmp(token, "tproxy") == 0) {
+        if(s->intercepted || s->accel) {
+            debugs(3,DBG_CRITICAL, "http(s)_port: TPROXY option requires its own interception port. It cannot be shared.");
+            self_destruct();
+        }
         s->spoof_client_ip = 1;
         IPInterceptor.StartTransparency();
         /* Log information regarding the port modes under transparency. */
@@ -3046,6 +3050,11 @@ parse_http_port_option(http_port_list * s, char *token)
     } else {
         self_destruct();
     }
+
+    if( s->spoof_client_ip && (s->intercepted || s->accel) ) {
+        debugs(3,DBG_CRITICAL, "http(s)_port: TPROXY option requires its own interception port. It cannot be shared.");
+        self_destruct();
+    }
 }
 
 static http_port_list *

diff --git a/src/comm.cc b/src/comm.cc
index f6409489430e9b838a0e400b6bc97651b14ba12b..df6fca547382772ba8e1386831570f573b62370d 100644 (file)
--- a/src/comm.cc
+++ b/src/comm.cc
@@ -1401,14 +1401,8 @@ comm_old_accept(int fd, ConnectionDetail &details)
 
     commSetNonBlocking(sock);
 
-#if 0
-// AYJ: 2008-09-16 - might be a bad idea to pass this down from here.
-//     if KK is right, this flag should be set on successful NatLookup
-
-    if(fd_table[fd].flags.transparent == 1) {
-        F->flags.transparent = 1;
-    }
-#endif
+    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
+    F->flags.transparent = fd_table[fd].flags.transparent;
 
     PROF_stop(comm_accept);
     return sock;