From 96d64448203e15c4cb960039349fa81edae6b9b4 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Tue, 25 May 2010 23:12:20 +1200
Subject: [PATCH] Author: Wojciech Zatorski <zator@bg.szczecin.pl> Author: Amos
 Jeffries <squid3@treenet.co.nz> Support TPROXYv4 spoofing of X-Forwarded-For
 client address.

Assumes correct configuration use of the X-Forwarded-For header with
a zone of trusted sources.

SECURITY WARNING:
    This patch depends on security features not present in older Squid
    versions and is not to be ported or applied to earlier releases.
---
 doc/release-notes/release-3.2.sgml |  5 +++++
 src/cf.data.pre                    | 16 ++++++++++++++--
 src/cf_gen_defines                 |  1 +
 src/forward.cc                     | 10 ++++++++--
 src/structs.h                      |  3 +++
 5 files changed, 31 insertions(+), 4 deletions(-)

diff --git a/doc/release-notes/release-3.2.sgml b/doc/release-notes/release-3.2.sgml
index 2d5e3906de..2712b9cde9 100644
--- a/doc/release-notes/release-3.2.sgml
+++ b/doc/release-notes/release-3.2.sgml
@@ -181,6 +181,11 @@ This section gives a thorough account of those changes in three categories:
 	<tag>logfile_daemon</tag>
 	<p>Ported from 2.7
 
+	<tag>tproxy_uses_indirect_client</tag>
+	<p>Controls whether the indirect client address found in the X-Forwarded-For
+	header is used for spoofing instead of the directly connected client address.
+	Requires both --enable-follow-x-forwarded-for and --enable-linux-netfilter
+
 </descrip>
 
 <sect1>Changes to existing tags<label id="modifiedtags">
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 30acb60522..96fb15d3a6 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -808,8 +808,8 @@ DOC_START
 	refer to as the indirect client address.  This address may
 	be treated as the client address for access control, ICAP, delay
 	pools and logging, depending on the acl_uses_indirect_client,
-	icap_uses_indirect_client, delay_pool_uses_indirect_client and
-	log_uses_indirect_client options.
+	icap_uses_indirect_client, delay_pool_uses_indirect_client, 
+	log_uses_indirect_client and tproxy_uses_indirect_client options.
 
 	This clause only supports fast acl types.
 	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
@@ -867,6 +867,18 @@ DOC_START
 	direct client address in the access log.
 DOC_END
 
+NAME: tproxy_uses_indirect_client
+COMMENT: on|off
+TYPE: onoff
+IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER
+DEFAULT: on
+LOC: Config.onoff.tproxy_uses_indirect_client
+DOC_START
+	Controls whether the indirect client address
+	(see follow_x_forwarded_for) is used instead of the
+	direct client address when spoofing the outgoing client.
+DOC_END
+
 NAME: http_access
 TYPE: acl_access
 LOC: Config.accessList.http
diff --git a/src/cf_gen_defines b/src/cf_gen_defines
index fc6a9d4382..bbebf6c17e 100644
--- a/src/cf_gen_defines
+++ b/src/cf_gen_defines
@@ -9,6 +9,7 @@ BEGIN {
 	define["FOLLOW_X_FORWARDED_FOR"]="--enable-follow-x-forwarded-for"
 	define["FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools"
 	define["FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT"]="--enable-follow-x-forwarded-for and --enable-icap-client"
+	define["FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER"]="--enable-follow-x-forwarded-for and --enable-linux-netfilter"
 	define["HTTP_VIOLATIONS"]="--enable-http-violations"
 	define["ICAP_CLIENT"]="--enable-icap-client"
 	define["SQUID_SNMP"]="--enable-snmp"
diff --git a/src/forward.cc b/src/forward.cc
index 7da3296278..96849bdc7d 100644
--- a/src/forward.cc
+++ b/src/forward.cc
@@ -1338,8 +1338,14 @@ Ip::Address
 getOutgoingAddr(HttpRequest * request, struct peer *dst_peer)
 {
     if (request && request->flags.spoof_client_ip) {
-        if (!dst_peer || !dst_peer->options.no_tproxy)
-            return request->client_addr;
+        if (!dst_peer || !dst_peer->options.no_tproxy) {
+#if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER
+            if (Config.onoff.tproxy_uses_indirect_client)
+                return request->indirect_client_addr;
+            else
+#endif
+               return request->client_addr;
+        }
         // else no tproxy today ...
     }
 
diff --git a/src/structs.h b/src/structs.h
index 266861bf74..b8ddec90bf 100644
--- a/src/structs.h
+++ b/src/structs.h
@@ -432,6 +432,9 @@ struct SquidConfig {
         int acl_uses_indirect_client;
         int delay_pool_uses_indirect_client;
         int log_uses_indirect_client;
+#if LINUX_NETFILTER
+        int tproxy_uses_indirect_client;
+#endif
 #endif /* FOLLOW_X_FORWARDED_FOR */
 
         int WIN32_IpAddrChangeMonitor;
-- 
2.47.3