From acaa719407e66cfcc28718122dfa2e852338fab2 Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Fri, 19 Sep 2008 00:57:49 +1200
Subject: [PATCH] Logic Fix experiment completion.

* Requires 'tproxy' option be teh only mode on a given port.
* Assumes all requests received there are TPROXY intercepted. bind() errors may occur if external configuration passes normal requests to the tproxy flagged Squid port.
* Spoofs client IP on all requests received at that port.

Based on new info, TPROXY once set on a port has to be assumed as always set. There is nothing reasonably possible which Squid can do as a quick lookup to retrieve the clients destination IP. BUT, the destination IP is the one given on accept() in all these cases anyway. This makes Squid handling code much simpler and faster, but also runs the risk of breakage on non-tproxy requests to the port.
---
 src/IPInterception.cc | 26 +++++++-------------------
 src/cache_cf.cc | 9 +++++++++
 src/comm.cc | 10 ++--------
 3 files changed, 18 insertions(+), 27 deletions(-)

diff --git a/src/IPInterception.cc b/src/IPInterception.cc
index 677298767f..66e4edb3d9 100644
--- a/src/IPInterception.cc
+++ b/src/IPInterception.cc
@@ -158,27 +158,15 @@ int IPIntercept::NetfilterTransparent(int fd, const IPAddress &me, IPAddress &dst, int silent)
 {
 #if LINUX_NETFILTER
-    int tmp = 0;
-    /** \par
-     * Try lookup for TPROXY targets. BUT, only if the FD is flagged for transparent operations. */
-    if(getsockopt(fd, SOL_IP, IP_TRANSPARENT, NULL, &tmp) != 0) {
-        if(!silent) {
-            debugs(89, DBG_IMPORTANT, HERE << " NF getsockopt(IP_TRANSPARENT) failed on FD " << fd << ": " << xstrerror());
-            last_reported = squid_curtime;
-        }
-        return -1;
-    }
-    else {
-        // mark the socket for preservation of IP_TRANSPARENT
-        fd_table[fd].flags.transparent = 1;
-        dst = me;
-        debugs(89, 9, HERE << "address: me= " << me << ", dst= " << dst);
-        return 0;
-    }
-
-#endif
+    /* Trust the user configured properly. If not no harm done.
+     * We will simply attempt a bind outgoing on our own IP.
+     * Maybe a port clash which will show them the problem.
+     */
+    return (fd_table[fd].flags.transparent ? 0 : -1);
+#else
     return -1;
+#endif
 }
 // TODO split this one call into one per transparency method
diff --git a/src/cache_cf.cc b/src/cache_cf.cc
index af8d8461d8..4e695b0959 100644
--- a/src/cache_cf.cc
+++ b/src/cache_cf.cc
@@ -2962,6 +2962,10 @@ parse_http_port_option(http_port_list * s, char *token)
         }
 #endif
     } else if (strcmp(token, "tproxy") == 0) {
+        if(s->intercepted || s->accel) {
+            debugs(3,DBG_CRITICAL, "http(s)_port: TPROXY option requires its own interception port. It cannot be shared.");
+            self_destruct();
+        }
         s->spoof_client_ip = 1;
         IPInterceptor.StartTransparency();
         /* Log information regarding the port modes under transparency. */
@@ -3046,6 +3050,11 @@ parse_http_port_option(http_port_list * s, char *token)
     } else {
         self_destruct();
     }
+
+    if( s->spoof_client_ip && (s->intercepted || s->accel) ) {
+        debugs(3,DBG_CRITICAL, "http(s)_port: TPROXY option requires its own interception port. It cannot be shared.");
+        self_destruct();
+    }
 }

 static http_port_list *
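Review bot: The new body of NetfilterTransparent returns -1 with no diagnostic when `fd_table[fd].flags.transparent` is clear, so the `silent` argument and the `last_reported` rate-limit that the removed getsockopt() branch used are now dead, and a non-tproxy request landing on a tproxy-flagged port is only noticed as the later outgoing bind() failure the new comment anticipates. Splitting the ternary into an `if` so the failing branch can log keeps the misconfiguration visible where it is detected, e.g. `if(!silent) { debugs(89, DBG_IMPORTANT, HERE << "FD " << fd << " on a tproxy port is not flagged transparent"); last_reported = squid_curtime; }` before `return -1;`. The success path also no longer writes `dst = me`, so `dst` is left untouched on a 0 return; the commit message says callers use the accept() address instead, but that is not visible here, so either assign it or state in the function's comment that `me`, `dst` and `silent` are intentionally unused under LINUX_NETFILTER.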
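Review bot: The check added inside the `tproxy` branch duplicates the one this same patch adds at the end of parse_http_port_option, which runs after every token and already rejects `tproxy` combined with `intercepted` or `accel` in either order, so the only thing the in-branch copy gains is failing before `s->spoof_client_ip = 1` and `IPInterceptor.StartTransparency()` run. If that early exit is the intent it deserves a comment rather than a second identical message, e.g. `/* refuse here so a rejected port never reaches StartTransparency() */`; otherwise drop this copy and keep the single trailing check. The spacing `if(s->intercepted` also differs from the surrounding `if (strcmp(` style. parse_http_port_option begins and ends outside this hunk.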
diff --git a/src/comm.cc b/src/comm.cc
index f640948943..df6fca5473 100644
--- a/src/comm.cc
+++ b/src/comm.cc
@@ -1401,14 +1401,8 @@ comm_old_accept(int fd, ConnectionDetail &details)
     commSetNonBlocking(sock);
-#if 0
-// AYJ: 2008-09-16 - might be a bad idea to pass this down from here.
-// if KK is right, this flag should be set on successful NatLookup
-
-    if(fd_table[fd].flags.transparent == 1) {
-        F->flags.transparent = 1;
-    }
-#endif
+    /* IFF the socket is (tproxy) transparent, pass the flag down to allow spoofing */
+    F->flags.transparent = fd_table[fd].flags.transparent;
     PROF_stop(comm_accept);
     return sock;
-- 
2.47.3
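Review bot: The new assignment copies the listening socket's `flags.transparent` onto every accepted connection without inspecting the accepted socket, so client-IP spoofing is now decided entirely by how the listener's flag was set; this patch removes the getsockopt(IP_TRANSPARENT) verification in IPInterception.cc, and the code that sets the listener's flag is not visible here, so confirm it is set only after IP_TRANSPARENT was successfully applied to the listener — otherwise a listener whose setsockopt failed would still mark every accepted FD for spoofing. The comment above the assignment should state that dependency instead of "IFF", e.g. `/* Inherit the listener's tproxy flag; it is what later permits spoofing the client IP, so it must only be set when IP_TRANSPARENT was actually applied to the listening socket */`. comm_old_accept starts outside this hunk.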