tproxy4, kernel 2.6.22, squid-2.6.stable16 and our patch with IP_FREEBIND
Squid with this changes is currently work in our server
diff -ru squid-2.6.STABLE16.tproxy-freebind/src/comm.c squid-2.6.STABLE16/src/comm.c
--- squid-2.6.STABLE16.tproxy-freebind/src/comm.c 2007-12-18 09:31:55.000000000 +0200
+++ squid-2.6.STABLE16/src/comm.c 2007-04-17 12:39:56.000000000 +0300
@@ -162,7 +162,7 @@
     int flags,
     const char *note)
 {
-    return comm_openex(sock_type, proto, addr, port, flags, 0, note,0);
+    return comm_openex(sock_type, proto, addr, port, flags, 0, note);
 }
@@ -175,8 +175,7 @@
     u_short port,
     int flags,
     unsigned char TOS,
-    const char *note,
-    struct in_addr* tproxy)
+    const char *note)
 {
     int new_socket;
     int tos = 0;
@@ -210,16 +209,6 @@
         debug(5, 0) ("comm_open: setsockopt(IP_TOS) not supported on this platform\n");
 #endif
     }
-    {
-    #define IP_FREEBIND 15
-    int x=1;
-    if (setsockopt(new_socket, SOL_IP, IP_FREEBIND, &x, sizeof(x)) == -1) {
-        debug(20, 1) ("tproxy ip ,port ERROR ASSIGN\n");
-    } else if (tproxy){
-        addr.s_addr = tproxy->s_addr;
-        port=0;
-    }
-    }
     /* update fdstat */
     debug(5, 5) ("comm_open: FD %d is a new socket\n", new_socket);
     fd_open(new_socket, FD_SOCKET, note);
diff -ru squid-2.6.STABLE16.tproxy-freebind/src/forward.c squid-2.6.STABLE16/src/forward.c
--- squid-2.6.STABLE16.tproxy-freebind/src/forward.c 2007-12-18 14:17:42.000000000 +0200
+++ squid-2.6.STABLE16/src/forward.c 2007-09-06 00:28:34.000000000 +0300
@@ -27,7 +27,7 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  * GNU General Public License for more details.
  *
- * You should have received a copy of theF GNU General Public License
+ * You should have received a copy of the GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  *
@@ -556,8 +556,7 @@
         0,
         COMM_NONBLOCKING,
         tos,
-        url,
-        (fwdState->request->flags.tproxy && strcmp(host,"127.0.0.2"))?( &( fwdState->src.sin_addr)):0);
+        url);
     if (fd < 0) {
         debug(50, 4) ("fwdConnectStart: %s\n", xstrerror());
         err = errorCon(ERR_SOCKET_FAILURE, HTTP_INTERNAL_SERVER_ERROR, fwdState->request);
@@ -588,6 +587,32 @@
     if (fs->peer) {
         hierarchyNote(&fwdState->request->hier, fs->code, fs->peer->name);
     } else {
+#if LINUX_TPROXY
+        if (fwdState->request->flags.tproxy) {
+
+            itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
+            itp.v.addr.fport = 0;
+
+            /* If these syscalls fail then we just fallback to connecting
+             * normally by simply ignoring the errors...
+             */
+            itp.op = TPROXY_ASSIGN;
+            if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
+                debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN \n",
+                    inet_ntoa(itp.v.addr.faddr),
+                    itp.v.addr.faddr.s_addr,
+                    itp.v.addr.fport);
+            } else {
+                itp.op = TPROXY_FLAGS;
+                itp.v.flags = ITP_CONNECT;
+                if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
+                    debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT \n",
+                        itp.v.addr.faddr.s_addr,
+                        itp.v.addr.fport);
+                }
+            }
+        }
+#endif
         hierarchyNote(&fwdState->request->hier, fs->code, fwdState->request->host);
     }
     commConnectStart(fd, host, port, fwdConnectDone, fwdState);
diff -ru squid-2.6.STABLE16.tproxy-freebind/src/main.c squid-2.6.STABLE16/src/main.c
--- squid-2.6.STABLE16.tproxy-freebind/src/main.c 2007-12-05 14:21:51.000000000 +0200
+++ squid-2.6.STABLE16/src/main.c 2007-08-31 16:52:10.000000000 +0300
@@ -487,13 +487,13 @@
 #ifdef _SQUID_OS2_
     return;
 #endif
-/*    if (geteuid() == 0) {
+    if (geteuid() == 0) {
         debug(0, 0) ("Squid is not safe to run as root! If you must \n");
         debug(0, 0) ("start Squid as root, then you must configure\n");
         debug(0, 0) ("it to run as a non-priveledged user with the\n");
         debug(0, 0) ("'cache_effective_user' option in the config file.\n");
         fatal("Don't run Squid as root, set 'cache_effective_user'!");
-    }*/
+    }
 }
 static void
diff -ru squid-2.6.STABLE16.tproxy-freebind/src/protos.h squid-2.6.STABLE16/src/protos.h
--- squid-2.6.STABLE16.tproxy-freebind/src/protos.h 2007-12-18 09:26:35.000000000 +0200
+++ squid-2.6.STABLE16/src/protos.h 2007-07-15 12:52:17.000000000 +0300
@@ -160,7 +160,7 @@
 extern void comm_init(void);
 extern int comm_listen(int sock);
 extern int comm_open(int, int, struct in_addr, u_short port, int, const char *note);
-extern int comm_openex(int, int, struct in_addr, u_short, int, unsigned char TOS, const char *,struct in_addr* );
+extern int comm_openex(int, int, struct in_addr, u_short, int, unsigned char TOS, const char *);
 extern u_short comm_local_port(int fd);
 extern void commDeferFD(int fd);
diff -ru squid-2.6.STABLE16.tproxy-freebind/src/ssl.c squid-2.6.STABLE16/src/ssl.c
--- squid-2.6.STABLE16.tproxy-freebind/src/ssl.c 2007-12-18 09:27:04.000000000 +0200
+++ squid-2.6.STABLE16/src/ssl.c 2007-02-03 23:53:38.000000000 +0200
@@ -524,8 +524,7 @@
         0,
         COMM_NONBLOCKING,
         getOutgoingTOS(request),
-        url,
-        0);
+        url);
     if (sock == COMM_ERROR) {
         debug(26, 4) ("sslStart: Failed because we're out of sockets.\n");
         err = errorCon(ERR_SOCKET_FAILURE, HTTP_INTERNAL_SERVER_ERROR, request);
-- Andrey Luzgin <andrey@icomsw.com> I-com software
:-O I'm so sorry!!!! Was mistaken a direction in diff! My previous post consider cancelled. This is the right patch:
diff -ru squid-2.6.STABLE16/src/comm.c squid-2.6.STABLE16.tproxy-freebind/src/comm.c
--- squid-2.6.STABLE16/src/comm.c 2007-04-17 12:39:56.000000000 +0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/comm.c 2007-12-18 09:31:55.000000000 +0200
@@ -162,7 +162,7 @@
     int flags,
     const char *note)
 {
-    return comm_openex(sock_type, proto, addr, port, flags, 0, note);
+    return comm_openex(sock_type, proto, addr, port, flags, 0, note,0);
 }
@@ -175,7 +175,8 @@
     u_short port,
     int flags,
     unsigned char TOS,
-    const char *note)
+    const char *note,
+    struct in_addr* tproxy)
 {
     int new_socket;
     int tos = 0;
@@ -209,6 +210,16 @@
         debug(5, 0) ("comm_open: setsockopt(IP_TOS) not supported on this platform\n");
 #endif
     }
+    {
+    #define IP_FREEBIND 15
+    int x=1;
+    if (setsockopt(new_socket, SOL_IP, IP_FREEBIND, &x, sizeof(x)) == -1) {
+        debug(20, 1) ("tproxy ip ,port ERROR ASSIGN\n");
+    } else if (tproxy){
+        addr.s_addr = tproxy->s_addr;
+        port=0;
+    }
+    }
     /* update fdstat */
     debug(5, 5) ("comm_open: FD %d is a new socket\n", new_socket);
     fd_open(new_socket, FD_SOCKET, note);
diff -ru squid-2.6.STABLE16/src/forward.c squid-2.6.STABLE16.tproxy-freebind/src/forward.c
--- squid-2.6.STABLE16/src/forward.c 2007-09-06 00:28:34.000000000 +0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/forward.c 2007-12-18 14:17:42.000000000 +0200
@@ -27,7 +27,7 @@
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
  * GNU General Public License for more details.
  *
- * You should have received a copy of the GNU General Public License
+ * You should have received a copy of theF GNU General Public License
  * along with this program; if not, write to the Free Software
  * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
  *
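Review bot: In the comm.c hunk at @@ -209,6 +210,16 @@, IP_FREEBIND is set on every socket comm_openex creates, not only when `tproxy` is non-NULL, and the `#define IP_FREEBIND 15` sits inside the function body with no platform guard, so on a build without `SOL_IP` this no longer compiles, whereas the block it replaces in forward.c was under `#if LINUX_TPROXY`. The failure message `"tproxy ip ,port ERROR ASSIGN\n"` is copied from the old IP_TPROXY path and names neither the option nor errno, and a failed setsockopt silently falls back to the original `addr`/`port` — presumably intended, since the removed forward.c block documented exactly that fallback, but no longer stated anywhere. I would move the define to file scope under `#ifndef IP_FREEBIND`, limit the block to the tproxy case under `#if LINUX_TPROXY`, and log the errno; the `struct in_addr* tproxy` parameter added in the signature hunk above should also get a comment saying that, when non-NULL, the address it points to replaces `addr` for the bind and forces `port` to 0. comm_openex continues outside the hunk, where addr/port are presumably consumed by the bind.
```c
#if LINUX_TPROXY
    /* tproxy: bind to the client's address instead of our own.  That
     * address is not local, hence IP_FREEBIND.  If the option cannot be
     * set we fall back to a normal bind with the caller's addr/port. */
    if (tproxy) {
        int on = 1;
        if (setsockopt(new_socket, SOL_IP, IP_FREEBIND, &on, sizeof(on)) == -1) {
            debug(20, 1) ("comm_openex: setsockopt(IP_FREEBIND) failed: %s\n", xstrerror());
        } else {
            addr.s_addr = tproxy->s_addr;
            port = 0;
        }
    }
#endif
    /* … unchanged: fdstat update, fd_open … */
```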
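Review bot: The forward.c hunk at @@ -27,7 +27,7 @@ changes only the license header, turning `the GNU General Public License` into `theF GNU General Public License`, which looks like a stray keystroke rather than an intended edit. It also makes the patch touch a region of the file that has nothing to do with the tproxy change. Drop this hunk so the header stays as it was.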
@@ -556,7 +556,8 @@
         0,
         COMM_NONBLOCKING,
         tos,
-        url);
+        url,
+        (fwdState->request->flags.tproxy && strcmp(host,"127.0.0.2"))?( &( fwdState->src.sin_addr)):0);
     if (fd < 0) {
         debug(50, 4) ("fwdConnectStart: %s\n", xstrerror());
         err = errorCon(ERR_SOCKET_FAILURE, HTTP_INTERNAL_SERVER_ERROR, fwdState->request);
@@ -587,32 +588,6 @@
     if (fs->peer) {
         hierarchyNote(&fwdState->request->hier, fs->code, fs->peer->name);
     } else {
-#if LINUX_TPROXY
-        if (fwdState->request->flags.tproxy) {
-
-            itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
-            itp.v.addr.fport = 0;
-
-            /* If these syscalls fail then we just fallback to connecting
-             * normally by simply ignoring the errors...
-             */
-            itp.op = TPROXY_ASSIGN;
-            if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
-                debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN \n",
-                    inet_ntoa(itp.v.addr.faddr),
-                    itp.v.addr.faddr.s_addr,
-                    itp.v.addr.fport);
-            } else {
-                itp.op = TPROXY_FLAGS;
-                itp.v.flags = ITP_CONNECT;
-                if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
-                    debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT \n",
-                        itp.v.addr.faddr.s_addr,
-                        itp.v.addr.fport);
-                }
-            }
-        }
-#endif
         hierarchyNote(&fwdState->request->hier, fs->code, fwdState->request->host);
     }
     commConnectStart(fd, host, port, fwdConnectDone, fwdState);
diff -ru squid-2.6.STABLE16/src/main.c squid-2.6.STABLE16.tproxy-freebind/src/main.c
--- squid-2.6.STABLE16/src/main.c 2007-08-31 16:52:10.000000000 +0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/main.c 2007-12-05 14:21:51.000000000 +0200
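Review bot: The new argument in the @@ -556,7 +556,8 @@ hunk hard-codes a site-specific address, `strcmp(host,"127.0.0.2")`, into the generic forwarding path and compares it against `host`, which is the destination name handed to commConnectStart below, so a request for the same server written as a hostname, or for any other local address such as 127.0.0.1, still goes out with the client's source address — presumably the behaviour the later "bug is in your condition" reply refers to. The exclusion belongs in configuration (an ACL or a squid.conf directive) rather than a literal, and the ternary is hard to read inside the argument list; I would compute it first, `struct in_addr *tproxy_src = NULL;` / `if (fwdState->request->flags.tproxy && strcmp(host, "127.0.0.2") != 0)` / `    tproxy_src = &fwdState->src.sin_addr;`, and pass `tproxy_src` as the last argument. fwdState->src is only read here and set outside the hunk, so whether it always holds the client's address for tproxy requests cannot be checked from this diff; fwdConnectStart starts outside the hunk.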
@@ -487,13 +487,13 @@
 #ifdef _SQUID_OS2_
     return;
 #endif
-    if (geteuid() == 0) {
+/*    if (geteuid() == 0) {
         debug(0, 0) ("Squid is not safe to run as root! If you must \n");
         debug(0, 0) ("start Squid as root, then you must configure\n");
         debug(0, 0) ("it to run as a non-priveledged user with the\n");
         debug(0, 0) ("'cache_effective_user' option in the config file.\n");
         fatal("Don't run Squid as root, set 'cache_effective_user'!");
-    }
+    }*/
 }
 static void
diff -ru squid-2.6.STABLE16/src/protos.h squid-2.6.STABLE16.tproxy-freebind/src/protos.h
--- squid-2.6.STABLE16/src/protos.h 2007-07-15 12:52:17.000000000 +0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/protos.h 2007-12-18 09:26:35.000000000 +0200
@@ -160,7 +160,7 @@
 extern void comm_init(void);
 extern int comm_listen(int sock);
 extern int comm_open(int, int, struct in_addr, u_short port, int, const char *note);
-extern int comm_openex(int, int, struct in_addr, u_short, int, unsigned char TOS, const char *);
+extern int comm_openex(int, int, struct in_addr, u_short, int, unsigned char TOS, const char *,struct in_addr* );
 extern u_short comm_local_port(int fd);
 extern void commDeferFD(int fd);
diff -ru squid-2.6.STABLE16/src/ssl.c squid-2.6.STABLE16.tproxy-freebind/src/ssl.c
--- squid-2.6.STABLE16/src/ssl.c 2007-02-03 23:53:38.000000000 +0200
+++ squid-2.6.STABLE16.tproxy-freebind/src/ssl.c 2007-12-18 09:27:04.000000000 +0200
@@ -524,7 +524,8 @@
         0,
         COMM_NONBLOCKING,
         getOutgoingTOS(request),
-        url);
+        url,
+        0);
     if (sock == COMM_ERROR) {
         debug(26, 4) ("sslStart: Failed because we're out of sockets.\n");
         err = errorCon(ERR_SOCKET_FAILURE, HTTP_INTERNAL_SERVER_ERROR, request);
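Review bot: Commenting out the `geteuid() == 0` check in the main.c hunk removes the guard that stops Squid from running with full root privileges for its whole lifetime, and it leaves the check behind `/* ... */` as dead code rather than as a deliberate change. If the FREEBIND bind in comm_openex is what is thought to need privilege, the supported route is to keep this check, start Squid as root with `cache_effective_user` set (which is what the message on these lines already tells the operator to do) and wrap the privileged call in the `enter_suid()`/`leave_suid()` pair Squid uses to regain root briefly, so the rest of the process stays unprivileged. If there is a reason the check must go, replace the comment-out with an actual removal and say why in the patch description.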
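Review bot: In the ssl.c hunk, passing a literal `0` as the new `tproxy` argument means CONNECT tunnels opened from sslStart never use the client's source address even when `request->flags.tproxy` is set, while fwdConnectStart in forward.c does; if that asymmetry is intended it deserves a comment, e.g. `NULL /* tproxy source not applied to CONNECT tunnels */`, and if not, the same source-address selection as forward.c belongs here. Writing `NULL` instead of `0` also makes it obvious in this argument list that a pointer is being passed. sslStart continues outside the hunk.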
-- Andrey Luzgin <andrey@icomsw.com> I-com software
-- Andrey Luzgin <andrey@icomsw.com> I-com software
(fwdState->request->flags.tproxy && strcmp(host,"127.0.0.2"))?( &( fwdState->src.sin_addr)):0); This is because we use a local Apache on host 127.0.0.2 for our rewriting-script needs. By the way, if Apache runs on localhost at address 127.0.0.1, ALL HTTP requests get redirected to it. Is this a bug in tproxy?
-- Andrey Luzgin <andrey@icomsw.com> I-com software
-- Andrey Luzgin <andrey@icomsw.com> I-com software
On Dec 20 2007 21:19, Andrey Luzgin wrote:
(fwdState->request->flags.tproxy && strcmp(host,"127.0.0.2"))?( &( fwdState->src.sin_addr)):0); This is because our use local Apache in host 127.0.0.2 for rewriting script needs.
By the way, if Apache runs on localhost in address 127.0.0.1 ALL http requests redirects to it. He is bug in tproxy ?
The bug is in your condition.