[tproxy] Squid 3 TPROXY patch
Jan Engelhardt
jengelh at linux01.gwdg.de
Mon Aug 22 16:02:23 CEST 2005
Hi list,
for reference, I'll post my Squid3 patch here. Chunk 7 (@@ -1473,6) of comm.cc
is the 'most important' part.
diff -Pdpru squid-3.0-PRE3-20050524~/src/cf.data.pre squid-3.0-PRE3-20050524/src/cf.data.pre
--- squid-3.0-PRE3-20050524~/src/cf.data.pre 2005-08-14 17:00:06.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/cf.data.pre 2005-08-14 20:17:20.000000000 +0200
@@ -2800,6 +2800,16 @@ DOC_START
the correct result.
DOC_END
+NAME: tproxy
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.tproxy
+DOC_START
+ If you have Linux with iptables and TPROXY support, you can enable
+ this option to have SQUID make outgoing connections using the original
+ IP address of the client.
+DOC_END
+
NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
TYPE: acl_tos
DEFAULT: none
diff -Pdpru squid-3.0-PRE3-20050524~/src/comm.cc squid-3.0-PRE3-20050524/src/comm.cc
--- squid-3.0-PRE3-20050524~/src/comm.cc 2005-05-14 04:39:40.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/comm.cc 2005-08-14 20:46:02.000000000 +0200
@@ -41,6 +41,7 @@
#include "fde.h"
#include "CommIO.h"
#include "ConnectionDetail.h"
+#include "HttpRequest.h"
#if defined(_SQUID_CYGWIN_)
#include <sys/ioctl.h>
@@ -49,6 +50,7 @@
#include <netinet/tcp.h>
#endif
+#include "ip_tproxy.h"
class ConnectStateData
{
@@ -63,7 +65,7 @@ public:
char *host;
u_short port;
- struct sockaddr_in S;
+ struct sockaddr_in S, src_addr;
CallBack<CNCB> callback;
struct IN_ADDR in_addr;
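Review bot: The new `src_addr` member is only ever filled in by commConnectStart2; connections that still go through commConnectStart (its body starts after the next hunk, outside this one) leave it untouched, yet ConnectStateData::connect() now passes `&src_addr` to comm_connect_addr unconditionally (the @@ -1401 hunk). Unless the cbdata-backed `operator new` zero-fills the object, which I cannot confirm from these hunks, that path hands an indeterminate address to the tproxy branch, whose `sin_addr.s_addr != 0` test is then evaluated on garbage. Adding `memset(&cs->src_addr, 0, sizeof(cs->src_addr));` to commConnectStart (or an in-class/constructor initialisation of the member) keeps the non-tproxy path deterministic regardless of the allocator.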
@@ -1198,6 +1200,25 @@ ConnectStateData::operator delete (void
cbdataFree(address);
}
+void commConnectStart2(int fd, const char *host, u_short port, CNCB *callback,
+ FwdState *fs)
+{
+ ConnectStateData *cs;
+ cs = new ConnectStateData;
+ cs->fd = fd;
+ cs->host = xstrdup(host);
+ cs->port = port;
+ cs->callback = CallBack<CNCB>(callback, fs);
+ if(fs->request != NULL) {
+ cs->src_addr.sin_addr = fs->request->client_addr;
+ cs->src_addr.sin_port = fs->request->client_port;
+ } else {
+ memset(&cs->src_addr, 0, sizeof(cs->src_addr));
+ }
+ comm_add_close_handler(fd, commConnectFree, cs);
+ ipcache_nbgethostbyname(host, commConnectDnsHandle, cs);
+}
+
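Review bot: commConnectStart2 dereferences `fs` before checking anything, while the body then null-checks only `fs->request`; if a NULL FwdState is a possible input the check should cover it, and if it is not, the `else` branch is dead and the function may as well say so. In the populated branch `sin_family` and `sin_zero` are left unset because the memset lives only in the `else`; zeroing first and then filling the fields makes both paths well-defined. The function also repeats commConnectStart line for line (commConnectStart's own body begins after this hunk), so one of them should forward to the other. A looser coupling would pass the client `sockaddr_in` rather than a FwdState, sparing comm.cc the new dependency on HttpRequest.h and on FwdState internals; that is a larger change, so the excerpt below only fixes the initialisation order and the null check.
```cpp
void commConnectStart2(int fd, const char *host, u_short port, CNCB *callback,
                       FwdState *fs)
{
    // … unchanged: allocate cs, set fd/host/port/callback …
    /* zero first so sin_family/sin_zero are defined on both paths */
    memset(&cs->src_addr, 0, sizeof(cs->src_addr));
    if (fs != NULL && fs->request != NULL) {
        cs->src_addr.sin_family = AF_INET;
        cs->src_addr.sin_addr = fs->request->client_addr;
        cs->src_addr.sin_port = fs->request->client_port;
    }
    // … unchanged: comm_add_close_handler / ipcache_nbgethostbyname …
}
```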
void
commConnectStart(int fd, const char *host, u_short port, CNCB * callback, void *data)
{
@@ -1401,7 +1422,7 @@ ConnectStateData::connect()
if (S.sin_addr.s_addr == 0)
defaults();
- switch (comm_connect_addr(fd, &S)) {
+ switch (comm_connect_addr(fd, &S, &src_addr)) {
case COMM_INPROGRESS:
debug(5, 5) ("commConnectHandle: FD %d: COMM_INPROGRESS\n", fd);
@@ -1455,8 +1476,8 @@ commSetTimeout(int fd, int timeout, PF *
}
int
-
-comm_connect_addr(int sock, const struct sockaddr_in *address)
+comm_connect_addr(int sock, const struct sockaddr_in *address,
+ const struct sockaddr_in *src)
{
comm_err_t status = COMM_OK;
fde *F = &fd_table[sock];
@@ -1473,6 +1494,21 @@ comm_connect_addr(int sock, const struct
F->flags.called_connect = 1;
statCounter.syscalls.sock.connects++;
+ if(Config.onoff.tproxy && src != NULL && src->sin_addr.s_addr != 0 &&
+ (ntohl(src->sin_addr.s_addr) & 0xFF000000) != 0x7F000000) {
+ struct in_tproxy itp;
+ memset(&itp, 0, sizeof(itp));
+ itp.v.addr.faddr = src->sin_addr;
+ itp.v.addr.fport = src->sin_port;
+ itp.op = TPROXY_ASSIGN;
+ if((x = setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp))) == 0) {
+ memset(&itp, 0, sizeof(itp));
+ itp.v.flags = ITP_CONNECT;
+ itp.op = TPROXY_FLAGS;
+ setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
+ }
+ }
+
x = connect(sock, (struct sockaddr *) address, sizeof(*address));
if (x < 0)
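Review bot: Both setsockopt calls fail silently: when TPROXY_ASSIGN returns non-zero (no privilege, kernel built without TPROXY, address conflict) the code falls through to a plain connect() using Squid's own address, and the return value of the TPROXY_FLAGS call is discarded entirely, so an operator who enabled `tproxy` has no way to tell from the logs that source addresses are not actually being preserved. Each failure should at least be reported through the existing debug() channel with the errno text, e.g. `debug(5, 1) ("comm_connect_addr: FD %d: TPROXY_ASSIGN %s failed: %s\n", sock, inet_ntoa(src->sin_addr), xstrerror());`, and a separate local should hold the setsockopt result instead of reusing `x`, which connect() overwrites two lines later. The loopback exclusion on the `0xFF000000`/`0x7F000000` mask also deserves a one-line comment stating why 127/8 clients are never spoofed (presumably because the upstream could not route a reply to them). comm_connect_addr continues past the end of this hunk.
```cpp
        itp.op = TPROXY_ASSIGN;
        if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) != 0) {
            debug(5, 1) ("comm_connect_addr: FD %d: TPROXY_ASSIGN %s failed: %s\n",
                         sock, inet_ntoa(src->sin_addr), xstrerror());
        } else {
            /* … unchanged: memset, ITP_CONNECT / TPROXY_FLAGS setup … */
            if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) != 0)
                debug(5, 1) ("comm_connect_addr: FD %d: TPROXY_FLAGS failed: %s\n",
                             sock, xstrerror());
        }
```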
diff -Pdpru squid-3.0-PRE3-20050524~/src/forward.cc squid-3.0-PRE3-20050524/src/forward.cc
--- squid-3.0-PRE3-20050524~/src/forward.cc 2005-04-18 23:52:42.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/forward.cc 2005-08-14 20:01:25.000000000 +0200
@@ -663,7 +663,7 @@ fwdConnectStart(void *data)
fwdConnectTimeout,
fwdState);
- commConnectStart(fd, host, port, fwdConnectDone, fwdState);
+ commConnectStart2(fd, host, port, fwdConnectDone, fwdState);
}
static void
##diff -Pdpru squid-3.0-PRE3-20050524~/src/ip_tproxy.h squid-3.0-PRE3-20050524/src/ip_tproxy.h
##--- squid-3.0-PRE3-20050524~/src/ip_tproxy.h 1970-01-01 01:00:00.000000000 +0100
##+++ squid-3.0-PRE3-20050524/src/ip_tproxy.h 2005-08-14 20:01:25.000000000 +0200
##@@ -0,0 +1,78 @@
## Omitted, copy ip_tproxy.h here
diff -Pdpru squid-3.0-PRE3-20050524~/src/protos.h squid-3.0-PRE3-20050524/src/protos.h
--- squid-3.0-PRE3-20050524~/src/protos.h 2005-04-18 23:52:43.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/protos.h 2005-08-14 20:01:25.000000000 +0200
@@ -126,8 +126,9 @@ SQUIDCEXTERN void comm_reset_close(int f
SQUIDCEXTERN void comm_lingering_close(int fd);
#endif
SQUIDCEXTERN void commConnectStart(int fd, const char *, u_short, CNCB *, void *);
+SQUIDCEXTERN void commConnectStart2(int fd, const char *, u_short, CNCB *, FwdState *);
-SQUIDCEXTERN int comm_connect_addr(int sock, const struct sockaddr_in *);
+SQUIDCEXTERN int comm_connect_addr(int sock, const struct sockaddr_in *, const struct sockaddr_in * = NULL);
SQUIDCEXTERN void comm_init(void);
SQUIDCEXTERN int comm_open(int, int, struct IN_ADDR, u_short port, int, const char *note);
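Review bot: The new commConnectStart2 prototype names `FwdState`, and nothing in this hunk shows that the type is declared before line 126 of protos.h; if it is not already visible, a `class FwdState;` forward declaration near the top of the header is needed for the prototype to compile. The `= NULL` default on comm_connect_addr's third parameter correctly lives only in the declaration (the comm.cc definition carries none), but it is worth a short comment such as `/* src: client address to impersonate when tproxy is on; NULL = use Squid's own */` so readers of the header learn what the extra argument means without opening comm.cc.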
diff -Pdpru squid-3.0-PRE3-20050524~/src/structs.h squid-3.0-PRE3-20050524/src/structs.h
--- squid-3.0-PRE3-20050524~/src/structs.h 2005-05-05 17:44:45.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/structs.h 2005-08-14 20:17:53.000000000 +0200
@@ -580,6 +580,7 @@ struct _SquidConfig
int via;
int emailErrData;
int httpd_suppress_version_string;
+ int tproxy;
}
onoff;
## eof
Jan Engelhardt
--
| Alphagate Systems, http://alphagate.hopto.org/