[tproxy] Squid 3 TPROXY patch

Jan Engelhardt jengelh at linux01.gwdg.de
Mon Aug 22 16:02:23 CEST 2005


Hi list,


for reference, I'll post my Squid3 patch here. Chunk 7 (@@ -1473,6) of comm.cc
is the 'most important' part.


diff -Pdpru squid-3.0-PRE3-20050524~/src/cf.data.pre squid-3.0-PRE3-20050524/src/cf.data.pre
--- squid-3.0-PRE3-20050524~/src/cf.data.pre	2005-08-14 17:00:06.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/cf.data.pre	2005-08-14 20:17:20.000000000 +0200
@@ -2800,6 +2800,16 @@ DOC_START
 	the correct result.
 DOC_END
 
+NAME: tproxy
+TYPE: onoff
+DEFAULT: off
+LOC: Config.onoff.tproxy
+DOC_START
+	If you have Linux with iptables and TPROXY support, you can enable
+	this option to have SQUID make outgoing connections using the original
+        IP address of the client.
+DOC_END
+
 NAME: tcp_outgoing_tos tcp_outgoing_ds tcp_outgoing_dscp
 TYPE: acl_tos
 DEFAULT: none
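Review bot: The new `tproxy` option text says what Squid will do but not what the deployment must guarantee for it to work: once outgoing connections carry the client's address, replies from the origin only reach Squid if they are routed back through the proxy host, and the `0x7F000000` test in comm.cc means clients on 127.0.0.0/8 are never spoofed — neither fact is visible to an admin reading this block. Add a sentence along the lines of `Return traffic must be routed back through the Squid host (e.g. via iptables TPROXY / policy routing); connections from 127.0.0.0/8 are sent from Squid's own address.` It would also help to state that the option is only honoured on a kernel and build with the TPROXY patch, since the code path falls back silently otherwise. The third DOC line is indented with spaces where its neighbours use a tab.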
diff -Pdpru squid-3.0-PRE3-20050524~/src/comm.cc squid-3.0-PRE3-20050524/src/comm.cc
--- squid-3.0-PRE3-20050524~/src/comm.cc	2005-05-14 04:39:40.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/comm.cc	2005-08-14 20:46:02.000000000 +0200
@@ -41,6 +41,7 @@
 #include "fde.h"
 #include "CommIO.h"
 #include "ConnectionDetail.h"
+#include "HttpRequest.h"
 
 #if defined(_SQUID_CYGWIN_)
 #include <sys/ioctl.h>
@@ -49,6 +50,7 @@
 #include <netinet/tcp.h>
 #endif
 
+#include "ip_tproxy.h"
 
 class ConnectStateData
 {
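Review bot: `#include "ip_tproxy.h"` is added unconditionally, and the `struct in_tproxy` / `IP_TPROXY` / `TPROXY_ASSIGN` uses later in comm.cc are likewise unguarded, so a header that exists only on a Linux host with the tproxy patch becomes a hard build requirement on every platform Squid supports. Wrap the include and the setsockopt block in a configure-detected macro, e.g. `#if LINUX_TPROXY` … `#endif`, so that builds without the header still compile and the `tproxy` option is a no-op there (ideally with a startup warning, though that part is not in this patch). The `class ConnectStateData` opened on the hunk's last line continues outside it.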
@@ -63,7 +65,7 @@ public:
     char *host;
     u_short port;
 
-    struct sockaddr_in S;
+    struct sockaddr_in S, src_addr;
     CallBack<CNCB> callback;
 
     struct IN_ADDR in_addr;
@@ -1198,6 +1200,25 @@ ConnectStateData::operator delete (void 
     cbdataFree(address);
 }
 
+void commConnectStart2(int fd, const char *host, u_short port, CNCB *callback,
+ FwdState *fs)
+{
+    ConnectStateData *cs;
+    cs = new ConnectStateData;
+    cs->fd = fd;
+    cs->host = xstrdup(host);
+    cs->port = port;
+    cs->callback = CallBack<CNCB>(callback, fs);
+    if(fs->request != NULL) {
+        cs->src_addr.sin_addr = fs->request->client_addr;
+        cs->src_addr.sin_port = fs->request->client_port;
+    } else {
+        memset(&cs->src_addr, 0, sizeof(cs->src_addr));
+    }
+    comm_add_close_handler(fd, commConnectFree, cs);
+    ipcache_nbgethostbyname(host, commConnectDnsHandle, cs);
+}
+
 void
 commConnectStart(int fd, const char *host, u_short port, CNCB * callback, void *data)
 {
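Review bot: In commConnectStart2 the `fs->request != NULL` branch leaves `cs->src_addr` only partially initialised: sin_family and sin_zero are never written and the memset runs only in the else branch, while whether ConnectStateData's allocator zero-fills is not visible in this hunk. Clear the struct unconditionally before the branch and set the family, `memset(&cs->src_addr, 0, sizeof(cs->src_addr)); cs->src_addr.sin_family = AF_INET;`, then fill addr/port under the if. `fs` is dereferenced without a NULL check even though the generic commConnectStart it duplicates takes an opaque `void *data`; if every caller passes a live FwdState (forward.cc's fwdConnectStart is the only one in this patch) that is fine, but a guard is cheap and the duplication itself could be avoided by having commConnectStart delegate here with a NULL FwdState. A comment is also warranted that `client_port` is stored into sin_port unconverted and therefore must already be in network byte order — confirm against HttpRequest. commConnectStart's body begins on the hunk's last line and continues outside it.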
@@ -1401,7 +1422,7 @@ ConnectStateData::connect()
     if (S.sin_addr.s_addr == 0)
         defaults();
 
-    switch (comm_connect_addr(fd, &S)) {
+    switch (comm_connect_addr(fd, &S, &src_addr)) {
 
     case COMM_INPROGRESS:
         debug(5, 5) ("commConnectHandle: FD %d: COMM_INPROGRESS\n", fd);
@@ -1455,8 +1476,8 @@ commSetTimeout(int fd, int timeout, PF *
 }
 
 int
-
-comm_connect_addr(int sock, const struct sockaddr_in *address)
+comm_connect_addr(int sock, const struct sockaddr_in *address,
+ const struct sockaddr_in *src)
 {
     comm_err_t status = COMM_OK;
     fde *F = &fd_table[sock];
@@ -1473,6 +1494,21 @@ comm_connect_addr(int sock, const struct
         F->flags.called_connect = 1;
         statCounter.syscalls.sock.connects++;
 
+        if(Config.onoff.tproxy && src != NULL && src->sin_addr.s_addr != 0 &&
+         (ntohl(src->sin_addr.s_addr) & 0xFF000000) != 0x7F000000) {
+            struct in_tproxy itp;
+            memset(&itp, 0, sizeof(itp));
+            itp.v.addr.faddr = src->sin_addr;
+            itp.v.addr.fport = src->sin_port;
+            itp.op = TPROXY_ASSIGN;
+            if((x = setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp))) == 0) {
+                memset(&itp, 0, sizeof(itp));
+                itp.v.flags = ITP_CONNECT;
+                itp.op = TPROXY_FLAGS;
+                setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp));
+            }
+        }
+
         x = connect(sock, (struct sockaddr *) address, sizeof(*address));
 
         if (x < 0)
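Review bot: Both IP_TPROXY setsockopt calls fail silently: a TPROXY_ASSIGN error merely skips the TPROXY_FLAGS step, the TPROXY_FLAGS result is discarded outright, and connect() then proceeds with the proxy's own source address. With tproxy enabled that is a silent downgrade — the origin sees the proxy instead of the client, and a persistent cause such as a missing privilege or a kernel without the patch never surfaces in cache.log. The `x = setsockopt(...)` value is also overwritten by `x = connect(...)` on the next line, so that assignment serves no purpose. Log both failures with errno as below (xstrerror() is the helper Squid uses for this elsewhere — confirm it is in scope here); whether to fail the connect instead of falling back is a policy choice that deserves a comment either way. The 127/8 test is the only sanity check applied to the spoofed source, and the block enclosing these lines is opened before the hunk.
```cpp
            /* … unchanged: tproxy condition, itp zeroing and TPROXY_ASSIGN fill … */
            if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) != 0) {
                debug(5, 1) ("comm_connect_addr: FD %d: IP_TPROXY ASSIGN %s failed: %s\n",
                             sock, inet_ntoa(src->sin_addr), xstrerror());
            } else {
                memset(&itp, 0, sizeof(itp));
                itp.v.flags = ITP_CONNECT;
                itp.op = TPROXY_FLAGS;
                if (setsockopt(sock, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) != 0)
                    debug(5, 1) ("comm_connect_addr: FD %d: IP_TPROXY FLAGS failed: %s\n",
                                 sock, xstrerror());
            }
```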
diff -Pdpru squid-3.0-PRE3-20050524~/src/forward.cc squid-3.0-PRE3-20050524/src/forward.cc
--- squid-3.0-PRE3-20050524~/src/forward.cc	2005-04-18 23:52:42.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/forward.cc	2005-08-14 20:01:25.000000000 +0200
@@ -663,7 +663,7 @@ fwdConnectStart(void *data)
                    fwdConnectTimeout,
                    fwdState);
 
-    commConnectStart(fd, host, port, fwdConnectDone, fwdState);
+    commConnectStart2(fd, host, port, fwdConnectDone, fwdState);
 }
 
 static void
##diff -Pdpru squid-3.0-PRE3-20050524~/src/ip_tproxy.h squid-3.0-PRE3-20050524/src/ip_tproxy.h
##--- squid-3.0-PRE3-20050524~/src/ip_tproxy.h	1970-01-01 01:00:00.000000000 +0100
##+++ squid-3.0-PRE3-20050524/src/ip_tproxy.h	2005-08-14 20:01:25.000000000 +0200
##@@ -0,0 +1,78 @@
## Omitted, copy ip_tproxy.h here
diff -Pdpru squid-3.0-PRE3-20050524~/src/protos.h squid-3.0-PRE3-20050524/src/protos.h
--- squid-3.0-PRE3-20050524~/src/protos.h	2005-04-18 23:52:43.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/protos.h	2005-08-14 20:01:25.000000000 +0200
@@ -126,8 +126,9 @@ SQUIDCEXTERN void comm_reset_close(int f
 SQUIDCEXTERN void comm_lingering_close(int fd);
 #endif
 SQUIDCEXTERN void commConnectStart(int fd, const char *, u_short, CNCB *, void *);
+SQUIDCEXTERN void commConnectStart2(int fd, const char *, u_short, CNCB *, FwdState *);
 
-SQUIDCEXTERN int comm_connect_addr(int sock, const struct sockaddr_in *);
+SQUIDCEXTERN int comm_connect_addr(int sock, const struct sockaddr_in *, const struct sockaddr_in * = NULL);
 SQUIDCEXTERN void comm_init(void);
 
 SQUIDCEXTERN int comm_open(int, int, struct IN_ADDR, u_short port, int, const char *note);
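Review bot: The new comm_connect_addr prototype drops the parameter name (`const struct sockaddr_in * = NULL`) and hides the tproxy source behind a default, so every caller other than ConnectStateData::connect silently keeps the non-tproxy behaviour without that being visible at the call site. Name the parameter, `const struct sockaddr_in *src = NULL`, and put a one-line comment on the declaration saying that src is the client address to use as the outgoing source when `tproxy` is on, and that NULL or a zero address means the proxy's own address. Default arguments are C++-only; SQUIDCEXTERN suggests this header is meant to be C-callable, so confirm no C translation unit includes protos.h before relying on the default.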
diff -Pdpru squid-3.0-PRE3-20050524~/src/structs.h squid-3.0-PRE3-20050524/src/structs.h
--- squid-3.0-PRE3-20050524~/src/structs.h	2005-05-05 17:44:45.000000000 +0200
+++ squid-3.0-PRE3-20050524/src/structs.h	2005-08-14 20:17:53.000000000 +0200
@@ -580,6 +580,7 @@ struct _SquidConfig
         int via;
         int emailErrData;
         int httpd_suppress_version_string;
+        int tproxy;
     }
 
     onoff;
## eof


Jan Engelhardt
-- 
| Alphagate Systems, http://alphagate.hopto.org/

