[tproxy] tproxy4, kernel 2.6.22, squid-2.6.stable16 and our patch with IP_FREEBIND
Andrey Luzgin
andrey at icomsw.com
Thu Dec 20 20:10:47 CET 2007
:-O I'm so sorry!!!! I got the direction of the diff wrong!
Please consider my previous post cancelled.
This is the right patch:
diff -ru squid-2.6.STABLE16/src/comm.c
squid-2.6.STABLE16.tproxy-freebind/src/comm.c
--- squid-2.6.STABLE16/src/comm.c 2007-04-17 12:39:56.000000000
+0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/comm.c 2007-12-18
09:31:55.000000000 +0200
@@ -162,7 +162,7 @@
int flags,
const char *note)
{
- return comm_openex(sock_type, proto, addr, port, flags, 0, note);
+ return comm_openex(sock_type, proto, addr, port, flags, 0, note,0);
}
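Review bot: The new trailing argument on the `comm_openex` call is the integer literal `0` where the parameter is a `struct in_addr *`; it is a valid null pointer constant, but `NULL` states the intent and keeps the call readable as "no tproxy address": `return comm_openex(sock_type, proto, addr, port, flags, 0, note, NULL);`. The same bare `0` is passed in the ssl.c hunk (`url, 0);`) and as the false arm of the conditional in the forward.c call. The comm_open definition starts outside this hunk.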
@@ -175,7 +175,8 @@
u_short port,
int flags,
unsigned char TOS,
- const char *note)
+ const char *note,
+ struct in_addr* tproxy)
{
int new_socket;
int tos = 0;
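Review bot: The new `tproxy` parameter is only read through (`tproxy->s_addr` in the later comm.c hunk), so it should be declared `const struct in_addr *tproxy` here and in the protos.h declaration, which additionally drops the parameter name (`struct in_addr* );`) that every other prototype in that list carries. The contract of the argument is also undocumented; a short comment above the definition along the lines of `/* tproxy: if non-NULL, the socket is bound to this (possibly non-local) address with an ephemeral port instead of addr/port */` would tell callers what passing it does. The body of comm_openex continues outside this hunk.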
@@ -209,6 +210,16 @@
debug(5, 0) ("comm_open: setsockopt(IP_TOS) not supported on
this platform\n");
#endif
}
+ {
+ #define IP_FREEBIND 15
+ int x=1;
+ if (setsockopt(new_socket, SOL_IP, IP_FREEBIND, &x,
sizeof(x)) == -1) {
+ debug(20, 1) ("tproxy ip ,port ERROR ASSIGN\n");
+ } else if (tproxy){
+ addr.s_addr = tproxy->s_addr;
+ port=0;
+ }
+ }
/* update fdstat */
debug(5, 5) ("comm_open: FD %d is a new socket\n", new_socket);
fd_open(new_socket, FD_SOCKET, note);
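Review bot: The `setsockopt(IP_FREEBIND)` is issued on every socket that passes through comm_openex, including listening and non-tproxy outgoing sockets, because the `if (tproxy)` test only guards the address override and not the option itself; unless non-local listeners are also intended, the whole block should be conditional on `tproxy`. The `#define IP_FREEBIND 15` placed inside the function body is not protected by `#ifndef`, and neither it nor `SOL_IP` is wrapped in a platform conditional the way the IP_TOS code above it is, so this will not build cleanly outside Linux; move the definition to the include section as `#ifndef IP_FREEBIND` / `#define IP_FREEBIND 15` / `#endif` (or under the existing `LINUX_TPROXY` conditional). The failure message `tproxy ip ,port ERROR ASSIGN` carries no errno text, so `xstrerror()` should be included as the other debug calls in this patch do; note too that on failure a tproxy request silently falls back to the proxy's own source address, which matches the removed forward.c behaviour but is worth a comment. The bind that consumes the rewritten `addr`/`port` is presumably later in comm_openex, outside this hunk.
```c
    /* … unchanged: IP_TOS handling … */
    if (tproxy) {
        int on = 1;
        /* IP_FREEBIND lets the later bind() use the client's address even
         * though it is not configured on a local interface. */
        if (setsockopt(new_socket, SOL_IP, IP_FREEBIND, &on, sizeof(on)) == -1) {
            debug(20, 1) ("comm_openex: setsockopt(IP_FREEBIND): %s\n", xstrerror());
        } else {
            addr.s_addr = tproxy->s_addr;
            port = 0;
        }
    }
    /* … unchanged: fdstat update … */
```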
diff -ru squid-2.6.STABLE16/src/forward.c
squid-2.6.STABLE16.tproxy-freebind/src/forward.c
--- squid-2.6.STABLE16/src/forward.c 2007-09-06 00:28:34.000000000
+0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/forward.c 2007-12-18
14:17:42.000000000 +0200
@@ -27,7 +27,7 @@
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
- * You should have received a copy of the GNU General Public License
+ * You should have received a copy of theF GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111,
USA.
*
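Review bot: The only change in this hunk turns `the` into `theF` in the GPL header comment, which looks like an accidental keystroke rather than an intended edit; drop this hunk so the line stays `* You should have received a copy of the GNU General Public License`.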
@@ -556,7 +556,8 @@
0,
COMM_NONBLOCKING,
tos,
- url);
+ url,
+ (fwdState->request->flags.tproxy &&
strcmp(host,"127.0.0.2"))?( &( fwdState->src.sin_addr)):0);
if (fd < 0) {
debug(50, 4) ("fwdConnectStart: %s\n", xstrerror());
err = errorCon(ERR_SOCKET_FAILURE, HTTP_INTERNAL_SERVER_ERROR,
fwdState->request);
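Review bot: The literal `"127.0.0.2"` in the new conditional is an unexplained magic address; nothing in the patch says why a request to that host is exempt from source-address spoofing (presumably a local special-purpose listener, but that should be stated), so it deserves a named constant and a comment. Embedding a ternary with a `strcmp` and an address-of expression inside the argument list also hides the decision; hoisting it into a local before the call reads better and gives the comment a home: `struct in_addr *tproxy_src = NULL;` / `if (fwdState->request->flags.tproxy && strcmp(host, "127.0.0.2") != 0)` / `    tproxy_src = &fwdState->src.sin_addr;` and then pass `tproxy_src`. The enclosing fwdConnectStart starts outside this hunk.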
@@ -587,32 +588,6 @@
if (fs->peer) {
hierarchyNote(&fwdState->request->hier, fs->code,
fs->peer->name);
} else {
-#if LINUX_TPROXY
- if (fwdState->request->flags.tproxy) {
-
- itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
- itp.v.addr.fport = 0;
-
- /* If these syscalls fail then we just fallback to
connecting
- * normally by simply ignoring the errors...
- */
- itp.op = TPROXY_ASSIGN;
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) ==
-1) {
- debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN
\n",
- inet_ntoa(itp.v.addr.faddr),
- itp.v.addr.faddr.s_addr,
- itp.v.addr.fport);
- } else {
- itp.op = TPROXY_FLAGS;
- itp.v.flags = ITP_CONNECT;
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp))
== -1) {
- debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT
\n",
- itp.v.addr.faddr.s_addr,
- itp.v.addr.fport);
- }
- }
- }
-#endif
hierarchyNote(&fwdState->request->hier, fs->code,
fwdState->request->host);
}
commConnectStart(fd, host, port, fwdConnectDone, fwdState);
diff -ru squid-2.6.STABLE16/src/main.c
squid-2.6.STABLE16.tproxy-freebind/src/main.c
--- squid-2.6.STABLE16/src/main.c 2007-08-31 16:52:10.000000000
+0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/main.c 2007-12-05
14:21:51.000000000 +0200
@@ -487,13 +487,13 @@
#ifdef _SQUID_OS2_
return;
#endif
- if (geteuid() == 0) {
+/* if (geteuid() == 0) {
debug(0, 0) ("Squid is not safe to run as root! If you must
\n");
debug(0, 0) ("start Squid as root, then you must configure\n");
debug(0, 0) ("it to run as a non-priveledged user with the\n");
debug(0, 0) ("'cache_effective_user' option in the config
file.\n");
fatal("Don't run Squid as root, set 'cache_effective_user'!");
- }
+ }*/
}
static void
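Review bot: Commenting out the `geteuid() == 0` guard lets Squid keep running as uid 0 for its whole lifetime, which is a far broader change than the tproxy binding this patch is about and removes the `fatal()` that protects every deployment built from this tree. If the motivation is a privilege needed only to set up the transparent bind, the usual approach is to keep this check, run under `cache_effective_user` as the message instructs, and grant just that privilege to the process; the main.c hunk should at least not ship in the same patch as the socket change. If the check really must go, delete the lines rather than leaving them as a block comment, and put the reason in a comment beside the removal so the next reader does not assume it was a debugging leftover. The enclosing function starts outside this hunk.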
diff -ru squid-2.6.STABLE16/src/protos.h
squid-2.6.STABLE16.tproxy-freebind/src/protos.h
--- squid-2.6.STABLE16/src/protos.h 2007-07-15 12:52:17.000000000
+0300
+++ squid-2.6.STABLE16.tproxy-freebind/src/protos.h 2007-12-18
09:26:35.000000000 +0200
@@ -160,7 +160,7 @@
extern void comm_init(void);
extern int comm_listen(int sock);
extern int comm_open(int, int, struct in_addr, u_short port, int, const
char *note);
-extern int comm_openex(int, int, struct in_addr, u_short, int, unsigned
char TOS, const char *);
+extern int comm_openex(int, int, struct in_addr, u_short, int, unsigned
char TOS, const char *,struct in_addr* );
extern u_short comm_local_port(int fd);
extern void commDeferFD(int fd);
diff -ru squid-2.6.STABLE16/src/ssl.c
squid-2.6.STABLE16.tproxy-freebind/src/ssl.c
--- squid-2.6.STABLE16/src/ssl.c 2007-02-03 23:53:38.000000000
+0200
+++ squid-2.6.STABLE16.tproxy-freebind/src/ssl.c 2007-12-18
09:27:04.000000000 +0200
@@ -524,7 +524,8 @@
0,
COMM_NONBLOCKING,
getOutgoingTOS(request),
- url);
+ url,
+ 0);
if (sock == COMM_ERROR) {
debug(26, 4) ("sslStart: Failed because we're out of
sockets.\n");
err = errorCon(ERR_SOCKET_FAILURE, HTTP_INTERNAL_SERVER_ERROR,
request);
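Review bot: The CONNECT path always passes a null tproxy address here, so tunnelled connections leave from the proxy's own address even when `request->flags.tproxy` is set, whereas the forward.c hunk spoofs the client source for ordinary requests. If that asymmetry is deliberate, say so beside the argument, e.g. `NULL /* CONNECT tunnels are not source-spoofed */`; if not, this call needs the same conditional as forward.c. The enclosing sslStart starts outside this hunk.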
>
>
>
> --
> Andrey Luzgin <andrey at icomsw.com>
> I-com software
>
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
--
Andrey Luzgin <andrey at icomsw.com>
I-com software