Index: configure.in
===================================================================
RCS file: /cvsroot/squid/squid/configure.in,v
retrieving revision 1.435
diff -u -u -r1.435 configure.in
--- configure.in	17 Feb 2008 09:39:01 -0000	1.435
+++ configure.in	8 Apr 2008 05:55:37 -0000
@@ -1021,6 +1021,7 @@
   fi
 ])
 
+
 dnl Enable Large file support
 buildmodel=""
 needlargefiles=
@@ -2472,6 +2473,22 @@
 AM_CONDITIONAL([USE_KQUEUE], [test $SELECT_TYPE = kqueue])
 AM_CONDITIONAL([USE_DEVPOLL], [test $SELECT_TYPE = devpoll])
 
+dnl Enable Server-side IPT module selection
+IPT_TYPE="null"
+AC_ARG_ENABLE(ipt,
+[  --enable-ipt="type"
+			  Enable server-side IP transparency.
+			  The options are tproxy2, tproxy4, freebsd, or null (none).],
+[ IPT_TYPE=$enableval ]
+[ if test -z "$IPT_TYPE"; then
+    IPT_TYPE="null"
+  fi
+])
+echo "IPT: Using ${IPT_TYPE} for the server-side IP transparency"
+AM_CONDITIONAL([USE_IPT_TPROXY2], [test $IPT_TYPE = tproxy2])
+AM_CONDITIONAL([USE_IPT_TPROXY4], [test $IPT_TYPE = tproxy4])
+AM_CONDITIONAL([USE_IPT_FREEBSD], [test $IPT_TYPE = freebsd])
+AM_CONDITIONAL([USE_IPT_NULL], [test $IPT_TYPE = null])
 
 dnl Hmm.. some OS:es (i.e. FreeBSD) can't handle large AF_UNIX dgram packets.
 dnl Verify that at least 16K is supported, if not fall back on using
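Review bot: Unrecognised values of --enable-ipt are accepted silently: `IPT_TYPE=$enableval` keeps whatever was typed (including `no` from --disable-ipt), none of the four AM_CONDITIONALs then matches, and the build only fails later with an unresolved commTransparentRemote rather than at configure time. A `case "$IPT_TYPE" in tproxy2|tproxy4|freebsd|null) ;; no) IPT_TYPE=null ;; *) AC_MSG_ERROR([unknown --enable-ipt type: $IPT_TYPE]) ;; esac` placed before the echo would report the mistake where it is made. Nothing here checks that the headers the tproxy2 backend includes are present, so that failure too surfaces only at compile time. The selection is exported solely as automake conditionals, not as a C define, so no C source can tell which backend was chosen.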
Index: src/Makefile.am
===================================================================
RCS file: /cvsroot/squid/squid/src/Makefile.am,v
retrieving revision 1.68
diff -u -u -r1.68 Makefile.am
--- src/Makefile.am	27 Dec 2007 15:36:30 -0000	1.68
+++ src/Makefile.am	8 Apr 2008 05:55:46 -0000
@@ -93,6 +93,18 @@
 if USE_DEVPOLL
 COMMLOOP_SOURCE = comm_devpoll.c
 endif
+if USE_IPT_TPROXY2
+IPT_SOURCE = ipt_tproxy2.c
+endif
+if USE_IPT_TPROXY4
+IPT_SOURCE = ipt_tproxy2.c
+endif
+if USE_IPT_FREEBSD
+IPT_SOURCE = ipt_freebsd.c
+endif
+if USE_IPT_NULL
+IPT_SOURCE = ipt_null.c
+endif
 
 SUBDIRS		= fs repl auth
 
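Review bot: The USE_IPT_TPROXY4 branch sets `IPT_SOURCE = ipt_tproxy2.c`, so selecting tproxy4 builds the tproxy2 backend; this looks like a copy-and-paste slip and should presumably read `IPT_SOURCE = ipt_tproxy4.c`. Neither ipt_tproxy4.c nor ipt_freebsd.c is added by this patch, so the tproxy4 and freebsd selections cannot link even after that fix; if they are placeholders, a comment saying so in this block would save the next reader the search. When IPT_TYPE matches none of the four conditionals IPT_SOURCE stays empty and commTransparentRemote is unresolved at link time, which is a further reason to validate the value in configure.in.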
@@ -160,6 +172,7 @@
 	client_side_storeurl_rewrite.c \
 	comm.c \
 	$(COMMLOOP_SOURCE) \
+	$(IPT_SOURCE) \
 	debug.c \
 	defines.h \
 	$(DELAY_POOL_SOURCE) \
Index: src/cache_cf.c
===================================================================
RCS file: /cvsroot/squid/squid/src/cache_cf.c,v
retrieving revision 1.491
diff -u -u -r1.491 cache_cf.c
--- src/cache_cf.c	2 Apr 2008 03:25:38 -0000	1.491
+++ src/cache_cf.c	8 Apr 2008 05:55:48 -0000
@@ -2956,11 +2956,8 @@
 	s->urlgroup = xstrdup(token + 9);
     } else if (strncmp(token, "protocol=", 9) == 0) {
 	s->protocol = xstrdup(token + 9);
-#if LINUX_TPROXY
     } else if (strcmp(token, "tproxy") == 0) {
 	s->tproxy = 1;
-	need_linux_tproxy = 1;
-#endif
     } else if (strcmp(token, "act-as-origin") == 0) {
 	s->act_as_origin = 1;
 	s->accel = 1;
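Review bot: With the `#if LINUX_TPROXY` guard gone, `tproxy` is accepted on every http_port in every build, including the null backend whose commTransparentRemote always returns 0, so an administrator who configures transparency on a build without it gets no diagnostic and traffic is forwarded from the proxy's own address. Before this change the option was a parse error on such builds. A warning at parse time would preserve that signal, but the patch only exports the backend choice as automake conditionals, so the C code would first need something like an AC_DEFINE of the selected backend (or a runtime probe) to test here. The matching hunk in the dump function below needs nothing further.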
@@ -3066,10 +3063,8 @@
 	storeAppendPrintf(e, " protocol=%s", s->protocol);
     if (s->no_connection_auth)
 	storeAppendPrintf(e, " no-connection-auth");
-#if LINUX_TPROXY
     if (s->tproxy)
 	storeAppendPrintf(e, " tproxy");
-#endif
     if (s->http11)
 	storeAppendPrintf(e, " http11");
     if (s->tcp_keepalive.enabled) {
Index: src/client_side.c
===================================================================
RCS file: /cvsroot/squid/squid/src/client_side.c,v
retrieving revision 1.763
diff -u -u -r1.763 client_side.c
--- src/client_side.c	7 Apr 2008 07:50:37 -0000	1.763
+++ src/client_side.c	8 Apr 2008 05:55:55 -0000
@@ -4014,9 +4014,7 @@
 	}
 	if (conn->port->urlgroup)
 	    request->urlgroup = xstrdup(conn->port->urlgroup);
-#if LINUX_TPROXY
-	request->flags.tproxy = conn->port->tproxy && need_linux_tproxy;
-#endif
+	request->flags.tproxy = conn->port->tproxy;
 	request->flags.accelerated = http->flags.accel;
 	request->flags.no_direct = request->flags.accelerated ? !conn->port->allow_direct : 0;
 	request->flags.transparent = http->flags.transparent;
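Review bot: Dropping `need_linux_tproxy` from `request->flags.tproxy = conn->port->tproxy;` removes the only runtime kill-switch: the tools.c hunk used to clear that flag when PR_SET_KEEPCAPS failed, so requests silently fell back to normal forwarding. Now every request on a tproxy port still attempts the setsockopt calls in ipt_tproxy2.c, which fail and log at debug level 1 for each connection on a host where the capability was never retained. A module-level flag (e.g. a constructed `int ipt_available = 1;`) cleared by the tools.c hunk and tested here, `request->flags.tproxy = conn->port->tproxy && ipt_available;`, would restore the previous behaviour for the new backends; the tools.c hunk is the other half of this issue. The enclosing function starts and ends outside the hunk.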
Index: src/forward.c
===================================================================
RCS file: /cvsroot/squid/squid/src/forward.c,v
retrieving revision 1.132
diff -u -u -r1.132 forward.c
--- src/forward.c	12 Feb 2008 13:11:46 -0000	1.132
+++ src/forward.c	8 Apr 2008 05:55:57 -0000
@@ -39,9 +39,6 @@
 #if LINUX_NETFILTER
 #include <linux/netfilter_ipv4.h>
 #endif
-#if LINUX_TPROXY
-#include <linux/netfilter_ipv4/ip_tproxy.h>
-#endif
 
 static PSC fwdStartComplete;
 static void fwdDispatch(FwdState *);
@@ -531,9 +528,6 @@
     int ftimeout = Config.Timeout.forward - (squid_curtime - fwdState->start);
     struct in_addr outgoing;
     unsigned short tos;
-#if LINUX_TPROXY
-    struct in_tproxy itp;
-#endif
     int idle = -1;
 
     assert(fs);
@@ -584,10 +578,8 @@
 	fwdConnectStart(fwdState);
 	return;
     }
-#if LINUX_TPROXY
     if (fd == -1 && fwdState->request->flags.tproxy)
 	fd = pconnPop(name, port, domain, &fwdState->request->client_addr, 0, NULL);
-#endif
     if (fd == -1) {
 	fd = pconnPop(name, port, domain, NULL, 0, &idle);
     }
@@ -678,32 +670,8 @@
     if (fs->peer) {
 	hierarchyNote(&fwdState->request->hier, fs->code, fs->peer->name);
     } else {
-#if LINUX_TPROXY
-	if (fwdState->request->flags.tproxy) {
-
-	    itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
-	    itp.v.addr.fport = 0;
-
-	    /* If these syscalls fail then we just fallback to connecting
-	     * normally by simply ignoring the errors...
-	     */
-	    itp.op = TPROXY_ASSIGN;
-	    if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
-		debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
-		    inet_ntoa(itp.v.addr.faddr),
-		    itp.v.addr.faddr.s_addr,
-		    itp.v.addr.fport);
-	    } else {
-		itp.op = TPROXY_FLAGS;
-		itp.v.flags = ITP_CONNECT;
-		if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
-		    debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT\n",
-			itp.v.addr.faddr.s_addr,
-			itp.v.addr.fport);
-		}
-	    }
-	}
-#endif
+	if (fwdState->request->flags.tproxy)
+	    (void) commTransparentRemote(fd, fwdState->src.sin_addr, 0);
 	hierarchyNote(&fwdState->request->hier, fs->code, fwdState->request->host);
     }
 
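Review bot: `(void) commTransparentRemote(fd, fwdState->src.sin_addr, 0);` discards the only indication that the socket could not be bound to the client address, so the connection proceeds from the proxy's own address with nothing recorded at the call site; the removed inline code at least logged the failing setsockopt here, and the null backend, which returns 0 unconditionally, logs nothing at all. Testing the result, `if (!commTransparentRemote(fd, fwdState->src.sin_addr, 0)) debug(20, 1) ("FD %d: transparent source address not set, connecting from proxy address\n", fd);`, keeps the fallback but makes it visible in cache.log. The hard-coded port 0 matches the old `itp.v.addr.fport = 0`, so that part is behaviour-preserving. The enclosing function starts and ends outside the hunk.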
@@ -965,13 +933,11 @@
     fwdState->start = squid_curtime;
     fwdState->orig_entry_flags = e->flags;
 
-#if LINUX_TPROXY
     /* If we need to transparently proxy the request
      * then we need the client source address and port */
     fwdState->src.sin_family = AF_INET;
     fwdState->src.sin_addr = r->client_addr;
     fwdState->src.sin_port = r->client_port;
-#endif
 
     storeLockObject(e);
     if (!fwdState->request->flags.pinned)
Index: src/globals.h
===================================================================
RCS file: /cvsroot/squid/squid/src/globals.h,v
retrieving revision 1.127
diff -u -u -r1.127 globals.h
--- src/globals.h	26 Feb 2008 04:03:41 -0000	1.127
+++ src/globals.h	8 Apr 2008 05:55:57 -0000
@@ -175,9 +175,6 @@
 #endif
 extern int opt_send_signal;	/* -1 */
 extern int opt_no_daemon;	/* 0 */
-#if LINUX_TPROXY
-extern int need_linux_tproxy;	/* 0 */
-#endif
 extern int opt_parse_cfg_only;	/* 0 */
 extern int n_coss_dirs;		/* 0 */
 #ifdef LOG_LOCAL4
Index: src/http.c
===================================================================
RCS file: /cvsroot/squid/squid/src/http.c,v
retrieving revision 1.440
diff -u -u -r1.440 http.c
--- src/http.c	28 Mar 2008 20:18:56 -0000	1.440
+++ src/http.c	8 Apr 2008 05:55:57 -0000
@@ -793,11 +793,9 @@
 	keep_alive = 0;
     if (keep_alive) {
 	int pinned = 0;
-#if LINUX_TPROXY
 	if (orig_request->flags.tproxy) {
 	    client_addr = &httpState->request->client_addr;
 	}
-#endif
 	/* yes we have to clear all these! */
 	commSetDefer(fd, NULL, NULL);
 	commSetTimeout(fd, -1, NULL, NULL);
Index: src/ipt_null.c
===================================================================
RCS file: src/ipt_null.c
diff -N src/ipt_null.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ src/ipt_null.c	8 Apr 2008 05:55:59 -0000
@@ -0,0 +1,8 @@
+
+#include "squid.h"
+
+int
+commTransparentRemote(int fd, struct in_addr addr, u_short port)
+{
+	return 0;
+}
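Review bot: The stub leaves all three parameters unused and says nothing about what its return value means; a reader has to open ipt_tproxy2.c to learn that 0 signals the socket was not made transparent. A header comment such as `/* No-IPT backend: never rebinds the socket, so always reports failure (0); callers fall back to a normal connect. */` plus `(void) fd; (void) addr; (void) port;` in the body would document the contract and keep -Wunused-parameter quiet. The body is indented with a tab while the other new file mixes tabs and eight-space runs; the surrounding src/ context lines in this patch appear to use tabs, so that is the convention to follow.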
Index: src/ipt_tproxy2.c
===================================================================
RCS file: src/ipt_tproxy2.c
diff -N src/ipt_tproxy2.c
--- /dev/null	1 Jan 1970 00:00:00 -0000
+++ src/ipt_tproxy2.c	8 Apr 2008 05:55:59 -0000
@@ -0,0 +1,34 @@
+
+#include "squid.h"
+#include <linux/netfilter_ipv4.h>
+#include <linux/netfilter_ipv4/ip_tproxy.h>
+
+int
+commTransparentRemote(int fd, struct in_addr addr, u_short port)
+{
+	struct in_tproxy itp;
+
+        itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
+        itp.v.addr.fport = 0;
+        
+        /* If these syscalls fail then we just fallback to connecting
+         * normally by simply ignoring the errors...
+         */
+        itp.op = TPROXY_ASSIGN;
+        if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
+            debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
+               inet_ntoa(itp.v.addr.faddr),
+               itp.v.addr.faddr.s_addr,
+               itp.v.addr.fport);
+	    return 0;
+        }
+        itp.op = TPROXY_FLAGS;
+        itp.v.flags = ITP_CONNECT;
+        if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
+           debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT\n",
+               itp.v.addr.faddr.s_addr,
+               itp.v.addr.fport);
+           return 0;
+        }
+	return 1;
+}
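Review bot: `itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;` refers to `fwdState`, which is neither a parameter of commTransparentRemote nor declared in this file, so a tproxy2 build cannot compile; the line copied from forward.c should use the argument, `itp.v.addr.faddr.s_addr = addr.s_addr;`. The `port` parameter is likewise never read and `itp.v.addr.fport` stays hard-coded to 0 as in the old forward.c code; either use the argument (after checking whether ip_tproxy.h expects host or network byte order for fport) or drop the parameter from the interface before further backends copy it. Both error paths log at debug level 1 on every failed connection, which with the runtime gate removed in client_side.c can flood cache.log on a host not started with the needed capability. Indentation mixes tabs and eight-space runs within one function.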
Index: src/protos.h
===================================================================
RCS file: /cvsroot/squid/squid/src/protos.h,v
retrieving revision 1.556
diff -u -u -r1.556 protos.h
--- src/protos.h	2 Apr 2008 03:25:38 -0000	1.556
+++ src/protos.h	8 Apr 2008 05:55:59 -0000
@@ -1499,5 +1499,9 @@
 extern void clientStoreURLRewriteStart(clientHttpRequest * http);
 extern void clientStoreURLRewriteDone(void *data, char *result);
 
+/* Transparent interception related stuff - src/ipt*.c */
+extern int commTransparentRemote(int fd, struct in_addr addr, u_short port);
 
 #endif /* SQUID_PROTOS_H */
+
+
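Review bot: The new prototype gives no hint what commTransparentRemote returns, and the two backends in this patch differ: ipt_tproxy2.c returns 1 only after both setsockopt calls succeed and 0 otherwise, ipt_null.c always returns 0, and forward.c casts the result to void. A comment on the declaration, e.g. `/* Bind fd's outgoing address to addr:port for transparent interception. Returns non-zero on success, 0 when the backend cannot or did not do so; callers connect from the proxy's own address in that case. */`, pins the contract for future backends. The hunk also adds two blank lines after `#endif /* SQUID_PROTOS_H */`, which should be dropped.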
Index: src/structs.h
===================================================================
RCS file: /cvsroot/squid/squid/src/structs.h,v
retrieving revision 1.550
diff -u -u -r1.550 structs.h
--- src/structs.h	7 Apr 2008 07:50:37 -0000	1.550
+++ src/structs.h	8 Apr 2008 05:56:02 -0000
@@ -379,9 +379,7 @@
     unsigned int vport;		/* virtual port support */
     unsigned int no_connection_auth;	/* Don't support connection oriented auth */
     unsigned int http11;	/* HTTP/1.1 support */
-#if LINUX_TPROXY
     unsigned int tproxy;
-#endif
     unsigned int act_as_origin;	/* Fake Date: headers in accelerator mode */
     unsigned int allow_direct:1;	/* Allow direct forwarding in accelerator mode */
     struct {
@@ -1888,9 +1886,7 @@
     unsigned int no_connection_auth:1;	/* Connection oriented auth can not be supported */
     unsigned int pinned:1;	/* Request seont on a pinned connection */
     unsigned int auth_sent:1;	/* Authentication forwarded */
-#if LINUX_TPROXY
     unsigned int tproxy:1;
-#endif
     unsigned int collapsed:1;	/* This request was collapsed. Don't trust the store entry to be valid */
     unsigned int cache_validation:1;	/* This request is an internal cache validation */
     unsigned int no_direct:1;	/* Deny direct forwarding unless overriden by always_direct. Used in accelerator mode */
@@ -2319,9 +2315,7 @@
 	unsigned int dont_retry:1;
 	unsigned int ftp_pasv_failed:1;
     } flags;
-#if LINUX_NETFILTER
     struct sockaddr_in src;
-#endif
     u_short orig_entry_flags;	/* Hack to be able to reset the entry proper */
 };
 
Index: src/tools.c
===================================================================
RCS file: /cvsroot/squid/squid/src/tools.c,v
retrieving revision 1.262
diff -u -u -r1.262 tools.c
--- src/tools.c	22 Jan 2008 15:20:38 -0000	1.262
+++ src/tools.c	8 Apr 2008 05:56:03 -0000
@@ -1345,11 +1345,7 @@
 #if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && HAVE_SYS_CAPABILITY_H
     if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
 	/* Silent failure unless TPROXY is required. Maybe not started as root */
-#if LINUX_TPROXY
-	if (need_linux_tproxy)
-	    debug(1, 1) ("Error - tproxy support requires capability setting which has failed.  Continuing without tproxy support\n");
-	need_linux_tproxy = 0;
-#endif
+	debug(1, 1) ("Error - Linux tproxy support requires capability setting which has failed.  Continuing without tproxy support\n");
     }
 #endif
 }
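Review bot: The replacement `debug(1, 1)` now fires whenever prctl(PR_SET_KEEPCAPS) fails, regardless of whether any http_port uses tproxy or whether the tproxy2 backend was even selected, so non-tproxy installations that are not started as root will see a misleading tproxy error at every start. The old code only reported this when a tproxy port had been parsed and otherwise stayed silent, as the surviving comment on the line above still says. Keeping the message conditional on a flag that cache_cf.c sets when it parses a tproxy port, and clearing that flag here so later connection attempts skip the doomed setsockopt calls, would preserve both the diagnostic and the fallback. The enclosing function starts outside the hunk.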

