Re: [PATCH]: Linux Transparent Proxy

From: Henrik Nordstrom <hno@dont-contact.us>
Date: 10 Mar 2003 17:59:00 +0100

Mon 2003-03-10 at 16:44, Gianni Tedesco wrote:
> Hi,
>
> Here is the second cut of the linux tproxy patch aiming for inclusion
> with squid-2.5 branch. The diff is versus squid-2.5.STABLE1. Comments
> are most welcome :)

Thanks.

Note: As discussed before, Squid-2.5 is in its STABLE release cycle and
patches like this cannot get included there.

A patch to HEAD has significantly higher chances of getting merged.

> 1. Server persistent connections are mutually exclusive with this patch.
> This is because squid will use any connection to server X, but that
> pre-existing connection may be spoofed from a different user's IP.
> 2. You must supply a tcp_outgoing_address in your squid.conf, this is
> because of some deep magic in the Linux TCP/IP stack. If anyone would
> like me to explain the reasons more thoroughly just ask.

This is deep magic in the TPROXY extension of the Linux TCP/IP stack I
suppose?

> 3. Squid must run as root in order to do the connection spoofing bits.

This should be solved by process capabilities in the long run..

> 4. I have not tested the autoconf stuff because both my debian and rh8
> automakes and autoconfs (of varying versions) all failed for one
> reason or another.

RedHat 8 has the autoconf and automake packages needed in the
distribution, but you may need to select to install the older versions
used by Squid-2.5 manually.

> Anyone got any advice on what auto(conf|make) versions I should be
> using? Would you accept patches to make it work on my version (if they
> are correct of course)?

I am using the following RedHat packages:
autoconf-2.57-2
automake-1.6.3-3

autoconf213-2.13-5
automake15-1.5-5

The first two are used by HEAD, the last two older packages by Squid-2.5.

The automake15 package is manually patched with the optimization from
http://devel.squid-cache.org/amake/ but this is not strictly required
(src/Makefile.in will be huge if you don't).

> TODO:
> o Fix server pconns.
> o Port all changes to cvs HEAD branch.

Required for merging.

> o Attempt to fix connect(2) problem in kernel which requires bind(2) to
> local address.

> o Fix kernel space code so squid doesn't need to run as root.

As a first step CAP_NETADMIN should be used.

> o TPROXY as it is breaks end-to-end requirement of the internet, need
> to develop a better API for controlling these features from
> userspace.

TPROXY falls in the same pit of evilness as interception when it comes
to TCP/IP. Both break the end-to-end criteria of IP networking. Both
require the network to be properly constructed to deal with the
breakage, it is only that TPROXY (and other "spoof as client") makes the
question much more visible.

-- 
Henrik Nordstrom <hno@squid-cache.org>
MARA Systems AB, Sweden
Received on Mon Mar 10 2003 - 09:59:08 MST
