linux transparent proxy status?

From: Lennert Buytenhek <buytenh@dont-contact.us>
Date: Fri, 25 Apr 2003 11:47:22 -0400

(please CC, I'm not on this list.)

Hi all,

I came across these emails in the squid-dev mailing list archive
concerning linux transparent proxy support in squid:

http://www.squid-cache.org/mail-archive/squid-dev/200303/0136.html
http://www.squid-cache.org/mail-archive/squid-dev/200303/0130.html

I must say that I didn't look any further at squid development or
the current codebase, so I'm talking out of ignorance here. But I
had three things on my mind when reading this.

- It is possible to automatically determine tcp_outgoing_address by
  doing an rtnetlink routing table lookup for the target IP address,
  and then using the 'src' RT attribute from the returned route.

  mara% /sbin/ip addr
  1: lo: <LOOPBACK,UP> mtu 16436 qdisc noqueue
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 brd 127.255.255.255 scope host lo
  2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast qlen 100
      link/ether 00:02:1e:f2:96:41 brd ff:ff:ff:ff:ff:ff
      inet 132.229.231.13/22 brd 132.229.231.255 scope global eth0
  mara% /sbin/ip route get 132.229.8.6
  132.229.8.6 via 132.229.231.1 dev eth0 src 132.229.231.13
      cache mtu 1500 advmss 1460

  I can provide sample code if needed.

- I wrote a patch against the linux kernel in november last year that
  lets one selectively accept/reject TCP connections. I've put a copy
  at the following address. The API seems fairly clean. The patch
  itself needs some bug hunting still, but the basic idea is sound, I
  think.

        http://www.math.leidenuniv.nl/~buytenh/marc_boucher_take_2

  (It's called Marc Boucher because Marc Boucher convinced me to code
  this up after Linux Kongress 2001 :)

- I would be interested in making it possible for squid to use something
  like an X-Forwarded-For: header to determine the source IP address to
  fake for a certain connection. I.e., to preserve a user's source IP
  address over multiple 'proxy hops' (of course using some kind of ACL
  mechanism for determining which proxy/proxies to 'trust' this
  X-Forwarded-For: header from).

Ideas?

cheers,
Lennert
Received on Fri Apr 25 2003 - 09:58:33 MDT
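The first point in the post, the rtnetlink lookup that yields the same 'src' the `ip route get` transcript shows, as an added example (not code from the post, from Squid or from the kernel patch mentioned): a small C program that sends RTM_GETROUTE for a destination and reads the RTA_PREFSRC attribute from the reply. It assumes a Linux host with IPv4 routing; no privileges are needed for the lookup. The wrapper `route_prefsrc()` and the default of 127.0.0.1 are choices made for this example.

```c
/* Added example, not from the original post: resolve the kernel's
 * preferred source address for a destination with rtnetlink, which is
 * the "src" attribute `ip route get <dst>` prints.  Linux only. */
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/rtnetlink.h>

/* One RTM_GETROUTE request: netlink header, rtmsg, then an RTA_DST attribute. */
struct route_req {
    struct nlmsghdr nlh;
    struct rtmsg    rtm;
    char            attrs[64];
};

/* Returns a static dotted-quad string with the preferred source address for
 * dst, or NULL if dst is not an IPv4 literal, there is no route, or the
 * kernel did not report a preferred source. */
const char *route_prefsrc(const char *dst)
{
    static char out[INET_ADDRSTRLEN];
    struct in_addr target;
    const char *result = NULL;

    if (inet_pton(AF_INET, dst, &target) != 1)
        return NULL;

    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_ROUTE);
    if (fd < 0)
        return NULL;

    struct route_req req;
    memset(&req, 0, sizeof req);
    req.nlh.nlmsg_len   = NLMSG_LENGTH(sizeof(struct rtmsg));
    req.nlh.nlmsg_type  = RTM_GETROUTE;
    req.nlh.nlmsg_flags = NLM_F_REQUEST;   /* single lookup, not a dump */
    req.nlh.nlmsg_seq   = 1;
    req.rtm.rtm_family  = AF_INET;
    req.rtm.rtm_dst_len = 32;              /* full host address follows */

    /* Append RTA_DST = target right after the rtmsg. */
    struct rtattr *rta = (struct rtattr *)((char *)&req + NLMSG_ALIGN(req.nlh.nlmsg_len));
    rta->rta_type = RTA_DST;
    rta->rta_len  = RTA_LENGTH(sizeof target);
    memcpy(RTA_DATA(rta), &target, sizeof target);
    req.nlh.nlmsg_len = NLMSG_ALIGN(req.nlh.nlmsg_len) + rta->rta_len;

    if (send(fd, &req, req.nlh.nlmsg_len, 0) < 0)
        goto out;

    char reply[4096];
    ssize_t got = recv(fd, reply, sizeof reply, 0);
    if (got < 0)
        goto out;
    int len = (int)got;

    /* A failed lookup comes back as NLMSG_ERROR; a hit as one RTM_NEWROUTE. */
    for (struct nlmsghdr *nlh = (struct nlmsghdr *)reply;
         NLMSG_OK(nlh, len); nlh = NLMSG_NEXT(nlh, len)) {
        if (nlh->nlmsg_type != RTM_NEWROUTE)
            break;
        struct rtmsg *rtm = NLMSG_DATA(nlh);
        int alen = RTM_PAYLOAD(nlh);
        for (struct rtattr *a = RTM_RTA(rtm); RTA_OK(a, alen); a = RTA_NEXT(a, alen)) {
            if (a->rta_type == RTA_PREFSRC) {      /* the 'src' of `ip route get` */
                if (inet_ntop(AF_INET, RTA_DATA(a), out, sizeof out))
                    result = out;
                break;
            }
        }
        break;
    }
out:
    close(fd);
    return result;
}

int main(int argc, char **argv)
{
    const char *dst = argc > 1 ? argv[1] : "127.0.0.1";
    const char *src = route_prefsrc(dst);
    if (!src) {
        fprintf(stderr, "no preferred source for %s\n", dst);
        return 1;
    }
    printf("%s src %s\n", dst, src);
    return 0;
}
```

A proxy that does this lookup per destination gets the address the kernel would pick anyway, so binding to it (tcp_outgoing_address) stays correct on multi-homed hosts and after routing changes, without the lookup needing any special privilege.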
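The third point in the post, deciding which address in an X-Forwarded-For: chain to treat as the client while only trusting the header from known proxies, as an added example (not code from the post or from Squid). The trust list, the function names and the addresses (all from RFC 5737 documentation ranges) are constructed for this example. The rule it implements: the header is only considered at all if the TCP peer is a trusted proxy; the chain is then walked from the right, and the first address that is not a trusted proxy is the client, so a client can prepend whatever it likes and still only change what a trusted hop has appended about it.

```c
/* Added example, not from the original post: pick the client address to
 * impersonate from an X-Forwarded-For: header, trusting the header only
 * from listed proxies.  The trust list below is a constructed assumption. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <arpa/inet.h>

#define XFF_MAX_HOPS 16

/* Constructed trust list: the two proxies whose headers we believe. */
static const char *const TRUSTED_PROXIES[] = { "10.0.0.2", "10.0.0.3" };
static const int N_TRUSTED = 2;

static int is_trusted(const char *addr, const char *const *trusted, int ntrusted)
{
    for (int i = 0; i < ntrusted; i++)
        if (strcmp(addr, trusted[i]) == 0)
            return 1;
    return 0;
}

/* Split "a, b ,c" into trimmed IPv4 literals.  Returns the hop count, or -1
 * if any entry is empty, too long or not a dotted quad: a header we cannot
 * parse is treated as tampered rather than partially honoured. */
static int split_xff(const char *xff, char hops[XFF_MAX_HOPS][INET_ADDRSTRLEN])
{
    int n = 0;
    const char *p = xff;
    while (*p) {
        while (*p == ' ' || *p == '\t') p++;
        const char *start = p;
        while (*p && *p != ',') p++;
        const char *end = p;
        while (end > start && isspace((unsigned char)end[-1])) end--;
        size_t len = (size_t)(end - start);
        if (len == 0 || len >= INET_ADDRSTRLEN || n == XFF_MAX_HOPS)
            return -1;
        memcpy(hops[n], start, len);
        hops[n][len] = '\0';
        struct in_addr tmp;
        if (inet_pton(AF_INET, hops[n], &tmp) != 1)
            return -1;
        n++;
        if (*p == ',') p++;
    }
    return n;
}

/* Returns (in a static buffer) the address to use as the client's source:
 *  - peer itself when peer is not a trusted proxy or the header is unusable;
 *  - otherwise the rightmost chain entry that is not a trusted proxy;
 *  - the leftmost entry if every hop in the chain is trusted. */
const char *xff_client(const char *peer, const char *xff,
                       const char *const *trusted, int ntrusted)
{
    static char out[INET_ADDRSTRLEN];
    char hops[XFF_MAX_HOPS][INET_ADDRSTRLEN];

    /* Only a trusted proxy's word about who it is forwarding for counts. */
    if (xff == NULL || !is_trusted(peer, trusted, ntrusted)) {
        snprintf(out, sizeof out, "%s", peer);
        return out;
    }
    int n = split_xff(xff, hops);
    if (n <= 0) {                      /* empty or malformed: ignore header */
        snprintf(out, sizeof out, "%s", peer);
        return out;
    }
    /* Walk right to left past the proxies we trust; the first untrusted
     * address was appended by a trusted hop as its real peer. */
    int i = n - 1;
    while (i > 0 && is_trusted(hops[i], trusted, ntrusted))
        i--;
    snprintf(out, sizeof out, "%s", hops[i]);
    return out;
}

/* Convenience wrapper using the constructed trust list above. */
const char *xff_client_default(const char *peer, const char *xff)
{
    return xff_client(peer, xff, TRUSTED_PROXIES, N_TRUSTED);
}

int main(void)
{
    /* Constructed cases: a two-hop trusted chain, a direct untrusted client
     * carrying a forged header, and a client trying to prepend an address. */
    printf("%s\n", xff_client_default("10.0.0.2", "203.0.113.7, 10.0.0.3"));
    printf("%s\n", xff_client_default("198.51.100.9", "203.0.113.7"));
    printf("%s\n", xff_client_default("10.0.0.2", "203.0.113.7, 198.51.100.5"));
    return 0;
}
```

Because the decision always starts from the TCP peer, which an attacker cannot forge, the header can only move the chosen address along hops that the trust list vouches for; a forged header from an untrusted peer changes nothing, and a forged prefix behind a trusted proxy is shadowed by the real peer address that proxy appended.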