Re: TPROXY support in Squid 3

From: Amos Jeffries <squid3@dont-contact.us>
Date: Mon, 07 Apr 2008 23:11:27 +1200

Adrian Chadd wrote:
> On Mon, Mar 31, 2008, Alex Rousskov wrote:
>
>> What about Adrian plans (if I understood them correctly) to add
>> TPROXY-like support to FreeBSD but not for TPROXY4-like API? Is that a
>> good enough reason to continue supporting unsupported TPROXY versions?
>
> The FreeBSD API will be almost like the TPROXY-4 API.
>
> I'd suggest supporting TPROXY-2 for a few reasons:
>
> * Those who are using it may not want to track the latest kernel + TPROXY
> patches for various reasons (if it just works; company policy; etc.)
> and I think it's easy enough to maintain support for both without
> too much hassle.
>
> * Supporting both TPROXY-2 and TPROXY-4 will (hopefully!) force someone
> to integrate it cleanishly and avoid the Squid-2 ip interception mess!
>
> * Thus making it easier for me to drop in a FreeBSD version of "tproxy"
> without too much hassle (or #ifdef's for that matter.)
>
> It shouldn't be that difficult to isolate the bits of the code required for
> spoofing the client IP in the request versus the TPROXY-specific stuff.
> In fact, the only tproxy-specific stuff I can really see is:
>
> * the logic in forward.c to the local bind, which can be wrapped up as
> part of the socket creation process, and
> * The initialisation code, which in the tproxy-2 case does capabilities
> magic.
>
>
>
> Adrian
>

We have come up with a 'final-beta' patch for squid-3 now.
http://treenet.co.nz/projects/squid/patches/tproxy-squid-3_20080407.patch
Just waiting on Laszlo's final approval.

It's pretty much:

  * adding a COMM_TRANSPARENT flag to comm_openex(...)

  * adds a comm_set_transparent for internal comm use to do setsockopt()

  * adding a transparent flag to all fde's
    - set to 1 on fde's which are opened with the transparent flag
      OR, accepted from a listening fde with transparent flag.

  * override getOutgoingAddr ACL checks to produce the transparent
client-address as outgoing addr.

  * adapt the existing Netfilter NAT getsockopt() for tproxy option.

Should be easy to drop the squid side of your emulated TPROXY-4
alterations in there Adrian.

Amos

-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
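The five points Amos lists above describe a small socket-level mechanism: a transparent socket is created with an IP_TRANSPARENT setsockopt(), the resulting flag lives on the fde and is inherited by accepted connections, and the outgoing-address logic consults that flag so the upstream connection is bound to the client's own address. The following C program is an added illustration of that design written for this page; it is not Squid's code and not the patch linked above. The names COMM_TRANSPARENT, comm_openex(), comm_set_transparent() and get_outgoing_addr() are taken from the mail as hypothetical stand-ins, the fde table is a toy array, and the IP_TRANSPARENT value is the Linux one. Without CAP_NET_ADMIN the setsockopt() fails with EPERM, and the example shows the safe handling of that case: the fde is left non-transparent so the proxy falls back to ordinary behaviour rather than later attempting a bind it cannot complete.

```c
/* Added example, not Squid code: toy model of the fde "transparent" flag
 * and the socket calls it wraps. Linux-specific (IP_TRANSPARENT). */
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* Linux value; assumed when headers lack it */
#endif

#define COMM_TRANSPARENT 0x1  /* hypothetical flag name, as in the mail */
#define MAX_FDS 256

/* Stand-in for Squid's fde table: one transparent flag per descriptor. */
static struct { int transparent; } fdtab[MAX_FDS];

void fde_mark_transparent(int fd, int on) { fdtab[fd].transparent = on ? 1 : 0; }
int  fde_is_transparent(int fd)          { return fdtab[fd].transparent; }

/* Mirrors comm_set_transparent(): enable IP_TRANSPARENT on a socket.
 * Returns 0 on success, -1 with errno set (EPERM without CAP_NET_ADMIN). */
int comm_set_transparent(int fd) {
    int on = 1;
    return setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on));
}

/* Mirrors comm_openex(..., COMM_TRANSPARENT): open a TCP socket and mark
 * its fde. If the kernel refuses IP_TRANSPARENT the flag stays 0, so the
 * caller degrades to a normal (non-spoofing) connection. */
int comm_openex(int flags) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    if (fd >= MAX_FDS) { close(fd); return -1; }
    fde_mark_transparent(fd, 0);
    if ((flags & COMM_TRANSPARENT) && comm_set_transparent(fd) == 0)
        fde_mark_transparent(fd, 1);
    return fd;
}

/* Accept-side rule from the mail: a connection accepted from a transparent
 * listening fde inherits the transparent flag. */
void fde_inherit_on_accept(int listen_fd, int new_fd) {
    fde_mark_transparent(new_fd, fde_is_transparent(listen_fd));
}

/* Mirrors the getOutgoingAddr override: for a transparent client
 * connection the client's own address becomes the outgoing bind address;
 * otherwise the configured outgoing address (INADDR_ANY here) is used. */
struct in_addr get_outgoing_addr(int client_fd, struct in_addr client_addr) {
    struct in_addr out;
    if (fde_is_transparent(client_fd))
        return client_addr;
    out.s_addr = htonl(INADDR_ANY);
    return out;
}

int main(void) {
    char buf[INET_ADDRSTRLEN];
    struct in_addr client, out;
    int lfd = comm_openex(COMM_TRANSPARENT);
    if (lfd < 0) { perror("socket"); return 1; }
    printf("IP_TRANSPARENT %s\n", fde_is_transparent(lfd)
           ? "enabled" : "refused (need CAP_NET_ADMIN), falling back");
    inet_pton(AF_INET, "192.0.2.10", &client);   /* constructed client address */
    out = get_outgoing_addr(lfd, client);
    printf("outgoing bind address: %s\n",
           inet_ntop(AF_INET, &out, buf, sizeof buf));
    close(lfd);
    return 0;
}
```

Run as an unprivileged user the program prints the fallback message and 0.0.0.0 as the bind address; with CAP_NET_ADMIN it prints the client address, which is exactly the address the forward.c bind would use. The NAT-side adaptation from the last bullet (reading the original destination) is not modelled here.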
Received on Mon Apr 07 2008 - 05:11:11 MDT
