Re: TPROXY support in Squid 3

From: Amos Jeffries <squid3@dont-contact.us>
Date: Tue, 08 Apr 2008 17:59:52 +1200

Adrian Chadd wrote:
> On Mon, Apr 07, 2008, Amos Jeffries wrote:
>
>> We have come up with a 'final-beta' patch for squid-3 now.
>> http://treenet.co.nz/projects/squid/patches/tproxy-squid-3_20080407.patch
>> Just waiting on Laszlo's final approval.
>>
>> It's pretty much:
>>
>> * adding a COMM_TRANSPARENT flag to comm_openex(...)
>
> This is the only thing I'm a bit weird on. This means that the same flag
> to TPROXY is used for outgoing sockets and incoming sockets?

The sockets open either as listening (needs IP_TRANSPARENT option set
for the OS to track new inbound connections as TPROXY targets etc.)

Or as outbound spoofed connects (needs IP_TRANSPARENT option set for the
OS to track the connection for special TPROXY handling.)

Both need the sockopt set in the same manner on connect. Sequence
matters for one, but not the other. So it's done the same way for both
and in sequence where it handles both nicely.

>
> I'm thinking about separating them just to make it absolutely clear -
> it doesn't matter that the backend sends the same sockopt and calls the same
> bind().

Make what clear? That it is a socket involved with transparent handling?
That's all the information that is needed by squid to operate well.

It's simpler to keep it in squid as a boolean flag. Tri-states can get
messy. Especially in squid's case where we already have the
non-transparent intercept handling for non-tproxy methods intertwined at
higher levels.

Keep-it-simple and all that.

>
> I don't think it matters in the FreeBSD case either as I'm pretty sure
> the patch I have here uses the same flag for incoming and outgoing sockets.
>
> What do you (and others) think?

I think we need to clean up the two flags floating around squid rather
than adding more state.

Currently:
   fde::flags::transparent == 'intercept/non-intercept'
   fde::flags::tproxy == real-transparent/non-transparent
   (new) COMM_TRANSPARENT == real-transparent

Their use is currently good for what they do. A small re-naming is all
that is needed there. I'm thinking flags::intercept and
flags::realtransparent.

Amos

-- 
Please use Squid 2.6.STABLE19 or 3.0.STABLE4
Received on Mon Apr 07 2008 - 23:59:37 MDT
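
Added example, not part of the original message and not code from Squid or the patch: on Linux, one boolean flag drives the same IP_TRANSPARENT setsockopt(), placed before bind(), for both listening and outbound sockets. The names ex_open, ex_is_transparent, EX_TRANSPARENT and EX_LISTEN are hypothetical; setting the option needs CAP_NET_ADMIN, so an unprivileged run gets -EPERM.

```c
/* Added example (Linux only), not Squid code. ex_ and EX_ names are hypothetical. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define EX_TRANSPARENT 0x1 /* stand-in for the COMM_TRANSPARENT flag */
#define EX_LISTEN      0x2 /* listening socket; otherwise an outbound one */

/* Open a TCP socket bound to addr:port. Returns the fd, or -errno on failure. */
int ex_open(const char *addr, unsigned short port, int flags)
{
    struct sockaddr_in sa;
    int on = 1, err;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return -errno;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, addr, &sa.sin_addr) != 1) { err = EINVAL; goto fail; }
    /* Same option, same place for both directions: set before bind(), the
     * order that a bind() to a non-local (spoofed) address requires. */
    if ((flags & EX_TRANSPARENT) &&
        setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on)) < 0) { err = errno; goto fail; }
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) { err = errno; goto fail; }
    if ((flags & EX_LISTEN) && listen(fd, 16) < 0) { err = errno; goto fail; }
    return fd;
fail:
    close(fd);
    return -err;
}

/* Read the option back: 1 = transparent, 0 = not, -1 = query failed. */
int ex_is_transparent(int fd)
{
    int v = 0;
    socklen_t len = sizeof(v);
    return getsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &v, &len) < 0 ? -1 : (v != 0);
}

int main(void)
{
    printf("listen=%d outbound=%d (negative is -errno)\n",
           ex_open("0.0.0.0", 0, EX_TRANSPARENT | EX_LISTEN), ex_open("0.0.0.0", 0, EX_TRANSPARENT));
    return 0;
}
```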
