Re: [PATCH] ACL to control TPROXY spoofing

From: Steve Hill <steve_at_opendium.com>
Date: Mon, 25 Feb 2013 16:34:18 +0000

Ok, I've had time to clean this patch up... I'm not sure how half my
patch went missing the last time I sent it - I was obviously having a
bad day. :)

The attached patch adds a "spoof_client_ip" fast ACL to control whether
TPROXY requests have their source IP address spoofed by Squid. The ACL
defaults to allow (i.e. the current normal behaviour), but using an ACL
that results in a deny result will disable spoofing for that request.

  Example config (disables spoofing for all requests):
      spoof_client_ip deny all

I've implemented the changes suggested by both Alex and Amos.

The patch also does a bit of code-cleanup:

1. The flags.spoofClientIp flag was a general "this is a TPROXY request"
flag, which was a bit confusing given the name of the flag. So the
flags.spoofClientIp flag now only indicates whether we want to spoof the
source IP or not.

2. TPROXY requests now all set flags.interceptTproxy, irrespective of
whether there is going to be any address spoofing.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messenger: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com

Received on Mon Feb 25 2013 - 16:34:35 MST
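
An added example, not part of the original message or the attached patch: a squid.conf fragment that leaves spoofing on by default and turns it off for one client range, so upstream servers see the proxy's own address for those clients. The port number, ACL name and subnet are assumptions; a src match is used because it can be evaluated as a fast ACL with no external lookup.

```conf
# Constructed example: port, ACL name and subnet are assumptions.

# Listening port that receives TPROXY-intercepted traffic
http_port 3129 tproxy

# Clients whose requests should leave Squid with the proxy's own source address
acl no_spoof_clients src 192.0.2.0/24

# Rules are checked in order: a deny result disables spoofing for that request
spoof_client_ip deny no_spoof_clients

# Every other TPROXY request keeps the default behaviour (client IP is spoofed)
spoof_client_ip allow all
```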
