Re: [PATCH] ACL to control TPROXY spoofing

From: Steve Hill <steve_at_opendium.com>
Date: Tue, 26 Feb 2013 12:17:31 +0000

On 26.02.13 10:31, Amos Jeffries wrote:

> Which is ALG-NAT. Client source IP on traffic entering the box, and
> Squid IP as source on traffic leaving it.

Fair point, but is there any problem with Squid being an ALG-NAT? This
is basically what "intercept" mode was all about (and the full squid
functionality isn't something you're ever going to find in Netfilter, so
"netfilter does NAT, just use that" isn't a good answer here).

> They added it last August. It should be filtering down to general use
> around kernel 3.4 or so.

I'm going to go with "oh god please no" :)
There are uses for NAT (even in the IPv6 world), but far too many people
seem to think it's a Good Thing in its own right rather than a tool to
solve specific problems. Anyway, I'm going way off topic now.

> Code simplicity. An "if(flags.spoof)" test is far faster than even
> constructing a checklist and processing "allow all" in fast-ACL pathway.
> So if the ACL flexibility does not actually have a clear need the speed
> would be better.

Ok. Well I'm a bit on the fence here too.

I can see some use for the flexibility - the situation I mentioned would
require spoofing to be disabled for requests from the branch offices but
it would probably be desirable to leave spoofing on for the main office.
But it wouldn't be a huge issue to disable spoofing for everyone. It
would also be possible to have a separate tproxy socket for people in
the main office, although that would increase the complexity of the
squid config and netfilter rules, even though it reduces the complexity
of squid code.

I tend to think that since the ACL isn't constructed and tested in the
default case (and therefore for most people there is no performance
hit), I would err towards increased functionality rather than increased
performance.

-- 
  - Steve Hill
    Technical Director
    Opendium Limited     http://www.opendium.com
Direct contacts:
    Instant messenger: xmpp:steve_at_opendium.com
    Email:            steve_at_opendium.com
    Phone:            sip:steve_at_opendium.com
Sales / enquiries contacts:
    Email:            sales_at_opendium.com
    Phone:            +44-844-9791439 / sip:sales_at_opendium.com
Support contacts:
    Email:            support_at_opendium.com
    Phone:            +44-844-4844916 / sip:support_at_opendium.com
Received on Tue Feb 26 2013 - 12:17:45 MST