Re: [PATCH] IPv6 transparent proxy support for Squid

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 22 Jun 2013 17:00:07 +1200

On 21/06/2013 7:08 p.m., Alexis Robert wrote:
> Hi,
>
> Thanks for your reply and your comments.
>
> I've joined a patch which includes your remarks.
>
> Alexis
>

+1. Thank you, that looks fine to me now.

The only issue remaining is that iptables header problem. Am questioning
netfilter about it but suspect we will have to add some nasty #if macros
to autodetect working systems in the formal commit. I can handle that part.

Cheers
Amos

> On Thu, Jun 20, 2013 at 4:08 PM, Amos Jeffries <squid3_at_treenet.co.nz> wrote:
>
> On 20/06/2013 9:20 p.m., Alexis Robert wrote:
>
> Hi,
>
> As NAT support has been included for IPv6 in Linux 3.7 (along
> with REDIRECT/DNAT rules), as well as IP6T_SO_ORIGINAL_DST in
> Linux 3.8, I wrote a little patch to add support for
> transparent proxies over IPv6.
>
> It's my first patch for Squid, I hope I've done it correctly
> :) The patch is based on the bzr repository.
>
>
> It looks better than most first submissions. Thank you.
>
>
> The only thing I see which can cause trouble is a bug with
> linux/netfilter_ipv6/ip6_tables.h on C++ compilers, the bug
> report and the patch to fix it are here :
> https://lkml.org/lkml/2012/9/30/146. It's only used for the
> constant IP6T_SO_ORIGINAL_DST. Maybe there is a better (and
> clean) way to do so it doesn't force users to update their
> header file, but I haven't found it yet.
>
> Have a nice day,
>
> Alexis
>
>
> Audit results:
>
> When we are manipulating a sockaddr which may be either
> sockaddr_in/sockaddr_in6 type it is preferable to use the
> sockaddr_storage or addrinfo types.
>
> * please just change the type of "lookup" to sockaddr_storage.
> That and passing AF_UNSPEC as the second parameter to
> local.getSockAddr() will take care of the IPv4/IPv6 differences
> without needing most of the new if-statements.
>
> * in the debugs() statement removing the "SO_" so that the text
> just says "getsockopt(ORIGINAL_DST)" should be sufficient to
> remove the remaining if-statement. It will be clear from the
> printed socket IP:port details which option is in use.
>
> * please remove the new empty line before the return statement.
>
>
> Amos
>
>
Received on Sat Jun 22 2013 - 05:02:33 MDT
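
The audit advice above (one sockaddr_storage for both address families) sketched in plain C, as an added example that is not Squid's code and not part of the patch. The function names are hypothetical, and the option number 80 is defined locally as an assumed fallback so the kernel header discussed in the thread is not needed.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>

/* Both netfilter option numbers are 80. Defined here (assumption: fallback
 * only) so linux/netfilter_ipv6/ip6_tables.h does not have to be included. */
#ifndef SO_ORIGINAL_DST
#define SO_ORIGINAL_DST 80
#endif
#ifndef IP6T_SO_ORIGINAL_DST
#define IP6T_SO_ORIGINAL_DST 80
#endif

/* Map an address family to its getsockopt() level and option; -1 if unsupported.
 * IPPROTO_IP and IPPROTO_IPV6 have the same values as SOL_IP and SOL_IPV6. */
int orig_dst_opt(int family, int *level, int *opt)
{
    switch (family) {
    case AF_INET:  *level = IPPROTO_IP;   *opt = SO_ORIGINAL_DST;      return 0;
    case AF_INET6: *level = IPPROTO_IPV6; *opt = IP6T_SO_ORIGINAL_DST; return 0;
    default:       return -1;
    }
}

/* Fetch the pre-NAT destination of an intercepted connection into *dst.
 * One sockaddr_storage holds either family, so no per-family branches here. */
int lookup_original_dst(int fd, struct sockaddr_storage *dst)
{
    struct sockaddr_storage local;
    socklen_t len = sizeof(local);
    int level, opt;

    if (getsockname(fd, (struct sockaddr *)&local, &len) != 0)
        return -1;                      /* not a usable socket */
    if (orig_dst_opt(local.ss_family, &level, &opt) != 0)
        return -1;                      /* neither IPv4 nor IPv6 */
    memset(dst, 0, sizeof(*dst));
    len = sizeof(*dst);
    return getsockopt(fd, level, opt, dst, &len) == 0 ? 0 : -1;
}
```

A failure return means the lookup gave no original destination, so the caller should not treat the contents of `dst` as an address in that case.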
