PATCH for transparent proxy on BSD using ip_filter

From: John Williams <sqlist@dont-contact.us>
Date: Fri, 26 Sep 1997 13:21:26 -0400 (EDT)

After checking through the mailing list, it appears that no-one has
actually tried using squid with ip_filter on BSD boxes, and that the
transparent proxying has only been tested on linux machines.

When I tried using squid-1.1.6 with ip_fil3.2beta2 running on
FreeBSD-2.2.2, the virtual host code found in icp.c does not return the
destination IP.

Looking at the current implementation, I assume that the linux software
(masq?) must set things up so that the getsockname returns the remote IP
after redirect.

To determine the remote IP with ip_filter, you need to issue an IOCTL to
the ip_filter device. I hacked the source (icp.c) to do this and i'll
include the patch at the end of this post. As I can't code, someone else
may want to look at this and formulate something more proper.

The alternative to something like this is to have the ip_filter guys
(avalon?) modify their package so that the getsockname function operates
the same as the linux one (for redirected packets only). I think this
would be the best solution.

To make this work, just define FOURNET in your Makefile. You'll also need
to make the NAT device readable (implications?!) by the squid process.
This may need to be done upon each reboot.

Anyways...

-- CUT HERE --
*** ./squid-1.1.16/src/icp.c.orig Thu Aug 21 15:20:04 1997
--- ./squid-1.1.16/src/icp.c Tue Sep 23 23:34:00 1997
***************
*** 106,111 ****
--- 106,132 ----
  
  #include "squid.h"
  
+ #ifdef FOURNET
+
+ #include <sys/ioctl.h>
+
+ #define IPN_TCP 0x01
+ #define IPL_NAT "/dev/ipnat"
+
+ typedef struct natlookup {
+ struct in_addr nl_inip;
+ struct in_addr nl_outip;
+ struct in_addr nl_realip;
+ int nl_flags;
+ u_short nl_inport;
+ u_short nl_outport;
+ u_short nl_realport;
+ } natlookup_t;
+
+ #define SIOCGNATL _IOWR('r', 83, struct natlookup)
+
+ #endif /* FOURNET */
+
  int neighbors_do_private_keys = 1;
  
  char *log_tags[] =
***************
*** 1580,1585 ****
--- 1601,1611 ----
      int req_hdr_sz;
      int url_sz;
  
+ #ifdef FOURNET
+ struct natlookup natlookup;
+ int natfd;
+ #endif /* FOURNET */
+
      /* Make sure a complete line has been received */
      if (strchr(icpState->inbuf, '\n') == NULL) {
          debug(12, 5, "Incomplete request line, waiting for more data\n");
***************
*** 1658,1667 ****
--- 1684,1720 ----
              /* Put the local socket IP address as the hostname */
              url_sz = strlen(url) + 32 + Config.appendDomainLen;
              icpState->url = xcalloc(url_sz, 1);
+ #ifndef FOURNET
              sprintf(icpState->url, "http://%s:%d%s",
                  inet_ntoa(icpState->me.sin_addr),
                  (int) Config.Accel.port,
                  url);
+ #else
+ natlookup.nl_inport = icpState->me.sin_port;
+ natlookup.nl_outport = icpState->peer.sin_port;
+ natlookup.nl_inip = icpState->me.sin_addr;
+ natlookup.nl_outip = icpState->peer.sin_addr;
+
+ natlookup.nl_flags = IPN_TCP;
+
+ if((natfd = open(IPL_NAT, O_RDONLY)) < 0) {
+ return -1;
+ }
+
+ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
+ close(natfd);
+ return 0;
+ }
+
+ close(natfd);
+ sprintf(icpState->url, "http://%s:%d%s",
+ inet_ntoa(natlookup.nl_realip),
+ (int) Config.Accel.port,
+ url);
+
+ #endif /* FOURNET */
+
              debug(12, 5, "VHOST REWRITE: '%s'\n", icpState->url);
          } else if (opt_accel_uses_host && (t = mime_get_header(req_hdr, "Host"))) {
              /* If a Host: header was specified, use it to build the URL
-- CUT HERE --
Received on Fri Sep 26 1997 - 10:30:51 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:10 MST