Re: Transparent proxy probs...

From: Chris McGonagle <sqlist@dont-contact.us>
Date: Mon, 24 Nov 1997 14:34:19 -0500 (EST)

>
> > While trying to retrieve the URL:
> > http://195.102.240.153/<P>
>
> Hmm.. looks like you have some problems with the transparent proxy
> support:
> 1. Squid failed to get the correct destination IP. What is needed to get
> this when using ipfilter?
> 2. Much nicer if the Host: header is used when available. See above.
>
> ---
> Henrik Nordström

See my message below which includes a patch to make squid work with
ip_filter on BSD boxes.

This message was originally posted at the end of September to this list.

Chris.

-- INCLUDED MESSAGE --

After checking through the mailing list, it appears that no-one has
actually tried using squid with ip_filter on BSD boxes, and that the
transparent proxying has only been tested on linux machines.

When I tried using squid-1.1.6 with ip_fil3.2beta2 running on FreeBSD-2.2.2,
the virtual host code found in icp.c does not return the destination IP.

Looking at the current implementation, I assume that the linux software (masq?)
must set things up so that the getsockname returns the remote IP after redirect.

To determine the remote IP with ip_filter, you need to issue an IOCTL to
the ip_filter device. I hacked the source (icp.c) to do this and i'll
include the patch at the end of this post. As I can't code, someone else
may want to look at this and formulate something more proper.

The alternative to something like this is to have the ip_filter guys (avalon?)
modify their package so that the getsockname function operates the same as the
linux one (for redirected packets only). I think this would be the best solution.

To make this work, just define FOURNET in your Makefile. You'll also need
to make the NAT device readable (implications?!) by the squid process. This
may need to be done upone each reboot.

Anyways...

-- CUT HERE --
*** ./squid-1.1.16/src/icp.c.orig Thu Aug 21 15:20:04 1997
--- ./squid-1.1.16/src/icp.c Tue Sep 23 23:34:00 1997
***************
*** 106,111 ****
--- 106,132 ----
  
  #include "squid.h"
  
+ #ifdef FOURNET
+
+ #include <sys/ioctl.h>
+
+ #define IPN_TCP 0x01
+ #define IPL_NAT "/dev/ipnat"
+
+ typedef struct natlookup {
+ struct in_addr nl_inip;
+ struct in_addr nl_outip;
+ struct in_addr nl_realip;
+ int nl_flags;
+ u_short nl_inport;
+ u_short nl_outport;
+ u_short nl_realport;
+ } natlookup_t;
+
+ #define SIOCGNATL _IOWR('r', 83, struct natlookup)
+
+ #endif /* FOURNET */
+
  int neighbors_do_private_keys = 1;
  
  char *log_tags[] =
***************
*** 1580,1585 ****
--- 1601,1611 ----
      int req_hdr_sz;
      int url_sz;
  
+ #ifdef FOURNET
+ struct natlookup natlookup;
+ int natfd;
+ #endif /* FOURNET */
+
      /* Make sure a complete line has been received */
      if (strchr(icpState->inbuf, '\n') == NULL) {
          debug(12, 5, "Incomplete request line, waiting for more data\n");
***************
*** 1658,1667 ****
--- 1684,1720 ----
              /* Put the local socket IP address as the hostname */
              url_sz = strlen(url) + 32 + Config.appendDomainLen;
              icpState->url = xcalloc(url_sz, 1);
+ #ifndef FOURNET
              sprintf(icpState->url, "http://%s:%d%s",
                  inet_ntoa(icpState->me.sin_addr),
                  (int) Config.Accel.port,
                  url);
+ #else
+ natlookup.nl_inport = icpState->me.sin_port;
+ natlookup.nl_outport = icpState->peer.sin_port;
+ natlookup.nl_inip = icpState->me.sin_addr;
+ natlookup.nl_outip = icpState->peer.sin_addr;
+
+ natlookup.nl_flags = IPN_TCP;
+
+ if((natfd = open(IPL_NAT, O_RDONLY)) < 0) {
+ return -1;
+ }
+
+ if(ioctl(natfd, SIOCGNATL, &natlookup) == -1) {
+ syslog(LOG_ERR, "SIOCGNATL failed: %m\n");
+ close(natfd);
+ return 0;
+ }
+
+ close(natfd);
+ sprintf(icpState->url, "http://%s:%d%s",
+ inet_ntoa(natlookup.nl_realip),
+ (int) Config.Accel.port,
+ url);
+
+ #endif /* FOURNET */
+
              debug(12, 5, "VHOST REWRITE: '%s'\n", icpState->url);
          } else if (opt_accel_uses_host && (t = mime_get_header(req_hdr, "Host"))) {
              /* If a Host: header was specified, use it to build the URL
-- CUT HERE --
Received on Mon Nov 24 1997 - 11:45:04 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:37:43 MST