On Tue, 15 Sep 2009 04:13:20 +0200, Henrik Nordstrom <henrik@xxxxxxxxxxxxxxxxxxx> wrote:
> On Tue 2009-09-15 at 12:28 +1200, Amos Jeffries wrote:
>
>> The big reason is that TPROXY passes the IPs to Squid inverted via
>> accept(). There is no probe like the NAT ORIGINAL_DST to separate the
>> TPROXY and non-TPROXY received connections. The only way to identify this
>> IP inversion is the flags in squid.conf.
>
> Yes, but here we are talking about the other side, when Squid makes the
> outgoing connection. That part does not need to depend in any way on how

We are talking about setting http_port (incoming) options. Or so I thought.

> the request arrived at Squid, just on where the request is heading
> (routing of return traffic for the client via Squid server).
>
> Should in theory work to enable tproxy spoofing even for normal proxied
> connections.

That would be some other functionality not related to what the existing
http_port tproxy flag does. Spoofing without handling inbound spoofed
requests. IMO it is as nice to use as a certain login function turned out
to be.

You can try it I suppose. I suspect there are likely some kernel
implementation bits that prevent random IP spoofing though. The only limit
in Squid is that the spoof_client_ip flag must be set before the tcp
outgoing address is selected.

Amos