Hi Henrik, Amos, etc
I've been trying to compile Squid-2.7.STABLE8 (squid-2.HEAD-20100222)
but am having difficulty applying the Visolve TProxy-4 patch
* http://www.visolve.com/squid/squid-tproxy.php
The patch no longer applies cleanly. I spent some time trying to
resolve the conflicts, and after successful compilation, Squid is
listening on its port, but also complains to cachelog as follows and
it's not spoofing the source IP:
{{{
Accepting proxy HTTP connections at 192.168.251.106, port 800, FD 27.
...
commBind: Cannot bind socket FD 31 to 192.168.251.106:800: (98)
Address already in use
}}}
I'm compiling on an Ubuntu 9.10 machine with Linux kernel
2.6.31-19-generic and Linux headers packages installed
{{{
aptitude search ~ilinux-headers
i linux-headers-2.6.31-19
- Header files related to Linux kernel version 2.6.31
i linux-headers-2.6.31-19-generic
- Linux kernel headers for version 2.6.31 on x86/x86_64
i A linux-headers-generic
- Generic Linux kernel headers
}}}
I'm deploying this on a Slackware based box with custom Linux Kernel
2.6.31.6 (TProxy module enabled)
{{{
cachebox# dmesg | grep -i tproxy
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
}}}
I think the problem might be caused by this recent patch to the libcap
code, particularly - around tools.c:
* http://www.squid-cache.org/Versions/v2/HEAD/changesets/12640.patch
It looked like the changes to tools.c that had previously been applied
by the Tproxy patch are now part of the 2.7 tree, but re-factored
slightly. Then again I may be totally off the mark :)
I've attached my latest version of the patch in which I rejected all
the Tproxy changes to tools.c.
Has anyone already prepared a more up to date version of the Tproxy
patch? If not, I'd like to help fix the patch, but perhaps someone can
quickly summarise what might be the problem and what needs doing.
-RichardW.
Index: configure
===================================================================
--- configure (revision 9786)
+++ configure (working copy)
@@ -9554,7 +9554,6 @@
grp.h \
libc.h \
linux/netfilter_ipv4.h \
- linux/netfilter_ipv4/ip_tproxy.h \
malloc.h \
math.h \
memory.h \
@@ -29104,10 +29103,10 @@
fi
if test "$LINUX_TPROXY"; then
- { $as_echo "$as_me:$LINENO: checking if TPROXY header files are installed" >&5
-$as_echo_n "checking if TPROXY header files are installed... " >&6; }
+ { echo "$as_me:$LINENO: checking if sys/capability header files are installed" >&5
+echo $ECHO_N "checking if sys/capability header files are installed... $ECHO_C" >&6; }
# hold on to your hats...
- if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
+ if test "$ac_cv_header_sys_capability_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
LINUX_TPROXY="yes"
cat >>confdefs.h <<\_ACEOF
@@ -29122,8 +29121,12 @@
_ACEOF
fi
- { $as_echo "$as_me:$LINENO: result: $LINUX_TPROXY" >&5
-$as_echo "$LINUX_TPROXY" >&6; }
+ { echo "$as_me:$LINENO: result: $LINUX_TPROXY" >&5
+echo "${ECHO_T}$LINUX_TPROXY" >&6; }
+
+ if test "$LINUX_TPROXY" = "no" ; then
+ echo "WARNING: Cannot find necessary system capability headers files"
+ echo " Linux TProxy-4 support WILL NOT be enabled"
if test "$use_libcap" != "yes"; then
{ $as_echo "$as_me:$LINENO: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&5
$as_echo "$as_me: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&2;}
@@ -29131,11 +29134,6 @@
sleep 10
fi
fi
-if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
- echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the"
- echo "tproxy package from:"
- echo " - lynx http://www.balabit.com/downloads/files/tproxy/";
- sleep 10
fi
if test -z "$USE_GNUREGEX" ; then
Index: configure.in
===================================================================
--- configure.in (revision 9786)
+++ configure.in (working copy)
@@ -1802,7 +1802,6 @@
grp.h \
libc.h \
linux/netfilter_ipv4.h \
- linux/netfilter_ipv4/ip_tproxy.h \
malloc.h \
math.h \
memory.h \
@@ -2946,9 +2945,9 @@
dnl Linux Netfilter/TPROXY support requires some specific header files and libcap
dnl Shamelessly copied from shamelessly copied from above
if test "$LINUX_TPROXY"; then
- AC_MSG_CHECKING(if TPROXY header files are installed)
+ AC_MSG_CHECKING(if sys/capability header files are installed)
# hold on to your hats...
- if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
+ if test "$ac_cv_header_sys_capability_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
LINUX_TPROXY="yes"
AC_DEFINE(LINUX_TPROXY, 1, [Enable real Transparent Proxy support for Netfilter TPROXY.])
else
@@ -2961,13 +2960,12 @@
LINUX_TPROXY="no"
sleep 10
fi
+
+ if test "$LINUX_TPROXY" = "no" ; then
+ echo "WARNING: Cannot find necessary system capability headers files"
+ echo " Linux TProxy-4 support WILL NOT be enabled"
+ fi
fi
-if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
- echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the"
- echo "tproxy package from:"
- echo " - lynx http://www.balabit.com/downloads/files/tproxy/";
- sleep 10
-fi
if test -z "$USE_GNUREGEX" ; then
case "$host" in
Index: src/ssl.c
===================================================================
--- src/ssl.c (revision 9786)
+++ src/ssl.c (working copy)
@@ -499,6 +499,11 @@
char *url = http->uri;
struct in_addr outgoing;
unsigned long tos;
+#ifdef LINUX_TPROXY
+ int flags;
+#endif
+
+
/*
* client_addr == no_addr indicates this is an "internal" request
* from peer_digest.c, asn.c, netdb.c, etc and should always
@@ -522,11 +527,17 @@
outgoing = getOutgoingAddr(request);
tos = getOutgoingTOS(request);
/* Create socket. */
+ flags = COMM_NONBLOCKING;
+#ifdef LINUX_TPROXY
+ if (request->flags.tproxy) {
+ flags |= COMM_TRANSPARENT;
+ }
+#endif
sock = comm_openex(SOCK_STREAM,
IPPROTO_TCP,
outgoing,
0,
- COMM_NONBLOCKING,
+ flags,
tos,
url);
if (sock == COMM_ERROR) {
Index: src/structs.h
===================================================================
--- src/structs.h (revision 9786)
+++ src/structs.h (working copy)
@@ -942,6 +942,7 @@
unsigned int close_on_exec:1;
unsigned int backoff:1; /* keep track of whether the fd is backed off */
unsigned int dnsfailed:1; /* did the dns lookup fail */
+ unsigned int transparent:1;
} flags;
comm_pending read_pending;
comm_pending write_pending;
Index: src/defines.h
===================================================================
--- src/defines.h (revision 9786)
+++ src/defines.h (working copy)
@@ -93,6 +93,9 @@
#define COMM_NONBLOCKING 0x01
#define COMM_NOCLOEXEC 0x02
#define COMM_REUSEADDR 0x04
+#ifdef LINUX_TPROXY
+#define COMM_TRANSPARENT 0x08
+#endif
#define do_debug(SECTION, LEVEL) \
((_db_level = (LEVEL)) <= debugLevels[SECTION])
Index: src/comm.c
===================================================================
--- src/comm.c (revision 9786)
+++ src/comm.c (working copy)
@@ -47,6 +47,12 @@
#include <netinet/tcp.h>
#endif
+#ifdef LINUX_TPROXY
+#ifndef IP_TRANSPARENT
+#define IP_TRANSPARENT 19
+#endif
+#endif
+
typedef struct {
char *host;
u_short port;
@@ -65,6 +71,9 @@
static void commSetReuseAddr(int);
static void commSetNoLinger(int);
static void CommWriteStateCallbackAndFree(int fd, int code);
+#ifdef LINUX_TPROXY
+static void commSetTransparent(int);
+#endif
#ifdef TCP_NODELAY
static void commSetTcpNoDelay(int);
#endif
@@ -258,6 +267,12 @@
if (opt_reuseaddr)
commSetReuseAddr(new_socket);
}
+#ifdef LINUX_TPROXY
+ if (flags & COMM_TRANSPARENT) {
+ F->flags.transparent = 1;
+ commSetTransparent(new_socket);
+ }
+#endif
if (addr.s_addr != no_addr.s_addr) {
if (commBind(new_socket, addr, port) != COMM_OK) {
comm_close(new_socket);
@@ -435,6 +450,12 @@
* yuck, this has assumptions about comm_open() arguments for
* the original socket
*/
+#ifdef LINUX_TPROXY
+ if (F->flags.transparent) {
+ commSetTransparent(cs->fd);
+ }
+#endif
+
if (commBind(cs->fd, F->local_addr, F->local_port) != COMM_OK) {
debug(5, 0) ("commResetFD: bind: %s\n", xstrerror());
return 0;
@@ -1534,3 +1555,19 @@
}
}
}
+
+#ifdef LINUX_TPROXY
+static void
+commSetTransparent(int fd)
+{
+ int on = 1;
+ debug(5, 3) ("commSetTransparent: FD %d\n", fd);
+ if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char*)&on, sizeof(on)) < 0) {
+ debug(5, 1) ("commSetTransparent: FD %d: %s\n", fd, xstrerror());
+ }
+ fd_table[fd].flags.transparent = 1;
+}
+#endif
+
+
+
Index: src/forward.c
===================================================================
--- src/forward.c (revision 9786)
+++ src/forward.c (working copy)
@@ -40,9 +40,6 @@
#include <linux/types.h>
#include <linux/netfilter_ipv4.h>
#endif
-#if LINUX_TPROXY
-#include <linux/netfilter_ipv4/ip_tproxy.h>
-#endif
static PSC fwdStartComplete;
static void fwdDispatch(FwdState *);
@@ -515,7 +512,7 @@
struct in_addr outgoing;
unsigned short tos;
#if LINUX_TPROXY
- struct in_tproxy itp;
+ int flags;
#endif
int idle = -1;
@@ -624,11 +621,19 @@
debug(17, 3) ("fwdConnectStart: got addr %s, tos %d\n",
inet_ntoa(outgoing), tos);
+ flags = COMM_NONBLOCKING;
+#ifdef LINUX_TPROXY
+ if ((outgoing.s_addr == INADDR_ANY) && fwdState->request->flags.tproxy) {
+ outgoing = fwdState->request->client_addr;
+ flags |= COMM_TRANSPARENT;
+ debug(17,3)("fwdConnectStart: setting outgoing.s_addr=%08X (will set TRANSPARENT)\n", outgoing.s_addr);
+ }
+#endif
fd = comm_openex(SOCK_STREAM,
IPPROTO_TCP,
outgoing,
0,
- COMM_NONBLOCKING,
+ flags,
tos,
url);
if (fd < 0) {
@@ -661,32 +666,6 @@
if (fs->peer) {
hierarchyNote(&fwdState->request->hier, fs->code, fs->peer->name);
} else {
-#if LINUX_TPROXY
- if (fwdState->request->flags.tproxy) {
-
- itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
- itp.v.addr.fport = 0;
-
- /* If these syscalls fail then we just fallback to connecting
- * normally by simply ignoring the errors...
- */
- itp.op = TPROXY_ASSIGN;
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
- debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
- inet_ntoa(itp.v.addr.faddr),
- itp.v.addr.faddr.s_addr,
- itp.v.addr.fport);
- } else {
- itp.op = TPROXY_FLAGS;
- itp.v.flags = ITP_CONNECT;
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
- debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT\n",
- itp.v.addr.faddr.s_addr,
- itp.v.addr.fport);
- }
- }
- }
-#endif
hierarchyNote(&fwdState->request->hier, fs->code, fwdState->request->host);
}
Index: src/client_side.c
===================================================================
--- src/client_side.c (revision 9786)
+++ src/client_side.c (working copy)
@@ -5172,6 +5172,7 @@
{
http_port_list *s;
int fd;
+ int flags;
for (s = Config.Sockaddr.http; s; s = s->next) {
if (MAXHTTPPORTS == NHttpSockets) {
debug(1, 1) ("WARNING: You have too many 'http_port' lines.\n");
@@ -5193,11 +5194,17 @@
"HTTP Socket");
} else {
enter_suid();
+ flags = COMM_NONBLOCKING;
+#ifdef LINUX_TPROXY
+ if (s->tproxy) {
+ flags |= COMM_TRANSPARENT;
+ }
+#endif
fd = comm_open(SOCK_STREAM,
IPPROTO_TCP,
s->s.sin_addr,
ntohs(s->s.sin_port),
- COMM_NONBLOCKING,
+ flags,
"HTTP Socket");
leave_suid();
}
