
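--- a/squid-2.7.STABLE9.o/configure
+++ b/squid-2.7.STABLE9.o/configure
@@ -1630,8 +1630,6 @@
   --enable-large-cache-files
 			  Enable support for large cache files (>2GB).
 			  WARNING: on-disk cache format is changed by this option
-  --enable-linux-tproxy
-			  Enable real Transparent Proxy support for Netfilter TPROXY.
   --enable-leakfinder
 			  Enable Leak Finding code.  Enabling this alone
 			  does nothing; you also have to modify the source
@@ -5449,25 +5447,6 @@
 	;;
 esac
 
-# Check whether --enable-linux-tproxy was given.
-if test "${enable_linux_tproxy+set}" = set; then
-  enableval=$enable_linux_tproxy;  if test "$enableval" = "yes" ; then
-	echo "Linux Netfilter/TPROXY enabled"
-
-cat >>confdefs.h <<\_ACEOF
-#define LINUX_TPROXY 1
-_ACEOF
-
-	LINUX_TPROXY="yes"
-        if test -z "$LINUX_NETFILTER"; then
-	    echo "Linux-Netfilter Transparent Proxy automatically enabled"
-	    LINUX_NETFILTER="yes"
-	fi
-  fi
-
-fi
-
-
  if false; then
   MAKE_LEAKFINDER_TRUE=
   MAKE_LEAKFINDER_FALSE='#'
@@ -8224,7 +8203,6 @@
 	grp.h \
 	libc.h \
 	linux/netfilter_ipv4.h \
-	linux/netfilter_ipv4/ip_tproxy.h \
 	malloc.h \
 	math.h \
 	memory.h \
@@ -27988,41 +27966,6 @@
     sleep 10
 fi
 
-if test "$LINUX_TPROXY"; then
-    { $as_echo "$as_me:$LINENO: checking if TPROXY header files are installed" >&5
-$as_echo_n "checking if TPROXY header files are installed... " >&6; }
-    # hold on to your hats...
-    if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
-	LINUX_TPROXY="yes"
-
-cat >>confdefs.h <<\_ACEOF
-#define LINUX_TPROXY 1
-_ACEOF
-
-    else
-	LINUX_TPROXY="no"
-
-cat >>confdefs.h <<\_ACEOF
-#define LINUX_TPROXY 0
-_ACEOF
-
-    fi
-    { $as_echo "$as_me:$LINENO: result: $LINUX_TPROXY" >&5
-$as_echo "$LINUX_TPROXY" >&6; }
-    if test "$use_libcap" != "yes"; then
-       { $as_echo "$as_me:$LINENO: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&5
-$as_echo "$as_me: WARNING: Missing needed capabilities (libcap or libcap2) for TPROXY" >&2;}
-       LINUX_TPROXY="no"
-       sleep 10
-    fi
-fi
-if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
-    echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the"
-    echo "tproxy package from:"
-    echo " - lynx http://www.balabit.com/downloads/files/tproxy/"
-    sleep 10
-fi
-
 if test -z "$USE_GNUREGEX" ; then
     case "$host" in
     *-sun-solaris2.[0-4])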
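--- a/squid-2.7.STABLE9.o/configure.in
+++ b/squid-2.7.STABLE9.o/configure.in
@@ -1136,21 +1136,6 @@
 	;;
 esac
 
-dnl Enable Linux transparent proxy support
-AC_ARG_ENABLE(linux-tproxy,
-[  --enable-linux-tproxy
-			  Enable real Transparent Proxy support for Netfilter TPROXY.],
-[ if test "$enableval" = "yes" ; then
-	echo "Linux Netfilter/TPROXY enabled"
-	AC_DEFINE(LINUX_TPROXY, 1, [Enable real Transparent Proxy support for Netfilter TPROXY.])
-	LINUX_TPROXY="yes"
-        if test -z "$LINUX_NETFILTER"; then
-	    echo "Linux-Netfilter Transparent Proxy automatically enabled"
-	    LINUX_NETFILTER="yes"
-	fi
-  fi
-])
-
 AM_CONDITIONAL(MAKE_LEAKFINDER, false)
 dnl Enable Leak Finding Functions
 AC_ARG_ENABLE(leakfinder,
@@ -1634,7 +1619,6 @@
 	grp.h \
 	libc.h \
 	linux/netfilter_ipv4.h \
-	linux/netfilter_ipv4/ip_tproxy.h \
 	malloc.h \
 	math.h \
 	memory.h \
@@ -2791,32 +2775,6 @@
     sleep 10
 fi
 
-dnl Linux Netfilter/TPROXY support requires some specific header files and libcap
-dnl Shamelessly copied from shamelessly copied from above
-if test "$LINUX_TPROXY"; then
-    AC_MSG_CHECKING(if TPROXY header files are installed)
-    # hold on to your hats...
-    if test "$ac_cv_header_linux_netfilter_ipv4_ip_tproxy_h" = "yes" && test "$LINUX_NETFILTER" = "yes"; then
-	LINUX_TPROXY="yes"
-	AC_DEFINE(LINUX_TPROXY, 1, [Enable real Transparent Proxy support for Netfilter TPROXY.])
-    else
-	LINUX_TPROXY="no"
-	AC_DEFINE(LINUX_TPROXY, 0, [Enable real Transparent Proxy support for Netfilter TPROXY.])
-    fi
-    AC_MSG_RESULT($LINUX_TPROXY)
-    if test "$use_libcap" != "yes"; then
-       AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY])
-       LINUX_TPROXY="no"
-       sleep 10
-    fi
-fi
-if test "$LINUX_TPROXY" = "no" && test "$LINUX_NETFILTER" = "yes"; then
-    echo "WARNING: Cannot find TPROXY headers, you need to patch your kernel with the"
-    echo "tproxy package from:"
-    echo " - lynx http://www.balabit.com/downloads/files/tproxy/"
-    sleep 10
-fi
-
 if test -z "$USE_GNUREGEX" ; then
     case "$host" in
     *-sun-solaris2.[[0-4]])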
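--- a/squid-2.7.STABLE9.o/src/cache_cf.c
+++ b/squid-2.7.STABLE9.o/src/cache_cf.c
@@ -42,6 +42,12 @@
 #include "snmp.h"
 #endif
 
+#if LINUX_NETFILTER 
+#warning almafa
+#else
+#error krotefa
+#endif
+
 static const char *const T_SECOND_STR = "second";
 static const char *const T_MINUTE_STR = "minute";
 static const char *const T_HOUR_STR = "hour";
@@ -2897,7 +2903,7 @@
 	s->urlgroup = xstrdup(token + 9);
     } else if (strncmp(token, "protocol=", 9) == 0) {
 	s->protocol = xstrdup(token + 9);
-#if LINUX_TPROXY
+#if LINUX_NETFILTER
     } else if (strcmp(token, "tproxy") == 0) {
 	s->tproxy = 1;
 	need_linux_tproxy = 1;
@@ -3003,7 +3009,7 @@
 	storeAppendPrintf(e, " protocol=%s", s->protocol);
     if (s->no_connection_auth)
 	storeAppendPrintf(e, " no-connection-auth");
-#if LINUX_TPROXY
+#if LINUX_NETFILTER
     if (s->tproxy)
 	storeAppendPrintf(e, " tproxy");
 #endif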
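Review bot: The block added after the includes (`#if LINUX_NETFILTER` / `#warning almafa` / `#else` / `#error krotefa` / `#endif`) reads as leftover debugging scaffolding and should be removed before the patch is applied. As written, any build where LINUX_NETFILTER is off or undefined stops at the `#error`, and builds where it is on emit a warning that breaks warnings-as-errors builds. If the intent is that the `tproxy` port option needs netfilter support, the existing `#if LINUX_NETFILTER` guard around `strcmp(token, "tproxy")` already expresses that.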
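--- a/squid-2.7.STABLE9.o/src/cf_gen_defines
+++ b/squid-2.7.STABLE9.o/src/cf_gen_defines
@@ -6,7 +6,6 @@
 	print "struct { const char *name; const char *enable; int defined;} defines[] = {"
 	define["DELAY_POOLS"]="--enable-delay-pools"
 	define["HTTP_VIOLATIONS"]="--enable-http-violations"
-	define["LINUX_TPROXY"]="--enable-linux-tproxy"
 	define["MULTICAST_MISS_STREAM"]="--enable-multicast-miss"
 	define["SQUID_SNMP"]="--enable-snmp"
 	define["USE_CACHE_DIGESTS"]="--enable-cache-digests"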
(-)squid-2.7.STABLE9.o/src/client_side.c (-2 / +8 lines)
Lines 4025-4031 Link Here
4025
	}
4025
	}
4026
	if (conn->port->urlgroup)
4026
	if (conn->port->urlgroup)
4027
	    request->urlgroup = xstrdup(conn->port->urlgroup);
4027
	    request->urlgroup = xstrdup(conn->port->urlgroup);
4028
#if LINUX_TPROXY
4028
#if LINUX_NETFILTER
4029
	request->flags.tproxy = conn->port->tproxy && need_linux_tproxy;
4029
	request->flags.tproxy = conn->port->tproxy && need_linux_tproxy;
4030
#endif
4030
#endif
4031
	request->flags.accelerated = http->flags.accel;
4031
	request->flags.accelerated = http->flags.accel;
Lines 4941-4946 Link Here
4941
{
4941
{
4942
    http_port_list *s;
4942
    http_port_list *s;
4943
    int fd;
4943
    int fd;
4944
    int flags;
4944
    for (s = Config.Sockaddr.http; s; s = s->next) {
4945
    for (s = Config.Sockaddr.http; s; s = s->next) {
4945
	if (MAXHTTPPORTS == NHttpSockets) {
4946
	if (MAXHTTPPORTS == NHttpSockets) {
4946
	    debug(1, 1) ("WARNING: You have too many 'http_port' lines.\n");
4947
	    debug(1, 1) ("WARNING: You have too many 'http_port' lines.\n");
Lines 4962-4972 Link Here
4962
		"HTTP Socket");
4963
		"HTTP Socket");
4963
	} else {
4964
	} else {
4964
	    enter_suid();
4965
	    enter_suid();
4966
		flags = COMM_NONBLOCKING;
4967
#if LINUX_NETFILTER
4968
		if (s->tproxy)
4969
			flags |= COMM_TRANSPARENT;
4970
#endif
4965
	    fd = comm_open(SOCK_STREAM,
4971
	    fd = comm_open(SOCK_STREAM,
4966
		IPPROTO_TCP,
4972
		IPPROTO_TCP,
4967
		s->s.sin_addr,
4973
		s->s.sin_addr,
4968
		ntohs(s->s.sin_port),
4974
		ntohs(s->s.sin_port),
4969
		COMM_NONBLOCKING,
4975
		flags,
4970
		"HTTP Socket");
4976
		"HTTP Socket");
4971
	    leave_suid();
4977
	    leave_suid();
4972
	}
4978
	}
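Review bot: The listener hunk enables `COMM_TRANSPARENT` on `s->tproxy` alone, while the request flag in the first hunk is `conn->port->tproxy && need_linux_tproxy`. If capability setup later clears `need_linux_tproxy`, as the tools.c messages suggest it can, the port would still accept redirected traffic transparently while requests go out from the proxy's own address. A comment above `if (s->tproxy)` should state that this mismatch is intended, for example `/* listener stays transparent even if need_linux_tproxy is cleared later */`. The added lines are also indented with two tabs where the surrounding block uses a tab plus four spaces, and the function body starts and ends outside the hunk.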
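--- a/squid-2.7.STABLE9.o/src/comm.c
+++ b/squid-2.7.STABLE9.o/src/comm.c
@@ -47,6 +47,12 @@
 #include <netinet/tcp.h>
 #endif
 
+#if LINUX_NETFILTER
+#ifndef IP_TRANSPARENT
+#define IP_TRANSPARENT	19
+#endif
+#endif
+
 typedef struct {
     char *host;
     u_short port;
@@ -63,6 +69,9 @@
 /* STATIC */
 static int commBind(int s, struct in_addr, u_short port);
 static void commSetReuseAddr(int);
+#if LINUX_NETFILTER
+static void commSetTransparent(int);
+#endif
 static void commSetNoLinger(int);
 static void CommWriteStateCallbackAndFree(int fd, int code);
 #ifdef TCP_NODELAY
@@ -251,6 +260,12 @@
 	if (opt_reuseaddr)
 	    commSetReuseAddr(new_socket);
     }
+#if LINUX_NETFILTER
+    if (flags & COMM_TRANSPARENT) {
+        F->flags.transparent = 1;
+        commSetTransparent(new_socket);
+    }
+#endif
     if (addr.s_addr != no_addr.s_addr) {
 	if (commBind(new_socket, addr, port) != COMM_OK) {
 	    comm_close(new_socket);
@@ -415,6 +430,11 @@
      * yuck, this has assumptions about comm_open() arguments for
      * the original socket
      */
+#if LINUX_NETFILTER
+    if (F->flags.transparent)
+    	commSetTransparent(cs->fd);
+#endif
+
     if (commBind(cs->fd, F->local_addr, F->local_port) != COMM_OK) {
 	debug(5, 0) ("commResetFD: bind: %s\n", xstrerror());
 	return 0;
@@ -978,6 +998,18 @@
 	debug(5, 1) ("commSetReuseAddr: FD %d: %s\n", fd, xstrerror());
 }
 
+#if LINUX_NETFILTER
+static void
+commSetTransparent(int fd)
+{
+    int on = 1;
+    debug(5, 3) ("commSetTransparent: FD %d\n", fd);
+    if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char*)&on, sizeof(on)) < 0)
+		debug(5, 1) ("commSetTransparent: FD %d: %s\n", fd, xstrerror());
+    fd_table[fd].flags.transparent = 1;
+}
+#endif
+
 static void
 commSetTcpRcvbuf(int fd, int size)
 {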
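Review bot: commSetTransparent() sets `fd_table[fd].flags.transparent = 1` even when the `setsockopt(fd, SOL_IP, IP_TRANSPARENT, ...)` call fails, so the fd is recorded as transparent although the kernel option was never applied. The failure is reported only as a level-1 debug line and both call sites go straight on to `commBind`. Returning right after the failed call's debug line would keep the flag truthful. The caller in the socket-open hunk sets `F->flags.transparent = 1` itself before the call, so that assignment would have to move as well. The fallback `#define IP_TRANSPARENT	19` would benefit from a one-line comment naming the kernel header it mirrors; the calling functions' bodies extend beyond the hunks shown.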
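--- a/squid-2.7.STABLE9.o/src/defines.h
+++ b/squid-2.7.STABLE9.o/src/defines.h
@@ -93,6 +93,9 @@
 #define COMM_NONBLOCKING	0x01
 #define COMM_NOCLOEXEC		0x02
 #define COMM_REUSEADDR		0x04
+#if LINUX_NETFILTER
+#define COMM_TRANSPARENT	0x08
+#endif
 
 #define do_debug(SECTION, LEVEL) \
 	((_db_level = (LEVEL)) <= debugLevels[SECTION])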
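--- a/squid-2.7.STABLE9.o/src/forward.c
+++ b/squid-2.7.STABLE9.o/src/forward.c
@@ -40,9 +40,6 @@
 #include <linux/types.h>
 #include <linux/netfilter_ipv4.h>
 #endif
-#if LINUX_TPROXY
-#include <linux/netfilter_ipv4/ip_tproxy.h>
-#endif
 
 static PSC fwdStartComplete;
 static void fwdDispatch(FwdState *);
@@ -523,9 +520,7 @@
     int ftimeout = Config.Timeout.forward - (squid_curtime - fwdState->start);
     struct in_addr outgoing;
     unsigned short tos;
-#if LINUX_TPROXY
-    struct in_tproxy itp;
-#endif
+	int flags;
     int idle = -1;
 
     assert(fs);
@@ -576,9 +571,10 @@
 	fwdRestart(fwdState);
 	return;
     }
-#if LINUX_TPROXY
+#if LINUX_NETFILTER
     if (fd == -1 && fwdState->request->flags.tproxy)
 	fd = pconnPop(name, port, domain, &fwdState->request->client_addr, 0, NULL);
+	else
 #endif
     if (fd == -1) {
 	fd = pconnPop(name, port, domain, NULL, 0, &idle);
@@ -630,11 +626,21 @@
 
     debug(17, 3) ("fwdConnectStart: got addr %s, tos %d\n",
 	inet_ntoa(outgoing), tos);
+
+    flags = COMM_NONBLOCKING;
+#if LINUX_NETFILTER
+    if ((outgoing.s_addr == INADDR_ANY) && fwdState->request->flags.tproxy) {
+        outgoing = fwdState->request->client_addr;
+	flags |= COMM_TRANSPARENT;
+	debug(17,3)("fwdConnectStart: setting outgoing.s_addr=%08X (will set TRANSPARENT)\n",
+		outgoing.s_addr);
+    }
+#endif
     fd = comm_openex(SOCK_STREAM,
 	IPPROTO_TCP,
 	outgoing,
 	0,
-	COMM_NONBLOCKING,
+	flags,
 	tos,
 	url);
     if (fd < 0) {
@@ -667,32 +673,6 @@
     if (fs->peer) {
 	hierarchyNote(&fwdState->request->hier, fs->code, fs->peer->name);
     } else {
-#if LINUX_TPROXY
-	if (fwdState->request->flags.tproxy) {
-
-	    itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
-	    itp.v.addr.fport = 0;
-
-	    /* If these syscalls fail then we just fallback to connecting
-	     * normally by simply ignoring the errors...
-	     */
-	    itp.op = TPROXY_ASSIGN;
-	    if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
-		debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
-		    inet_ntoa(itp.v.addr.faddr),
-		    itp.v.addr.faddr.s_addr,
-		    itp.v.addr.fport);
-	    } else {
-		itp.op = TPROXY_FLAGS;
-		itp.v.flags = ITP_CONNECT;
-		if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
-		    debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT\n",
-			itp.v.addr.faddr.s_addr,
-			itp.v.addr.fport);
-		}
-	    }
-	}
-#endif
 	hierarchyNote(&fwdState->request->hier, fs->code, fwdState->request->host);
     }
     commConnectStart(fd, host, port, fwdConnectDone, fwdState);
@@ -953,7 +933,7 @@
     fwdState->start = squid_curtime;
     fwdState->orig_entry_flags = e->flags;
 
-#if LINUX_TPROXY
+#if LINUX_NETFILTER
     /* If we need to transparently proxy the request
      * then we need the client source address and port */
     fwdState->src.sin_family = AF_INET;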
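Review bot: In the block added before `comm_openex` (new lines 629-638), a tproxy request has `outgoing` replaced by the client's address, so the socket is bound to an address the host does not own. If IP_TRANSPARENT cannot be set, that bind presumably fails and the request errors out, whereas the removed IP_TPROXY code documented falling back to a normal connection. The new failure behaviour should be stated in a comment above the block, for example `/* TPROXY: bind to the client address; needs IP_TRANSPARENT, no fallback if it cannot be set */`. The `else` added in front of `#endif` (new line 577) turns the following `if (fd == -1)` into an else-branch only in netfilter builds, which is easy to misread without braces or a comment. The function body extends beyond these hunks.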
(-)squid-2.7.STABLE9.o/src/globals.h (-1 / +1 lines)
Lines 174-180 Link Here
174
#endif
174
#endif
175
extern int opt_send_signal;	/* -1 */
175
extern int opt_send_signal;	/* -1 */
176
extern int opt_no_daemon;	/* 0 */
176
extern int opt_no_daemon;	/* 0 */
177
#if LINUX_TPROXY
177
#if LINUX_NETFILTER
178
extern int need_linux_tproxy;	/* 0 */
178
extern int need_linux_tproxy;	/* 0 */
179
#endif
179
#endif
180
extern int opt_parse_cfg_only;	/* 0 */
180
extern int opt_parse_cfg_only;	/* 0 */
(-)squid-2.7.STABLE9.o/src/http.c (-1 / +1 lines)
Lines 816-822 Link Here
816
	keep_alive = 0;
816
	keep_alive = 0;
817
    if (keep_alive) {
817
    if (keep_alive) {
818
	int pinned = 0;
818
	int pinned = 0;
819
#if LINUX_TPROXY
819
#if LINUX_NETFILTER
820
	if (orig_request->flags.tproxy) {
820
	if (orig_request->flags.tproxy) {
821
	    client_addr = &httpState->request->client_addr;
821
	    client_addr = &httpState->request->client_addr;
822
	}
822
	}
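--- a/squid-2.7.STABLE9.o/src/ssl.c
+++ b/squid-2.7.STABLE9.o/src/ssl.c
@@ -497,6 +497,7 @@
     int fd = http->conn->fd;
     request_t *request = http->request;
     char *url = http->uri;
+	int flags;
     struct in_addr outgoing;
     unsigned long tos;
     /*
@@ -523,11 +524,17 @@
     outgoing = getOutgoingAddr(request);
     tos = getOutgoingTOS(request);
     /* Create socket. */
+	flags = COMM_NONBLOCKING;
+#if LINUX_NETFILTER
+	if (request->flags.tproxy)
+		flags |= COMM_TRANSPARENT;
+#endif
     sock = comm_openex(SOCK_STREAM,
 	IPPROTO_TCP,
 	outgoing,
 	0,
-	COMM_NONBLOCKING,
+	flags,
 	tos,
 	url);
     if (sock == COMM_ERROR) {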
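Review bot: The CONNECT path sets `COMM_TRANSPARENT` for tproxy requests but, unlike the forward.c change, never substitutes the client address for `outgoing`. With no configured outgoing address the tunnel socket is therefore marked transparent yet most likely still leaves from the proxy's own address. If the client source address is meant to be preserved here too, mirror forward.c with `if (outgoing.s_addr == INADDR_ANY && request->flags.tproxy) outgoing = request->client_addr;` before the `comm_openex` call; otherwise drop the flag and say so in a comment. The function starts before the first hunk and continues after the second, so an assignment outside the visible lines cannot be ruled out.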
(-)squid-2.7.STABLE9.o/src/structs.h (-2 / +3 lines)
Lines 371-377 Link Here
371
    int vport;			/* virtual port support */
371
    int vport;			/* virtual port support */
372
    int no_connection_auth;	/* Don't support connection oriented auth */
372
    int no_connection_auth;	/* Don't support connection oriented auth */
373
    unsigned int http11;	/* HTTP/1.1 support */
373
    unsigned int http11;	/* HTTP/1.1 support */
374
#if LINUX_TPROXY
374
#if LINUX_NETFILTER
375
    unsigned int tproxy;
375
    unsigned int tproxy;
376
#endif
376
#endif
377
    unsigned int act_as_origin;	/* Fake Date: headers in accelerator mode */
377
    unsigned int act_as_origin;	/* Fake Date: headers in accelerator mode */
Lines 921-926 Link Here
921
	unsigned int nodelay:1;
921
	unsigned int nodelay:1;
922
	unsigned int close_on_exec:1;
922
	unsigned int close_on_exec:1;
923
	unsigned int backoff:1;	/* keep track of whether the fd is backed off */
923
	unsigned int backoff:1;	/* keep track of whether the fd is backed off */
924
	unsigned int transparent:1;
924
    } flags;
925
    } flags;
925
    comm_pending read_pending;
926
    comm_pending read_pending;
926
    comm_pending write_pending;
927
    comm_pending write_pending;
Lines 1883-1889 Link Here
1883
    unsigned int no_connection_auth:1;	/* Connection oriented auth can not be supported */
1884
    unsigned int no_connection_auth:1;	/* Connection oriented auth can not be supported */
1884
    unsigned int pinned:1;	/* Request seont on a pinned connection */
1885
    unsigned int pinned:1;	/* Request seont on a pinned connection */
1885
    unsigned int auth_sent:1;	/* Authentication forwarded */
1886
    unsigned int auth_sent:1;	/* Authentication forwarded */
1886
#if LINUX_TPROXY
1887
#if LINUX_NETFILTER
1887
    unsigned int tproxy:1;
1888
    unsigned int tproxy:1;
1888
#endif
1889
#endif
1889
    unsigned int collapsed:1;	/* This request was collapsed. Don't trust the store entry to be valid */
1890
    unsigned int collapsed:1;	/* This request was collapsed. Don't trust the store entry to be valid */
(-)squid-2.7.STABLE9.o/src/tools.c (-6 / +5 lines)
Lines 1349-1355 Link Here
1349
#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && USE_LIBCAP
1349
#if HAVE_PRCTL && defined(PR_SET_KEEPCAPS) && USE_LIBCAP
1350
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
1350
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0)) {
1351
	/* Silent failure unless TPROXY is required. Maybe not started as root */
1351
	/* Silent failure unless TPROXY is required. Maybe not started as root */
1352
#if LINUX_TPROXY
1352
#if LINUX_NETFILTER
1353
	if (need_linux_tproxy)
1353
	if (need_linux_tproxy)
1354
	    debug(1, 1) ("Error - tproxy support requires capability setting which has failed.  Continuing without tproxy support\n");
1354
	    debug(1, 1) ("Error - tproxy support requires capability setting which has failed.  Continuing without tproxy support\n");
1355
	need_linux_tproxy = 0;
1355
	need_linux_tproxy = 0;
Lines 1368-1374 Link Here
1368
    else
1368
    else
1369
	caps = cap_init();
1369
	caps = cap_init();
1370
    if (!caps) {
1370
    if (!caps) {
1371
#if LINUX_TPROXY
1371
#if LINUX_NETFILTER
1372
	if (need_linux_tproxy)
1372
	if (need_linux_tproxy)
1373
	    debug(50, 1) ("Error enabling needed capabilities. Will continue without tproxy support\n");
1373
	    debug(50, 1) ("Error enabling needed capabilities. Will continue without tproxy support\n");
1374
	need_linux_tproxy = 0;
1374
	need_linux_tproxy = 0;
Lines 1378-1387 Link Here
1378
	int rc = 0;
1378
	int rc = 0;
1379
	cap_value_t cap_list[10];
1379
	cap_value_t cap_list[10];
1380
	cap_list[ncaps++] = CAP_NET_BIND_SERVICE;
1380
	cap_list[ncaps++] = CAP_NET_BIND_SERVICE;
1381
#if LINUX_TPROXY
1381
#if LINUX_NETFILTER
1382
	if (need_linux_tproxy) {
1382
	if (need_linux_tproxy) {
1383
	    cap_list[ncaps++] = CAP_NET_ADMIN;
1383
	    cap_list[ncaps++] = CAP_NET_ADMIN;
1384
	    cap_list[ncaps++] = CAP_NET_BROADCAST;
1385
	}
1384
	}
1386
#endif
1385
#endif
1387
	cap_clear_flag(caps, CAP_EFFECTIVE);
1386
	cap_clear_flag(caps, CAP_EFFECTIVE);
Lines 1389-1395 Link Here
1389
	rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET);
1388
	rc |= cap_set_flag(caps, CAP_PERMITTED, ncaps, cap_list, CAP_SET);
1390
	if (rc || cap_set_proc(caps) != 0) {
1389
	if (rc || cap_set_proc(caps) != 0) {
1391
	    /* Silent failure unless TPROXY is required */
1390
	    /* Silent failure unless TPROXY is required */
1392
#if LINUX_TPROXY
1391
#if LINUX_NETFILTER
1393
	    if (need_linux_tproxy)
1392
	    if (need_linux_tproxy)
1394
		debug(50, 1) ("Error enabling needed capabilities. Will continue without tproxy support\n");
1393
		debug(50, 1) ("Error enabling needed capabilities. Will continue without tproxy support\n");
1395
	    need_linux_tproxy = 0;
1394
	    need_linux_tproxy = 0;
Lines 1397-1403 Link Here
1397
	}
1396
	}
1398
    }
1397
    }
1399
#else /* !USE_LIBCAP */
1398
#else /* !USE_LIBCAP */
1400
#if LINUX_TPROXY
1399
#if LINUX_NETFILTER
1401
    if (need_linux_tproxy)
1400
    if (need_linux_tproxy)
1402
	debug(50, 1) ("Missing needed capability support. Will continue without tproxy support\n");
1401
	debug(50, 1) ("Missing needed capability support. Will continue without tproxy support\n");
1403
    need_linux_tproxy = 0;
1402
    need_linux_tproxy = 0;
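Review bot: With the guards switched from `LINUX_TPROXY` to `LINUX_NETFILTER`, every netfilter build that parses a `tproxy` port now adds `CAP_NET_ADMIN` to the capability list kept after root is dropped, and nothing at that line explains why so broad a capability is retained. A comment at `cap_list[ncaps++] = CAP_NET_ADMIN;` should record the reason, for example `/* IP_TRANSPARENT on new sockets requires CAP_NET_ADMIN */`. The "Will continue without tproxy support" messages are accurate only if every user of the port's tproxy setting also checks `need_linux_tproxy`, which the client_side.c listener hunk does not appear to do. The enclosing function starts and ends outside the hunks shown.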
