Hi,
Here is the second cut of the linux tproxy patch aiming for inclusion
with squid-2.5 branch. The diff is versus squid-2.5.STABLE1. Comments
are most welcome :)
The patch adds a new onoff config 'linux_tproxy' (if you configure with
--enable-linux-tproxy) which when set will spoof the source address of
outgoing server connections to be the same as the original client
address. To take advantage of this code you need Linux 2.4 with
netfilter and with the TPROXY patches installed from:
http://www.balabit.com/downloads/tproxy/linux-2.4/
There are four small nits with the code:
1. Server persistent connections are mutually exclusive with this patch.
This is because squid will use any connection to server X, but that
pre-existing connection may be spoofed from a different user's IP.
2. You must supply a tcp_outgoing_address in your squid.conf, this is
because of some deep magic in the Linux TCP/IP stack. If anyone would
like me to explain the reasons more thoroughly just ask.
3. Squid must run as root in order to do the connection spoofing bits.
4. I have not tested the autoconf stuff because both my debian and rh8
automakes and autoconfs (of varying versions) all failed for one
reason or another.
Anyone got any advice on what auto(conf|make) versions I should be
using? Would you accept patches to make it work on my version (if they
are correct of course)?
TODO:
o Fix server pconns.
o Port all changes to cvs HEAD branch.
o Attempt to fix connect(2) problem in kernel which requires bind(2) to
local address.
o Fix kernel space code so squid doesn't need to run as root.
o TPROXY as it is breaks end-to-end requirement of the internet, need
to develop a better API for controlling these features from
userspace.
Enjoy! :)
--
Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
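The pconn problem in nit 1 above is a pool-keying issue: if idle server connections are keyed only on the destination, a connection whose source address was spoofed to client A can be handed to a request from client B, and B's traffic then leaves with A's address. The following is an added illustration of that failure and of the obvious fix (including the spoofed local address in the pool key); it is a constructed Python model, not squid's pconn code, and the class and function names are my own.

```python
"""Model of a server persistent-connection pool under source-address spoofing.

Constructed example: it mimics the behaviour described in the mail, it is
not squid's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Conn:
    """One server-side connection."""
    local_addr: str          # address the socket was bound to (spoofed client IP)
    peer: tuple              # (server host, port)


class NaivePconnPool:
    """Idle connections keyed on destination only.

    This is the behaviour the mail warns about: any idle connection to
    server X is reused, whatever source address it was spoofed with.
    """

    def __init__(self):
        self.idle = defaultdict(list)

    def push(self, conn):
        self.idle[conn.peer].append(conn)

    def pop(self, peer, client_addr):
        if self.idle[peer]:
            return self.idle[peer].pop()
        return Conn(client_addr, peer)


class SpoofAwarePconnPool:
    """Idle connections keyed on (destination, local address).

    A connection is only reused by a request from the same client address
    it was spoofed as, so the source address on the wire always matches
    the client currently using it.
    """

    def __init__(self):
        self.idle = defaultdict(list)

    def push(self, conn):
        self.idle[(conn.peer, conn.local_addr)].append(conn)

    def pop(self, peer, client_addr):
        key = (peer, client_addr)
        if self.idle[key]:
            return self.idle[key].pop()
        return Conn(client_addr, peer)


def source_seen_by_server(pool_cls, first_client, second_client,
                          peer=("origin.example", 80)):
    """Simulate two clients in turn fetching from the same server.

    The first client's connection is returned to the pool idle, then the
    second client requests the same server.  Returns the source address
    the server sees on the second client's request.
    """
    pool = pool_cls()
    c1 = pool.pop(peer, first_client)     # spoofed as first_client
    pool.push(c1)                         # request done, connection idle
    c2 = pool.pop(peer, second_client)    # second client, same server
    return c2.local_addr


def leaks_other_clients_address(pool_cls):
    """True if the pool can send client B's traffic with client A's address.

    Sample client addresses are constructed for the illustration.
    """
    return source_seen_by_server(pool_cls, "10.0.0.1", "10.0.0.2") != "10.0.0.2"


if __name__ == "__main__":
    for cls in (NaivePconnPool, SpoofAwarePconnPool):
        print(cls.__name__, "leaks:", leaks_other_clients_address(cls))
```

With the naive pool the second client's request is sent from 10.0.0.1 rather than 10.0.0.2, which is exactly why the patch has to disable server pconns; keying the pool on the local address as well lets pconns stay on, at the cost of one idle pool per client address.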
This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:31 MST