[SQU] [PATCH] Squid 2.4.DEVEL4 on Linux 2.4 Transparent Proxy?

From: Evan Jones <ejones@dont-contact.us>
Date: Tue, 28 Nov 2000 10:40:32 -0500

Here is a message and a patch from a discussion I had with Adrian Chadd
<adrian@squid-cache.org> about Linux 2.4 Transparent Proxy support. Any
feedback would be appreciated.

On Thu, 23 Nov 2000, Adrian Chadd wrote:
> Is this a non-modified squid source? If it is, I can bounce this to
> the squid-dev list and get someone to look at it.

I'm a moron. The DNS lookup was failing because I had the following lines
in my squid.conf, from the Squid FAQ:

httpd_accel_host virtual
httpd_accel_port 80
httpd_accel_with_proxy on
httpd_accel_uses_host_header on

There is one other VERY important line:

httpd_accel_single_host off

Of course Squid was trying to rewrite any transparent proxy request to the
host "virtual". I feel stupid now. Can this be changed in the
FAQ/documentation somewhere? However, transparent proxying will only work
out of the box under Linux 2.4 with a Host header. To support clients that
do not provide it, you will need my attached patch.

About the patch:

- The change is made in client_side.c so the extra system call (getsockopt)
is only made if it is needed. The alternative is to change conn_accept and
make the extra system call on every request.
- I made the required changes to configure.in and include/autoconf.h.in to
implement the --enable-linux-netfilter command line switch. I think that
the test in configure.in should probably enable this option automatically
if it finds the required header file (linux/netfilter_ipv4.h), so that
anyone compiling Squid on Linux 2.4 (or with the Linux 2.4 kernel headers)
automatically gets a working transparent proxy. It should probably also
print a warning if it is being configured on Linux 2.4 without that header.
Unfortunately, I don't know enough about automake to do it.

Here is the patch:

diff -ur --minimal squid-2.4.DEVEL4.orig/configure.in
squid-2.4.DEVEL4/configure.in
--- squid-2.4.DEVEL4.orig/configure.in Tue Jul 18 02:16:19 2000
+++ squid-2.4.DEVEL4/configure.in Thu Nov 23 11:55:15 2000
@@ -584,6 +584,17 @@
   fi
 ])
 
+dnl Enable Linux Netfilter (2.4) Transparent Proxy
+AC_ARG_ENABLE(linux-netfilter,
+[ --enable-linux-netfilter
+ Enable Transparent Proxy support for Linux
2.4.],
+[ if test "$enableval" = "yes" ; then
+ echo "Linux-Netfilter Transparent Proxy enabled"
+ AC_DEFINE(LINUX_NETFILTER)
+ LINUX_NETFILTER="yes"
+ fi
+])
+
 dnl Enable Leak Finding Functions
 AC_ARG_ENABLE(leakfinder,
 [ --enable-leakfinder
@@ -798,6 +809,7 @@
         ip_nat.h \
         libc.h \
         limits.h \
+ linux/netfilter_ipv4.h \
         malloc.h \
         math.h \
         memory.h \
@@ -1255,6 +1267,26 @@
 if test "$IPF_TRANSPARENT" = "no" ; then
     echo "WARNING: Cannot find necessary IP-Filter header files"
     echo " Transparent Proxy support WILL NOT be enabled"
+ sleep 10
+fi
+
+dnl Linux-Netfilter support requires Linux 2.4 kernel header files.
+dnl Shamelessly copied from above
+if test "$LINUX_NETFILTER" ; then
+ AC_MSG_CHECKING(if Linux 2.4 kernel header files are installed)
+ # hold on to your hats...
+ if test "$ac_cv_header_linux_netfilter_ipv4_h" = "yes"; then
+ LINUX_NETFILTER="yes"
+ AC_DEFINE(LINUX_NETFILTER, 1)
+ else
+ LINUX_NETFILTER="no"
+ AC_DEFINE(LINUX_NETFILTER, 0)
+ fi
+ AC_MSG_RESULT($LINUX_NETFILTER)
+fi
+if test "$LINUX_NETFILTER" = "no" ; then
+ echo "WARNING: Cannot find necessary Linux 2.4 kernel header files"
+ echo " Linux 2.4 Transparent Proxy support WILL NOT be
enabled"
     sleep 10
 fi
 
diff -ur --minimal squid-2.4.DEVEL4.orig/include/autoconf.h.in
squid-2.4.DEVEL4/include/autoconf.h.in
--- squid-2.4.DEVEL4.orig/include/autoconf.h.in Tue Jul 18 02:16:39 2000
+++ squid-2.4.DEVEL4/include/autoconf.h.in Thu Nov 23 11:54:41 2000
@@ -229,6 +229,11 @@
 #undef IPF_TRANSPARENT
 
 /*
+ * Enable support for Transparent Proxy on Linux 2.4 systems
+ */
+#undef LINUX_NETFILTER
+
+/*
  * Enable code for assiting in finding memory leaks. Hacker stuff only.
  */
 #undef USE_LEAKFINDER
Only in squid-2.4.DEVEL4: index.html
Only in squid-2.4.DEVEL4: squid
Only in squid-2.4.DEVEL4: squid-2.4.DEVEL4.orig
Only in squid-2.4.DEVEL4/src: SciTE.properties
diff -ur --minimal squid-2.4.DEVEL4.orig/src/client_side.c
squid-2.4.DEVEL4/src/client_side.c
--- squid-2.4.DEVEL4.orig/src/client_side.c Tue Jul 18 02:16:41 2000
+++ squid-2.4.DEVEL4/src/client_side.c Thu Nov 23 11:59:27 2000
@@ -62,6 +62,9 @@
 #endif
 #endif
 
+#if LINUX_NETFILTER
+#include <linux/netfilter_ipv4.h>
+#endif
 
 
 #if LINGERING_CLOSE
@@ -2227,6 +2230,9 @@
     struct natlookup natLookup;
     static int natfd = -1;
 #endif
+#if LINUX_NETFILTER
+ size_t sock_sz = sizeof(conn->me);
+#endif
 
     if ((req_sz = headersEnd(conn->in.buf, conn->in.offset)) == 0) {
         debug(33, 5) ("Incomplete request, waiting for end of headers\n");
@@ -2402,6 +2408,11 @@
                     inet_ntoa(natLookup.nl_realip),
                     vport, url);
 #else
+#if LINUX_NETFILTER
+ /* If the call fails the address structure will be unchanged */
+ getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz );
+ debug(33, 5) ("parseHttpRequest: addr = %s",
inet_ntoa(conn->me.sin_addr) );
+#endif
             snprintf(http->uri, url_sz, "http://%s:%d%s",
                 inet_ntoa(http->conn->me.sin_addr),
                 vport, url);

-- 
Evan Jones - ejones@netwinder.org
Technology with Attitude - Rebel.com
--
To unsubscribe, see http://www.squid-cache.org/mailing-lists.html
Received on Tue Nov 28 2000 - 08:36:54 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:56:37 MST