Revision: 14249 Author: adrian.chadd Date: Sun Jul 26 21:46:32 2009 Log: Address Issue 48 - add an option to cache_peer to disable the tproxy source address spoofing.
http://code.google.com/p/lusca-cache/source/detail?r=14249 Modified: /branches/LUSCA_HEAD/src/cache_cf.c /branches/LUSCA_HEAD/src/cf.data.pre /branches/LUSCA_HEAD/src/forward.c /branches/LUSCA_HEAD/src/neighbors.c /branches/LUSCA_HEAD/src/structs.h ======================================= --- /branches/LUSCA_HEAD/src/cache_cf.c Wed Jul 22 07:37:20 2009 +++ /branches/LUSCA_HEAD/src/cache_cf.c Sun Jul 26 21:46:32 2009 @@ -1898,6 +1898,8 @@ p->idle = xatoi(token + 5); } else if (strcmp(token, "http11") == 0) { p->options.http11 = 1; + } else if (strcmp(token, "no-tproxy") == 0) { + p->options.no_tproxy = 1; } else { debug(3, 0) ("parse_peer: token='%s'\n", token); self_destruct(); ======================================= --- /branches/LUSCA_HEAD/src/cf.data.pre Wed Jul 22 07:37:20 2009 +++ /branches/LUSCA_HEAD/src/cf.data.pre Sun Jul 26 21:46:32 2009 @@ -1551,6 +1551,7 @@ connection-auth[=on|off|auto] idle=n http11 + no-tproxy use 'proxy-only' to specify objects fetched from this cache should not be saved locally. @@ -1798,6 +1799,10 @@ Note: The HTTP/1.1 support is still incomplete, with an internal HTTP/1.0 hop. As result 1xx responses will not be forwarded. + + Use 'no-tproxy' to not use the client-spoof TPROXY support + when forwarding requests; instead simply use the normal + source selection method (eg tcp_outgoing_addr.) DOC_END NAME: cache_peer_domain cache_host_domain ======================================= --- /branches/LUSCA_HEAD/src/forward.c Thu Jul 23 03:58:36 2009 +++ /branches/LUSCA_HEAD/src/forward.c Sun Jul 26 21:46:32 2009 
@@ -509,6 +509,14 @@ return aclMapTOS(Config.accessList.outgoing_tos, &ch); } +/* + * Create the outbound socket to the given forward server. + * + * This function handles the socket creation side of the forwarding process. + * It will look up the current TOS and outbound IP address to use. + * If the tproxy flag is set then TPROXY is attempted; the per-peer no-tproxy + * override is checked here. + */ static int fwdConnectCreateSocket(FwdState *fwdState, FwdServer *fs) { @@ -516,15 +524,19 @@ struct in_addr outgoing; unsigned short tos; const char *url = storeUrl(fwdState->entry); + int do_tproxy = 1; outgoing = getOutgoingAddr(fwdState->request); tos = getOutgoingTOS(fwdState->request); fwdState->request->out_ip = outgoing; + if (fwdState->servers && fwdState->servers->peer && fwdState->servers->peer->options.no_tproxy) + do_tproxy = 0; + debug(17, 3) ("fwdConnectStart: got addr %s, tos %d\n", inet_ntoa(outgoing), tos); /* If tproxy then try with the tproxy details. If this fails then retry w/ non-tproxy */ - if (fwdState->request->flags.tproxy) { + if (fwdState->request->flags.tproxy && do_tproxy) { fd = comm_open(SOCK_STREAM, IPPROTO_TCP, fwdState->src.sin_addr, 0, COMM_NONBLOCKING | COMM_TPROXY_REM, tos, url); } @@ -552,6 +564,7 @@ struct in_addr outgoing; unsigned short tos; int idle = -1; + int do_tproxy = 1; assert(fs); assert(fwdState->server_fd == -1); 
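Review bot: The new per-peer check at the top of fwdConnectCreateSocket reads `fwdState->servers->peer`, although the server being connected to is passed in as `fs`, and the matching check added in the pconnPop hunk later in forward.c uses `fs->peer`. If `fs` can ever differ from `fwdState->servers` (the hunk does not show whether it can), the spoofing decision here is made against a different peer than the one the socket is opened to, so the client source address could still be spoofed towards a peer configured with no-tproxy, or withheld from one that allows it. Using the parameter keeps both sites consistent: `if (fs && fs->peer && fs->peer->options.no_tproxy)` followed by `do_tproxy = 0;`. The body of fwdConnectCreateSocket continues past the end of this hunk.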
@@ -601,7 +614,15 @@
 fwdRestart(fwdState);
 return;
 }
- if (fd == -1 && fwdState->request->flags.tproxy)
+
+ /*
+ * Check whether an idle pconn exists for this given host.
+ * If the current forward server is a peer then make sure the peer
+ * allows tproxy or we don't bother doing the tproxy-based lookup.
+ */
+ if (fs->peer && fs->peer->options.no_tproxy)
+ do_tproxy = 0;
+ if (fd == -1 && fwdState->request->flags.tproxy && do_tproxy)
 fd = pconnPop(name, port, domain, &fwdState->request->client_addr, 0, NULL);
 if (fd == -1) {
 fd = pconnPop(name, port, domain, NULL, 0, &idle);
=======================================
--- /branches/LUSCA_HEAD/src/neighbors.c Fri Apr 10 09:16:52 2009
+++ /branches/LUSCA_HEAD/src/neighbors.c Sun Jul 26 21:46:32 2009
@@ -1363,6 +1363,9 @@
 else
 storeAppendPrintf(sentry, " monitorsize=%d", p->monitor.min);
 }
+ if (p->options.no_tproxy)
+ storeAppendPrintf(sentry, " no-tproxy");
+
 if (p->domain)
 storeAppendPrintf(sentry, " forceddomain=%s", p->domain);
 if (p->connect_fail_limit != PEER_TCP_MAGIC_COUNT)
=======================================
--- /branches/LUSCA_HEAD/src/structs.h Wed Jul 22 07:37:20 2009
+++ /branches/LUSCA_HEAD/src/structs.h Sun Jul 26 21:46:32 2009
@@ -1248,6 +1248,7 @@
 unsigned int sourcehash:1;
 unsigned int carp:1;
 unsigned int http11:1; /* HTTP/1.1 support */
+ unsigned int no_tproxy:1;
 } options;
 int weight;
 struct {
--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "lusca-commit" group. To post to this group, send email to [email protected] To unsubscribe from this group, send email to [email protected] For more options, visit this group at http://groups.google.com/group/lusca-commit?hl=en -~----------~----~----~----~------~----~------~--~---
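Review bot: The "does this peer permit TPROXY spoofing" predicate is now written out twice in forward.c, once here before the pconnPop lookup and once in fwdConnectCreateSocket, with different operands (`fs->peer` here, `fwdState->servers->peer` there); a single small static helper taking a `const FwdServer *` and returning whether `fs && fs->peer && fs->peer->options.no_tproxy` is false would give both call sites one definition, so a future change to the rule cannot leave the pconn lookup and the socket creation disagreeing about whether the client address is spoofed. The condition here would then read `if (fd == -1 && fwdState->request->flags.tproxy && fwdServerAllowsTproxy(fs))` and the separate `do_tproxy` local becomes unnecessary. The new comment block also opens by describing the pconn lookup although the two lines that follow it are the peer check, so either the comment should be split or the peer check moved above it. The enclosing function starts outside this hunk, as does the `int do_tproxy = 1;` declaration it relies on.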
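Review bot: The new `no_tproxy` bit in the peer `options` struct is the only flag in the visible group whose meaning is not stated, while the neighbouring `http11` carries a trailing comment; since the flag controls whether the client's source address is spoofed towards this peer, a one-line comment keeps that security-relevant intent next to the field: `unsigned int no_tproxy:1; /* never spoof the client source address (TPROXY) towards this peer */`. The struct definition begins and ends outside this hunk.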
