On 13-05-06 11:18 AM, Marc Branchaud wrote:
> On 13-05-04 07:03 PM, Bruno Araújo wrote:
>> Hi,
>>
>> How can I use TS as transparent proxy, like squid tproxy, on a FreeBSD
>> bridge QoS?
>
> Our solution is likely to not work for anyone else, but I'll describe it
> anyway just in case.
>
> We use a custom (and older) FreeBSD kernel that we've hacked to allow bind()
> to spoof IP addresses without privileges.
>
> To get transparent TS in our environment, I taught the build a
> --tproxy=nosockopt which enables transparent proxying without trying to
> setsockopt(IP_TRANSPARENT). I can make this patch available if you like.
> Conceivably this might allow you to have transparent TS if you run it as
> root, but I haven't tried that.
Bruno expressed an interest in trying this, so here's the patch.
(Is there a preferred way to exchange such patches? I'm not familiar with
TS, or Apache, policies...)
M.
diff --git a/configure.ac b/configure.ac
index e6a595b..01727f8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1271,6 +1271,9 @@ tproxy_usage_default="
tproxy_usage_numeric="
--enable-tproxy=X where X is numeric
Enable, use X for sockopt value, no validation."
+tproxy_usage_nosockopt="
+ --enable-tproxy=nosockopt
+ Enable without setting a sockopt value, no validation."
tproxy_usage_disable="
--disable-tproxy Disable feature, no validation."
proxy_usage="$tproxy_usage_enable$tproxy_usage_default$tproxy_usage_numeric$tproxy_usage_disable"
@@ -1278,11 +1281,19 @@ proxy_usage="$tproxy_usage_enable$tproxy_usage_default$tproxy_usage_numeric$tpro
AC_MSG_CHECKING([whether to enable transparent proxy])
AS_IF([test "x$enable_tproxy" != "xno"], [
AS_IF([test "$use_posix_cap" -eq 0], [
- AS_IF([test "x$enable_tproxy" = xauto], [
- AC_MSG_RESULT([no])
- ],[
- AC_MSG_FAILURE([TPROXY feature requires POSIX capabilities.])
- ])
+ case "$enable_tproxy" in
+ nosockopt)
+ ip_transparent=-1
+ use_tproxy=2
+ AC_MSG_RESULT([enabled without socket option])
+ ;;
+ auto)
+ AC_MSG_RESULT([no])
+ ;;
+ *)
+ AC_MSG_FAILURE([tproxy feature either requires POSIX capabilities, or may be explicitly set with$tproxy_usage_nosockopt])
+ ;;
+ esac
],[
AC_MSG_CHECKING([for TPROXY sockopt IP_TRANSPARENT])
case "$enable_tproxy" in
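Review bot: The new `nosockopt)` arm only runs inside the `use_posix_cap -eq 0` branch, so on a host where POSIX capabilities were detected `--enable-tproxy=nosockopt` falls through to the IP_TRANSPARENT probe at the bottom of the hunk, whose `case "$enable_tproxy"` continues outside it and does not visibly handle that value; the option's effect then depends on whether libcap was found rather than on what was requested. Consider testing for `nosockopt` before the capability check so both paths set `use_tproxy=2` and `ip_transparent=-1`. The help text added in the first hunk should also say what the build then relies on, since the proxy makes no privilege check of its own in this mode: `Enable without setting a sockopt value; the kernel must allow this process to bind() foreign addresses. No validation.`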
diff --git a/iocore/net/Connection.cc b/iocore/net/Connection.cc
index 47e0728..3551804 100644
--- a/iocore/net/Connection.cc
+++ b/iocore/net/Connection.cc
@@ -241,12 +241,14 @@ Server::setup_fd_for_listen(
if (transparent) {
#if TS_USE_TPROXY
+# if TS_USE_TPROXY == 1
int transparent_value = 1;
Debug("http_tproxy", "Listen port inbound transparency enabled.\n");
if (setsockopt(fd, SOL_IP, TS_IP_TRANSPARENT, &transparent_value, sizeof(transparent_value)) == -1) {
Error("[Server::setup_fd_for_listen] Unable to set transparent socket option [%d] %s\n", errno, strerror(errno));
_exit(1);
}
+# endif // TS_USE_TPROXY == 1
#else
Error("[Server::setup_fd_for_listen] Transparency requested but TPROXY not configured\n");
#endif
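Review bot: With `TS_USE_TPROXY` at any value other than 1 the `if (transparent)` branch is now empty, so a nosockopt build neither sets the option nor logs that inbound transparency was requested and is being left to the kernel; I would pair the new inner guard with `# else` followed by `Debug("http_tproxy", "Listen port inbound transparency enabled; no socket option set.\n");` before the `# endif`. The same silent branch appears in Server::listen in the next hunk, in Connection::open in UnixConnection.cc, and in LocalManager::bindProxyPort. I also cannot see from this patch how `TS_USE_TPROXY` receives the value 2 from configure's `use_tproxy=2`; if the generated header still defines it as 1 for every enabled build, the guard has no effect. setup_fd_for_listen's body continues outside the hunk.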
@@ -361,12 +363,14 @@ Server::listen(bool non_blocking, int recv_bufsize, int send_bufsize, bool trans
if (transparent) {
#if TS_USE_TPROXY
+# if TS_USE_TPROXY == 1
int transparent_value = 1;
Debug("http_tproxy", "Listen port inbound transparency enabled.\n");
if (setsockopt(fd, SOL_IP, TS_IP_TRANSPARENT, &transparent_value, sizeof(transparent_value)) == -1) {
Error("[Server::listen] Unable to set transparent socket option [%d] %s\n", errno, strerror(errno));
_exit(1);
}
+# endif // TS_USE_TPROXY == 1
#else
Error("[Server::listen] Transparency requested but TPROXY not configured\n");
#endif
diff --git a/iocore/net/UnixConnection.cc b/iocore/net/UnixConnection.cc
index e0df92d..293efbe 100644
--- a/iocore/net/UnixConnection.cc
+++ b/iocore/net/UnixConnection.cc
@@ -256,8 +256,9 @@ Connection::open(NetVCOptions const& opt)
return -errno;
if (NetVCOptions::FOREIGN_ADDR == opt.addr_binding) {
- static char const * const DEBUG_TEXT = "::open setsockopt() IP_TRANSPARENT";
#if TS_USE_TPROXY
+# if TS_USE_TPROXY == 1
+ static char const * const DEBUG_TEXT = "::open setsockopt() IP_TRANSPARENT";
int value = 1;
if (-1 == safe_setsockopt(fd, SOL_IP, TS_IP_TRANSPARENT,
reinterpret_cast<char*>(&value), sizeof(value)
@@ -267,8 +268,9 @@ Connection::open(NetVCOptions const& opt)
} else {
Debug("socket", "%s set", DEBUG_TEXT);
}
+# endif // TS_USE_TPROXY == 1
#else
- Debug("socket", "%s - requested but TPROXY not configured", DEBUG_TEXT);
+ Debug("socket", "Transparency requested but TPROXY not configured");
#endif
}
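Review bot: The replacement message on the `#else` path no longer identifies the emitting function, while the other TPROXY messages in this patch carry a `[Server::listen]`/`[bindProxyPort]` prefix and the old text had `::open`. Since `DEBUG_TEXT` now exists only under the `== 1` guard, keep the context inline: `Debug("socket", "::open Transparency requested but TPROXY not configured");`. Connection::open continues outside the hunk.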
diff --git a/mgmt/LocalManager.cc b/mgmt/LocalManager.cc
index 7c5fb9e..852296b 100644
--- a/mgmt/LocalManager.cc
+++ b/mgmt/LocalManager.cc
@@ -1223,11 +1223,13 @@ LocalManager::bindProxyPort(HttpProxyPort& port)
if (port.m_inbound_transparent_p) {
#if TS_USE_TPROXY
+# if TS_USE_TPROXY == 1
Debug("http_tproxy", "Listen port %d inbound transparency enabled.\n", port.m_port);
if (setsockopt(port.m_fd, SOL_IP, TS_IP_TRANSPARENT, &one, sizeof(one)) == -1) {
mgmt_elog(stderr, "[bindProxyPort] Unable to set transparent socket option [%d] %s\n", errno, strerror(errno));
_exit(1);
}
+# endif // TS_USE_TPROXY == 1
#else
Debug("lm", "[bindProxyPort] Transparency requested but TPROXY not configured\n");
#endif