Re: TPROXY support in Squid 3

Mon, 07 Apr 2008 22:59:54 -0700 

Adrian Chadd wrote:

On Mon, Apr 07, 2008, Amos Jeffries wrote:


We have come up with a 'final-beta' patch for squid-3 now.
http://treenet.co.nz/projects/squid/patches/tproxy-squid-3_20080407.patch
Just waiting on Laszlo final approval.

It's pretty much:

 * adding a COMM_TRANSPARENT flag to comm_openex(...)


This is the only thing I'm a bit weird on. This means that the same flag
to TPROXY is used for outgoing sockets and incoming sockets?
The sockets open either as listening (needs IP_TRANSPARENT option set for the OS to track new inbound connections as TPROXY targets etc.)
Or as outbound spoofed connects (needs IP_TRANSPARENT option set for the OS to track the connection for special TPROXY handling.)
Both need the sockopt set in the same manner on connect. Sequence matters for one, but not the other. So its done the same way for both and in sequence where it handles both nicely. 



I'm thinking about seperating them just to make it absolutely clear -
it doesn't matter that the backend sends the same sockopt and calls the same
bind().


Make what clear? that is a socket involved with transparent handling?
Thats all the information that is needed by squid to operate well.
It's simpler to keep it in squid as a boolean flag. Tri-states can get messy. Especially in squid case where we already have the non-transparent intercept handling for non-tproxy methods intertwined at higher levels. 

Keep-it-simple and all that.



I don't think it matters in the FreeBSD case either as I'm pretty sure
the patch I have here uses the same flag for incoming and outgoing sockets.

What do you (and others) think?
I think we need to clean up the two flags floating around squid rather than adding more state. 

Currently:
  fde::flags::transparent == 'intercept/non-intercept'
  fde::flags::tproxy == real-transparent/non-transparent
  (new) COMM_TRANSPARENT == real-transparent
Their use is currently good for what they do. A small re-naming is all that is needed there. I'm thinking flags::intercept and flags::realtransparent. 

Amos
--
Please use Squid 2.6.STABLE19 or 3.0.STABLE4

Reply via email to