I'd like to propose the attached patch, to rename the build option --enable-linux-netfilter to --enable-nf-transparent. This is for 2 reasons:
1. It is consistent with the remainder of the transparent proxy options (ipfw-transparent, ipf-transparent, pf-transparent). 2. It causes less confusion with my proposed netfilter marking patch, which also relies on netfilter libraries, but different ones. --enable-linux-netfilter implies that the whole of the netfilter libraries is being included, when in fact only one of them is, for the purposes of transparent proxying. Netfilter marking patch to follow soon... Regards, Andy
# Bazaar merge directive format 2 (Bazaar 0.90) # revision_id: a...@andybev.com-20100731220533-vfdiehk6tplxcpio # target_branch: file:///home/andrew/squid-repo/trunk/ # testament_sha1: feb94d9d6fa4acfcb0d195c816049f70d0c466a6 # timestamp: 2010-07-31 23:05:40 +0100 # base_revision_id: squ...@treenet.co.nz-20100731141830-\ # 60bm8quxdd78f5rz # # Begin patch === modified file 'configure.in' --- configure.in 2010-07-31 14:18:30 +0000 +++ configure.in 2010-07-31 22:05:33 +0000 @@ -1302,14 +1302,19 @@ #will be AC_DEFINEd later, after checking for appropriate infrastructure AC_MSG_NOTICE([PF-based transparent proxying requested: ${enable_pf_transparent:=auto}]) +# Tell people the enable-linux-netfilter option has been renamed +AC_ARG_ENABLE(linux-netfilter, , [ + AC_MSG_ERROR(--enable-linux-netfilter has been renamed to --enable-nf-transparent.) +]) + # Linux Netfilter Transparent Proxy -AC_ARG_ENABLE(linux-netfilter, - AS_HELP_STRING([--enable-linux-netfilter], +AC_ARG_ENABLE(nf-transparent, + AS_HELP_STRING([--enable-nf-transparent], [Enable Transparent Proxy support for Linux (Netfilter)]), [ SQUID_YESNO([$enableval], - [unrecognized argument to --enable-linux-netfilter: $enableval]) + [unrecognized argument to --enable-nf-transparent: $enableval]) ]) -AC_MSG_NOTICE([Linux Netfilter support requested: ${enable_linux_netfilter:=auto}]) +AC_MSG_NOTICE([Netfilter based transparent proxying requested: ${enable_nf_transparent:=auto}]) #will be AC_DEFINEd later, after checking for appropriate infrastructure dnl Enable Large file support 
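Review bot: The compatibility stub's `AC_MSG_ERROR(...)` argument is unquoted, and its message names only the `--enable` spelling although the action-if-given branch of `AC_ARG_ENABLE(linux-netfilter, , [...])` also runs for `--disable-linux-netfilter`. Failing hard is the right behaviour: the new option defaults to `auto` (`${enable_nf_transparent:=auto}`), so an old `--disable-linux-netfilter` that configure merely warned about would leave interception support to be built in whenever the headers are found. I would quote the message and cover both spellings, e.g. `AC_MSG_ERROR([--enable/--disable-linux-netfilter has been renamed to --enable/--disable-nf-transparent])`.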
@@ -3116,25 +3121,25 @@ SQUID_DEFINE_BOOL(PF_TRANSPARENT,$enable_pf_transparent, [Enable support for PF-style transparent proxying]) -if test "$enable_linux_netfilter" != "no" ; then +if test "$enable_nf_transparent" != "no" ; then if test "$ac_cv_header_linux_netfilter_ipv4_h" = "yes"; then - if test "$enable_linux_netfilter" = "auto" ; then - enable_linux_netfilter=yes + if test "$enable_nf_transparent" = "auto" ; then + enable_nf_transparent=yes fi else - if test "$enable_linux_netfilter" = "auto" ; then - enable_linux_netfilter=no + if test "$enable_nf_transparent" = "auto" ; then + enable_nf_transparent=no else - AC_MSG_ERROR([Linux Netfilter support requested but needed headers not found]) + AC_MSG_ERROR([Netfilter based transparent proxying requested but needed headers not found]) fi fi fi -SQUID_DEFINE_BOOL(LINUX_NETFILTER,$enable_linux_netfilter, +SQUID_DEFINE_BOOL(NF_TRANSPARENT,$enable_nf_transparent, [Enable support for Transparent Proxy on Linux via Netfilter]) dnl Netfilter TPROXY depends on libcap but the NAT parts can still work. -AC_MSG_NOTICE([Support for Netfilter-based interception proxy requested: $enable_linux_netfilter]) -if test "$enable_linux_netfilter" = "yes" && test "$use_libcap" != "yes" ; then +AC_MSG_NOTICE([Support for Netfilter-based interception proxy requested: $enable_nf_transparent]) +if test "$enable_nf_transparent" = "yes" && test "$use_libcap" != "yes" ; then AC_MSG_WARN([Missing needed capabilities (libcap or libcap2) for TPROXY]) AC_MSG_WARN([Linux Transparent Proxy support WILL NOT be enabled]) AC_MSG_WARN([Reduced support to Interception Proxy]) === modified file 'src/cf.data.pre' --- src/cf.data.pre 2010-07-29 13:04:44 +0000 +++ src/cf.data.pre 2010-07-31 22:05:33 +0000 
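Review bot: Renaming the define in `SQUID_DEFINE_BOOL(NF_TRANSPARENT,$enable_nf_transparent, ...)` means any `#if LINUX_NETFILTER` this patch does not touch will evaluate to 0 and compile its code out with no build error. The patch updates forward.cc, ip/Intercept.cc, ip/Intercept.h, structs.h and cf.data.pre, but the rest of the tree is not visible here, so a tree-wide search for `LINUX_NETFILTER` should confirm nothing else still tests the old name. The new name also differs from `PF_TRANSPARENT` by a single letter and sits beside it in the `NatLookup` condition, so I would add a comment above the define such as `dnl NF_TRANSPARENT: Linux Netfilter NAT/TPROXY interception (formerly LINUX_NETFILTER)` to help readers and anyone grepping for the old macro.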
@@ -904,7 +904,7 @@ NAME: tproxy_uses_indirect_client COMMENT: on|off TYPE: onoff -IFDEF: FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER +IFDEF: FOLLOW_X_FORWARDED_FOR&&NF_TRANSPARENT DEFAULT: off LOC: Config.onoff.tproxy_uses_indirect_client DOC_START === modified file 'src/cf_gen_defines' --- src/cf_gen_defines 2010-05-25 11:12:20 +0000 +++ src/cf_gen_defines 2010-07-31 22:05:33 +0000 @@ -9,7 +9,7 @@ define["FOLLOW_X_FORWARDED_FOR"]="--enable-follow-x-forwarded-for" define["FOLLOW_X_FORWARDED_FOR&&DELAY_POOLS"]="--enable-follow-x-forwarded-for and --enable-delay-pools" define["FOLLOW_X_FORWARDED_FOR&&ICAP_CLIENT"]="--enable-follow-x-forwarded-for and --enable-icap-client" - define["FOLLOW_X_FORWARDED_FOR&&LINUX_NETFILTER"]="--enable-follow-x-forwarded-for and --enable-linux-netfilter" + define["FOLLOW_X_FORWARDED_FOR&&NF_TRANSPARENT"]="--enable-follow-x-forwarded-for and --enable-nf-transparent" define["HTTP_VIOLATIONS"]="--enable-http-violations" define["ICAP_CLIENT"]="--enable-icap-client" define["SQUID_SNMP"]="--enable-snmp" === modified file 'src/forward.cc' --- src/forward.cc 2010-07-13 16:49:48 +0000 +++ src/forward.cc 2010-07-31 22:05:33 +0000 @@ -1347,7 +1347,7 @@ { if (request && request->flags.spoof_client_ip) { if (!dst_peer || !dst_peer->options.no_tproxy) { -#if FOLLOW_X_FORWARDED_FOR && LINUX_NETFILTER +#if FOLLOW_X_FORWARDED_FOR && NF_TRANSPARENT if (Config.onoff.tproxy_uses_indirect_client) return request->indirect_client_addr; else === modified file 'src/ip/Intercept.cc' --- src/ip/Intercept.cc 2010-07-25 08:10:12 +0000 +++ src/ip/Intercept.cc 2010-07-31 22:05:33 +0000 @@ -86,7 +86,7 @@ #endif /* HAVE_NET_PFVAR_H */ #endif /* PF_TRANSPARENT required headers */ -#if LINUX_NETFILTER +#if NF_TRANSPARENT #include <linux/netfilter_ipv4.h> #endif 
@@ -114,7 +114,7 @@ int Ip::Intercept::NetfilterInterception(int fd, const Ip::Address &me, Ip::Address &dst, int silent) { -#if LINUX_NETFILTER +#if NF_TRANSPARENT struct addrinfo *lookup = NULL; dst.GetAddrInfo(lookup,AF_INET); @@ -145,7 +145,7 @@ int Ip::Intercept::NetfilterTransparent(int fd, const Ip::Address &me, Ip::Address &client, int silent) { -#if LINUX_NETFILTER +#if NF_TRANSPARENT /* Trust the user configured properly. If not no harm done. * We will simply attempt a bind outgoing on our own IP. @@ -349,11 +349,11 @@ int Ip::Intercept::NatLookup(int fd, const Ip::Address &me, const Ip::Address &peer, Ip::Address &client, Ip::Address &dst) { - /* --enable-linux-netfilter */ + /* --enable-nf-transparent */ /* --enable-ipfw-transparent */ /* --enable-ipf-transparent */ /* --enable-pf-transparent */ -#if IPF_TRANSPARENT || LINUX_NETFILTER || IPFW_TRANSPARENT || PF_TRANSPARENT +#if IPF_TRANSPARENT || NF_TRANSPARENT || IPFW_TRANSPARENT || PF_TRANSPARENT client = me; dst = peer; === modified file 'src/ip/Intercept.h' --- src/ip/Intercept.h 2010-05-02 19:32:42 +0000 +++ src/ip/Intercept.h 2010-07-31 22:05:33 +0000 @@ -170,7 +170,7 @@ time_t last_reported; /**< Time of last error report. Throttles NAT error display to 1 per minute */ }; -#if LINUX_NETFILTER && !defined(IP_TRANSPARENT) +#if NF_TRANSPARENT && !defined(IP_TRANSPARENT) /// \ingroup IpInterceptAPI #define IP_TRANSPARENT 19 #endif === modified file 'src/structs.h' --- src/structs.h 2010-07-29 13:04:44 +0000 +++ src/structs.h 2010-07-31 22:05:33 +0000 @@ -432,7 +432,7 @@ int acl_uses_indirect_client; int delay_pool_uses_indirect_client; int log_uses_indirect_client; -#if LINUX_NETFILTER +#if NF_TRANSPARENT int tproxy_uses_indirect_client; #endif #endif /* FOLLOW_X_FORWARDED_FOR */ === modified file 'test-suite/buildtests/layer-01-minimal.opts' --- test-suite/buildtests/layer-01-minimal.opts 2010-04-20 15:37:43 +0000 +++ test-suite/buildtests/layer-01-minimal.opts 2010-07-31 22:05:33 +0000 
@@ -62,7 +62,7 @@ --disable-ipfw-transparent \ --disable-ipf-transparent \ --disable-pf-transparent \ - --disable-linux-netfilter \ + --disable-nf-transparent \ --disable-linux-tproxy \ --disable-leakfinder \ --disable-follow-x-forwarded-for \ === modified file 'test-suite/buildtests/os-debian.opts' --- test-suite/buildtests/os-debian.opts 2010-04-23 14:34:23 +0000 +++ test-suite/buildtests/os-debian.opts 2010-07-31 22:05:33 +0000 @@ -46,7 +46,7 @@ --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \ --with-filedescriptors=65536 \ --enable-epoll \ - --enable-linux-netfilter \ + --enable-nf-transparent \ " # Debian for some reason builds using explicit 'cc' instead of 'gcc' or automatic === modified file 'test-suite/buildtests/os-ubuntu.opts' --- test-suite/buildtests/os-ubuntu.opts 2010-04-23 14:34:23 +0000 +++ test-suite/buildtests/os-ubuntu.opts 2010-07-31 22:05:33 +0000 
@@ -45,7 +45,7 @@ --enable-external-acl-helpers="ip_user,ldap_group,session,unix_group,wbinfo_group" \ --with-filedescriptors=65536 \ --enable-epoll \ - --enable-linux-netfilter \ + --enable-nf-transparent \ " # Ubuntu for some reason built using 'cc' instead of gcc # Begin bundle IyBCYXphYXIgcmV2aXNpb24gYnVuZGxlIHY0CiMKQlpoOTFBWSZTWc4qNAIAB8rfgHAwfXf//3/n /s6////+YAzu+bLa2t9rFAAAABmHstHK02M62tBDbRW4SKTImqbNU9NoKfpojU0ZlGTCepoaABpo 0aANAkpSe0GqflT0j0myCBoGgBGAaADRGAAOMmTRoDRpiMjQxDAmjTEGI0GEABg00QKnkjQ0ekDN E9QAAANAAAAAEUpo00mITRPTRPEp4JH6FNMTQaMg09QGJkehAkiAgAI1NCno0wgTUNpDT0gABoaA 0JVpVkBUBMFTyStxzWZZ59Gt7LNjJdJRG1D5dXTNPHPEXkkojWNwrdwcNnkOZSDMDerWGRA+dUHQ ymVU9FE7JRjq8jiHIBKzgue50+lr2XNK6Eq0pOdKzvlEtaVrRhRo2PdOys7wE6+1hdR6YI9iPNdX ynhz8ufWSEe4RfENtDYNpNoG2MbG27egQqbK7MmNCxNJ9mDseZchVDFIzqkiIF5QliIEPInKmE6C LNC+dBweHFxmMGV6q4yZQpR6waUYM8zRVSxi4sndQftrKfros64GZhD8vv241HKzdIfMzMRLqvwz VotBEbIkBH2zkMf1q0kjIM3BF/0hfZc54LknD3r2aTbK2rhFECJJTIi6RKlrMk9agq4khEYSqQa+ AjHL1RYndKWqPMEV9zq5gURhAzCGPYB0DRMQdqa1EB5fb65vUTs+iuvFzQ5NcNBuU3OW/5YzDWKe qm2KZ1VmbSzCRSBUIiIYQFQUMFQDNGgk358MiggAtIZVqIVNsZdBl/Z0CklqCrz0DQVYKP7hj7SS YVmEwig3ge4+HwEY2AKR8XuaD4LAdFfuQbmVzYYOnwp8K/HBUVFg/6/b5+cS3LMS4TObDOV2wpEK TFYzIwoYNoCDIslKdleMbKQ2QFtCRBAzW4gAKlO45jbtrRCxxKuQsFZUqK45lISPn+RMqnHPIWxe YWFDS4BWMQJbVkMmHLWByCTEkCHL3O4xKUsSag4VLxF6YuVpzHYzMCYRJFS47zG0lOuBgVLDEjUc FF0hfStJAlcEQxCUi6IrEml9k90TIoQV+UbDuOXTI+uaUxuNh0oQS2uIxzkZhwRHkOX4PEbJj90J sgXaxs2sZlMdp7dISpKccbLFAYkwZM/AmvgpFg5E1Oma5gmmDKSaZuOnMiR7d8K0xKa2Cywa8K5D lTCLUTmR28EYFAs1+axZxuIHWCY3EcjmSNdDpZf17yK9qOZHtI5Z7ohsnyYpqM0p8PCkawhByAkK FIoAtBhijinCTxZAoHpS4JigLSgUFaXFmQRnpZ2mVjldy85kJyLzOLjSLmH0Buu2UyZLoAwxaaFf A68kUQug3kFxgNLQvp5ZkLKT0XOWbNzlB+ReJwFq1ZBUYoWi8yo5aFHGcBME6uK0krRr6OK5nsAU HhYTT6OYZRGuLhSImZg5IvMu2JG1znInljeVeBkVXrS6zNFRzoUNi4zOhqaEz7uEreRaTs2w0dpE zRQ1GHBb9j63A0i0HIgPb2XjhPY50GKHiYlC6nnecy2Qd92hEvYtEyiwxzp1YSJkiebESmY8cnZR vSOQMFt5EvMDLIyMj7j0C7D3pX557X2xfHV3cmNRxya7zTM2eVHXF0RivkhoAMAmIMbj8pKc53jE 
oHcSiS9MJFpkZlC4iMRGLsjE4Jl4cdMy8v9WmweAvM9JaXPtls40cmd5TXrGCZg4t4G6mD9NK1Oo sJjFpncWQGxDCITbChMgVH4nS3g2LDuL9bSpoYELTFgXovHMOAewsMC0eZM5HqOVwCxORnyu5M8X aAQUi4IGxJxEihiTKykw4wJeqhiVWZcRgUIGasNA59lpM5SBYkTgwNBjx4MSZ78xdetkA1vuaBq0 GpALcyOo5BUJbpDjusSJv4/MKpeT7oG9QceJabFxefNQqam1BjswKFRi81OLrurE226CgXHBYWyM BzY1DYgF54BIoT21oYW2wvzd+yLTAdKlWoMXFSJMJ0HHIGww4dUSyL2mBttc7+gzVUtxZDmN7QIh AtGHNzIkORBYblpwbllpAzND0XdTfzjLJBJxwwbG574tyC9MkRgCcJ4zNIuCCeh5EeZIZ729d2+G w2202wZ2YZxEINTNtttDbGJvtSLOURs76Dz/Jc9DtT2Gg0dtR5he59wvwJ6L7YiIAhYhj1Fnon7S scjzTrm+w/Myf20g9tCQsG9QujA4rBzzYhIhtO4K/Se/RvTyH6Xnd4yHfc2AQZ6J+8EXSsNIsxe0 tuxb8amCGWgxdAuFIlErE0C4MMAGQcQGqr4B4lRJNXiSJGJhEJUPn+YLHkUibZhC9Mnr/2nSVbRi 2ukGutVyCJLbwCO24OC31zK7BqsGNDBgLe55gRJA1xnCYCJISOQ8ZIGkZGcZFujDYN86iUtaeAwH NyGSlYYkoTziwVqxMWSwPQZS78kfN9z5vyyi6HXJt3ec0qQJP4fFBmiUV+rCFIJGLeJ0sJdVVgpT HmQem0uW2ZajyyYvFYeZgwixbVk0hxnjhmcSmE7jEL40LtsvlQwvRjyY7yYlNJAqByx0kNDIaULx Uu8kIqLGeFYLQ42JQjqcuhM2GN7CZ1HQmQNzqFM595f9gqzSy3WqXL1sM3Q8O1xMkzYlyMmELspV veAtzELcE8cxiB4mQWoGvdzqrRrXBwmF0iKbhjAq5fzAgCjEqVNC5CJWkCpudFErAqcwwMZnPUu5 f2+z63QaTYZAHSpf0nOtR9HDqy2XhufXMQensrUttGHQmUROI8jg6y+Bp2S7Mp6bS9bx7ztPd6aF 5cVMDxOs6g9hYSMBHAjRWehl5Mk/XwI0Qu90HQmnIKotxY0G3HNYPiaSkKsRsllzI6R6Ki2nosAJ 2umWMvvqO2/gCRpeQ6yFj4p/3rKj03NEuKh4YWIUOxgHwa15yTrHxRBq2SA23V3TeJ4wwokXtTWP aQEbUHl8mYWaJKlylBM7rOXlIO8bg2iRPJw8/YcyJFas1yvQVPaQ9LkBj43SwLT2mIC1MCCRaapG ixX1CPoEeIjhKSJaxZjT4/S0Y8BgqVlyktFJLwHCJcSoJHE61rNoYW2nKZTkjqEjcvOkRbRgD/Va dYCyOxAEyFkfUvF+tLp60jXqRI7/sdQDRx965vcRYpyMy9qRDBod7vt6KSKd83VFT8Ac+EN62mQC umdgwW6bzb3DDqQ5ua0TgyzPKdhum6ixeld0eI8A/eSkA9WL0I6mHiX53L2BBCg5oMR58NVC6etC cEMI8ML13WW7OvhzXrGADWI8xkHEJTcW9TqhyYb8zYZOoq1F9wWqToFLCoqaksY8OTwyEmxCp0iQ 9i27SLkafzIQZFtKnquTBDVAcSE2bKHXD59fVflvMUSBA9RRKmIBral6DMnN2VnWygqU4kgTZFVk IMoJKHlqZGTG5C0ojdIZPKMEQzPFu5O9OexS9/B1ZvoXe0qb5+aF3sk4hnBRmkRwqG4Ce4Balpsr arc+NXQyDvOrOJ8DA6EFqkfD4hqSCYXFA5MgZ0L2boRaEkpBLdbrroh9jegJDp/c6RtYLvJ/Ev8O 
xYEKLAlVealJuidQA4gj2DPAkmmgkNapJXiSjjrkV2m/JxpCmUSiMCTaXBvQBnROsaJzBjgyCCFS Pg0VaSx4PnuwRF1rS+Aj7xa65uhu0jIlz57TJAvoBKnCsJVNfSvBUutJsAleK1JTLm0GI2OUwRvN sS5gHjCZHEkMBBxJOgXMMDc31g8cNXQb7dQzm/NyG8c4vG8ZybsJ/1Nt/XCib5Un5mS1CwOxAsQy 8RWR+iifnyAToXt4enpOEKFxsudoeJcTOcoDWGCJ0GMyCWGMMHkPCLObaBcDQLSWLj7xSXivbKwy IhcxX1lSG8ESQNAzfpX1T+i7kinChIZxUaAQ