Article delegate-en/4340 of [1-5169] on the server localhost:119
[Reference:<_A4339@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Few questions about transparent proxy & srcif
08 Jan 2009 19:44:50 GMT feedback@delegate.org (Yutaka Sato)
The DeleGate Project


In message <_A4339@delegate-en.ML_> on 01/09/09(02:11:58) I wrote:
 | |"odst.-" requires SO_ORIGINAL_DST option of setsockopt() and it is enabled
 | |maybe only on Linux.  It is hardcoded as follows in "nbio.c".
 |...
 | |As this code shows, it requires SOL_IP and EOPNOTSUPP to be defined to
 | |be enabled.  If it is not the case in FreeBSD, and SO_ORIGINAL_DST is
 | |available, you can add the conditions for FreeBSD.
 | |Anyway I'll modify the code to automatically detect the availability of
 | |SO_ORIGINAL_DST in the next release.
 |
 |I noticed that maybe FreeBSD does not support SO_ORIGINAL_DST, but
 |instead (?) it substitutes the result of getsockname() with the
 |destination host and port.  I feel it unbelievably xxxy ;) because
 |I don't know how I can get the real getsockname() of self, but anyway

This is bad because a proxy will cause a loop when a transparent-proxy
is used also as a non-transparent-proxy and if the getsockname()
returns the entrance port of itself (to be used as the destination
address by "odst.-").

But I noticed that I can get the real interface from the socket to
be used to do accept() if the socket is not in wild-card as "-P9999"
but bound to a specific interface as "-Pxxx:9999".  And even with a
wild-card socket, we can detect whether the getsockname() is a
translated one or not if the port number is not the same.

So I revised the modification as the enclosed patch.

 |I can cope with it as the enclosed patch.  I confirmed it to work
 |by the following test:
 |
 |  XXX.1% sudo ipfw add 1000 fwd 127.0.0.1:9999 tcp from YYY to any 80
 |  XXX.2% delegated -fv -P9999 SERVER=http://odst.-:-
 |  YYY.3% sudo route add -host 210.155.199.28 XXX
 |  YYY.5% telnet www.delegate.org 80
 |  GET / HTTP/1.0
 |  Host: www.delegate.org
 |

I should have said that I'm testing these under MacOSX.  I also have
FreeBSD (4, 5, 6 and 7 for testing the binary distribution of DeleGate) but
"ipfw fwd" on them fails with "ipfw: getsockopt(IP_FW_ADD): Invalid argument"
(and I'm not so interested in FreeBSD:p)

Using the same proxy under the same configuration, with the patch,
I confirmed it can be used also as a virtual Host based proxy and
a usual proxy, and an origin server by the following test.

  YYY.6% telnet XXX 9999
  GET / HTTP/1.0
  Host: www.delegate.org

  YYY.7% telnet XXX 9999
  GET http://www.delegate.org HTTP/1.0

  YYY.8% telnet XXX 9999
  GET / HTTP/1.0
  Host: XXX:9999

  ----[YYY.6%]---- Host based transparent-proxy (RELAY=vhost)
  01/09 04:26:37.41 [23699] 1+0: -- Fork(SequentialServer): 23694 -> 23699
  01/09 04:26:37.58 [23699] 1+1: (0) accepted [25] -@[YY]YY:62033 (0.167s)(1)
  01/09 04:26:45.66 [23699] 1+1: Proxy: host=YY; User-Agent: ; DIRECT
  01/09 04:26:45.66 [23699] 1+1: REQUEST - GET / HTTP/1.0^M
  01/09 04:26:45.66 [23699] 1+1: PATH> http://www.delegate.org:80!YY.localdomain:9999!YY:62033!anonymous@YY;1231442797
  01/09 04:26:45.66 [23699] 1+1: REQUEST = [http://www.delegate.org:80/] GET / HTTP/1.0^M
  01/09 04:26:45.69 [23699] 1+1: checking delegate-internal: self=0 GET / HTTP/1.0^M
  01/09 04:26:45.69 [23699] 1+1: forwarding by RELAY=vhost [www.delegate.org:80]
  01/09 04:26:45.70 [23699] 1+1: gethostbyname(odst.-) unknown[0.00s] 
  01/09 04:26:45.70 [23699] 1+1: ConnectToServer: DFLT=http://odst.-:80 REAL=http://www.delegate.org:80
  01/09 04:26:45.71 [23699] 1+1: ConnectToServer connected [26] {210.155.199.28:80 <- 192.168.1.20:60365} [0.001s]

  ----[YYY.7%]---- non-transparent proxy
  01/09 04:28:20.99 [23712] 2+0: -- Fork(SequentialServer): 23694 -> 23712
  01/09 04:28:21.04 [23712] 2+1: (0) accepted [47] -@[YY]YY:62034 (0.057s)(1)
  01/09 04:28:28.93 [23712] 2+1: Proxy: host=YY; User-Agent: ; DIRECT
  01/09 04:28:28.93 [23712] 2+1: REQUEST - GET http://www.delegate.org HTTP/1.0^M
  01/09 04:28:28.94 [23712] 2+1: PATH> http://www.delegate.org:80!YY.localdomain:9999!YY:62034!anonymous@YY;1231442901
  01/09 04:28:28.94 [23712] 2+1: REQUEST = [http://www.delegate.org:80/] GET / HTTP/1.0^M
  01/09 04:28:28.96 [23712] 2+1: ConnectToServer connected [25] {210.155.199.28:80 <- YY:60374} [0.001s]

  ----[YYY.8%]---- origin server
  01/09 04:39:35.90 [23828] 3+0: -- Fork(SequentialServer): 23694 -> 23828
  01/09 04:39:36.09 [23828] 3+1: (0) accepted [54] -@[YY]YY:62037 (0.191s)(1)
  01/09 04:39:47.92 [23828] 3+1: Proxy: host=YY; User-Agent: ; DIRECT
  01/09 04:39:47.93 [23828] 3+1: REQUEST - GET / HTTP/1.0^M
  01/09 04:39:47.93 [23828] 3+1: PATH> http://YY:9999!YY.localdomain:9999!YY:62037!anonymous@YY;1231443576
  01/09 04:39:47.93 [23828] 3+1: REQUEST = [http://YY:9999/] GET / HTTP/1.0^M
  01/09 04:39:47.93 [23828] 3+1: checking delegate-internal: self=1 GET / HTTP/1.0^M

Cheers,
Yutaka
--
  9 9   Yutaka Sato <y.sato@delegate.org> http://delegate.org/y.sato/
 ( ~ )  National Institute of Advanced Industrial Science and Technology
_<   >_ 1-1-4 Umezono, Tsukuba, Ibaraki, 305-8568 Japan
Do the more with the less -- B. Fuller

diff -cr dist/src/delegate9.9.1-pre6/rary/nbio.c ./rary/nbio.c
*** dist/src/delegate9.9.1-pre6/rary/nbio.c	Sun Dec 28 20:33:49 2008
--- ./rary/nbio.c	Fri Jan  9 01:49:14 2009
***************
*** 1571,1576 ****
--- 1571,1579 ----
  	return -1;
  }
  int getorigdst(int sock,struct sockaddr *dst,int *dstlen){
+ 	if( lORIGDST() ){
+ 		return getsockname(sock,dst,dstlen);
+ 	}
  	return -1;
  }
  int getorigsrc(int sock,struct sockaddr *src,int *srclen){
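Review bot: getorigdst() now returns whatever getsockname() reports whenever lORIGDST() is set, so when the kernel has not rewritten the accepted socket's address (a client that connected to the proxy port directly) the caller gets the proxy's own entrance address back as the "original destination", which is exactly the loop the message warns about; the distinction between a translated address and the listener's own (different port, or a different host on a specifically bound interface) is made only in delegated.c, so either make it here (compare against the accept socket's address and return -1 when they match) or state in a comment that callers must do it. Also, `int *dstlen` is handed straight to getsockname(), whose third argument is `socklen_t *`; where socklen_t is not int this is a type mismatch, so pass a local socklen_t and copy it back.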
diff -cr dist/src/delegate9.9.1-pre6/src/delegated.c ./src/delegated.c
*** dist/src/delegate9.9.1-pre6/src/delegated.c	Sat Jan  3 22:38:53 2009
--- ./src/delegated.c	Fri Jan  9 04:02:15 2009
***************
*** 3784,3789 ****
--- 3784,3801 ----
  
  extern int CACHE_READONLY;
  
+ int withORIGINAL_DST();
+ static void setCLIF(Connection *Conn,int csock){
+ 	/* BSD,MacOSX */
+ 	int asock = Conn->clif._acceptSock;
+ 	CLIF_PORT = gethostAddr(asock,AVStr(CLIF_HOST));
+ 	if( streq(CLIF_HOST,"0.0.0.0") ){
+ 		/* can't get real interface for wild-card -Pxxx ? */
+ 		VA_HostPortIFclnt(Conn,csock,AVStr(CLIF_HOST),VStrNULL,NULL);
+ 	}else{
+ 		VA_HostPortIFclnt(Conn,asock,AVStr(CLIF_HOST),VStrNULL,NULL);
+ 	}
+ }
  static void initConn(Connection *Conn,int csock)
  {
  	int asock = AcceptSock;
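Review bot: the port comparison the message proposes ("if the port number is not the same") is not implemented in setCLIF(): the wildcard branch simply calls VA_HostPortIFclnt() on csock, which yields the possibly translated address the message says cannot be trusted, and in both branches the return value of VA_HostPortIFclnt() is discarded while CLIF_PORT keeps the accept-socket port from gethostAddr(). Suggest comparing the port reported for csock with CLIF_PORT and only accepting the csock host when they agree. Two smaller points: `streq(CLIF_HOST,"0.0.0.0")` recognizes only the IPv4 any-address, so an IPv6 wildcard listener ("::") takes the else branch and reports the bound address as the client interface; and the forward declaration should be `int withORIGINAL_DST(void);` rather than the empty-parameter form.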
***************
*** 3800,3805 ****
--- 3812,3820 ----
  	clear_DGconn(Conn);
  
  	if( 0 <= csock ){
+ 		if( lORIGDST() && !withORIGINAL_DST() ){
+ 			setCLIF(Conn,csock);
+ 		}else
  	CLIF_PORT = VA_HostPortIFclnt(Conn,csock,AVStr(CLIF_HOST),VStrNULL,NULL);
  	sprintf(CLIF_HOSTPORT,"%s:%d",CLIF_HOST,CLIF_PORT);
  	}else{
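Review bot: the inserted `}else` has no braces, so it binds only the existing `CLIF_PORT = VA_HostPortIFclnt(...)` assignment and the following `sprintf(CLIF_HOSTPORT,...)` runs on both paths; that is presumably intended, but the unchanged indentation of the two original lines makes it read as if the sprintf were part of the else. Brace the else body and re-indent. Also withORIGINAL_DST() is evaluated on every accepted connection; if its detection is not trivial, compute it once at startup and test a flag here.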

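The detection rule described in the message (a getsockname() result on the accepted socket is trustworthy as the original destination when its port differs from the listener's, or when the listener is bound to a specific interface and the host differs; with a wildcard listener and the same port it cannot be told apart from the proxy's own entrance) as an added example in C. This is not DeleGate code and not the patch above; it assumes IPv4 only, never opens a socket, and the proxy address 192.168.1.20:9999 and the client-side values are constructed for the demonstration (the archive masks the real hosts as XXX/YY).

```c
/* Added example, not DeleGate's own code: decide whether the address that
 * getsockname() reports on an accepted socket is a redirected destination
 * (BSD/MacOSX "ipfw fwd" behaviour) or just the proxy's own entrance.
 * Assumes IPv4 only; all addresses are constructed inline, no sockets opened. */
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

enum origdst_kind {
    ORIGDST_REDIRECTED = 0, /* safe to use as "odst.-": the client's real target */
    ORIGDST_SELF       = 1, /* proxy's own entrance: forwarding there would loop */
    ORIGDST_AMBIGUOUS  = 2  /* wildcard listener and same port: cannot tell */
};

/* Build an IPv4 sockaddr from dotted-quad text and a host-order port.
 * Returns 0 on success, -1 if the text is not an IPv4 address. */
static int mk_addr(const char *ip, int port, struct sockaddr_in *out)
{
    memset(out, 0, sizeof *out);
    out->sin_family = AF_INET;
    out->sin_port = htons((unsigned short)port);
    return inet_pton(AF_INET, ip, &out->sin_addr) == 1 ? 0 : -1;
}

/* listen_addr: getsockname() of the accept()ing socket ("-P9999" gives
 * 0.0.0.0:9999, "-Pxxx:9999" gives xxx:9999).
 * conn_local: getsockname() of the accepted socket, which the kernel may
 * have replaced with the original destination. */
static enum origdst_kind classify_origdst(const struct sockaddr_in *listen_addr,
                                          const struct sockaddr_in *conn_local)
{
    int wildcard = listen_addr->sin_addr.s_addr == htonl(INADDR_ANY);

    /* A different port can only come from a redirect: a socket accepted on
     * port 9999 cannot otherwise report a local port of 80. */
    if (conn_local->sin_port != listen_addr->sin_port)
        return ORIGDST_REDIRECTED;
    /* Same port. With a specifically bound interface the hosts can be compared. */
    if (!wildcard)
        return conn_local->sin_addr.s_addr == listen_addr->sin_addr.s_addr
               ? ORIGDST_SELF : ORIGDST_REDIRECTED;
    /* Wildcard listener: the reported host may be our own interface or a
     * redirected target that happens to use the same port. */
    return ORIGDST_AMBIGUOUS;
}

/* String front-end: returns the classification, or -1 on a bad address. */
int classify_origdst_str(const char *listen_ip, int listen_port,
                         const char *conn_ip, int conn_port)
{
    struct sockaddr_in la, ca;
    if (mk_addr(listen_ip, listen_port, &la) < 0 || mk_addr(conn_ip, conn_port, &ca) < 0)
        return -1;
    return (int)classify_origdst(&la, &ca);
}

/* Policy the proxy can apply: only a REDIRECTED address may be used as the
 * server; SELF and AMBIGUOUS fall back to the request URL / Host header
 * (the non-transparent path). Returns 1 if odst may be used, else 0. */
int may_use_origdst(const char *listen_ip, int listen_port,
                    const char *conn_ip, int conn_port)
{
    return classify_origdst_str(listen_ip, listen_port, conn_ip, conn_port)
           == ORIGDST_REDIRECTED;
}

int main(void)
{
    /* Constructed cases mirroring the test in the message, proxy on
     * 192.168.1.20:9999 (hypothetical address; the archive masks it). */
    static const struct { const char *lip; int lp; const char *cip; int cp; } cases[] = {
        { "0.0.0.0",      9999, "210.155.199.28", 80   }, /* ipfw fwd redirect */
        { "192.168.1.20", 9999, "192.168.1.20",   9999 }, /* client spoke to proxy itself */
        { "0.0.0.0",      9999, "192.168.1.20",   9999 }, /* wildcard: undecidable */
    };
    static const char *names[] = { "REDIRECTED", "SELF", "AMBIGUOUS" };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        int k = classify_origdst_str(cases[i].lip, cases[i].lp, cases[i].cip, cases[i].cp);
        printf("listen %s:%d conn %s:%d -> %s\n", cases[i].lip, cases[i].lp,
               cases[i].cip, cases[i].cp, k < 0 ? "bad address" : names[k]);
    }
    return 0;
}
```

The point of the AMBIGUOUS result is the loop the message describes: with a wildcard listener a client that simply connected to the proxy port yields the proxy's own address from getsockname(), and using that as "odst.-" would make the proxy connect to itself, so the only safe policy is to treat that case like an ordinary (non-transparent) request and route by the request URL or Host header.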