2009/1/8 Yutaka Sato <feedback@delegate.org>:
> In message <_A4339@delegate-en.ML_> on 01/09/09(02:11:58) I wrote:
> | |"odst.-" requires SO_ORIGINAL_DST option of setsockopt() and it is enabled
> | |maybe only on Linux. It is hardcoded as follows in "nbio.c".
> |...
> | |As this code shows, it requires SOL_IP and EOPNOTSUPP to be defined to
> | |be enabled. If it is not the case in FreeBSD, and SO_ORIGINAL_DST is
> | |available, you can add the conditions for FreeBSD.
> | |Anyway I'll modify the code to automatically detect the availability of
> | |SO_ORIGINAL_DST in the next release.
> |
> |I noticed that maybe FreeBSD does not support SO_ORIGINAL_DST, but
> |instead (?) it substitutes the result of getsockname() with the
> |destination host and port. I feel it unbelievably xxxy ;) because
> |I don't know how I can get the real getsockname() of self, but anyway
>
> This is bad because a proxy will cause a loop when a transparent-proxy
> is used also as a non-transparent-proxy and if the getsockname()
> returns the entrance port of itself (to be used as the destination
> address by "odst.-").
>
> But I noticed that I can get the real interface from the socket to
> be used to do accept() if the socket is not in wild-card as "-P9999"
> but bound to a specific interface as "-Pxxx:9999". And even with a
> wild-card socket, we can detect whether the getsockname() is
> translated one or not if the port number is not the same.
>
> So I revised the modification as the enclosed patch.
>
> |I can cope with it as the enclosed patch. I confirmed it to work
> |by the following test:
> |
> | XXX.1% sudo ipfw add 1000 fwd 127.0.0.1:9999 tcp from YYY to any 80
> | XXX.2% delegated -fv -P9999 SERVER=http://odst.-:-
> | YYY.3% sudo route add -host 210.155.199.28 XXX
> | YYY.5% telnet www.delegate.org 80
> | GET / HTTP/1.0
> | Host: www.delegate.org
> |
>
> I should have said that I'm testing these under MacOSX.
> I also have
> FreeBSD (4, 5, 6 and 7 for testing the binary distribution of DeleGate) but
> "ipfw fwd" on them fail with "ipfw: getsockopt(IP_FW_ADD): Invalid argument"
> (and I'm not so interested in FreeBSD:p)

It seems a kernel rebuild with "options IPFIREWALL_FORWARD" is required.

> Using the same proxy under the same configuration, with the patch,
> I confirmed it can be used also as a virtual Host based proxy and
> a usual proxy, and an origin server by the following test.

Thanks. I patched 9.9.0 with the attached patch and confirm that the transparent proxy now works on FreeBSD 6.3-p2 with a configuration like:

  -P127.0.0.1:3128 SRCIF=192.168.77.11 SERVER="tcprelay://odst.-:-/*" RELAY=vhost

But it seems that at least error reporting to the client and proxy forwarding in transparent mode are broken. The client receives a blank white page in both cases.

PS. It seems you missed my second question about SRCIF and disabling default gateway routing (Q2 in my first mail).

Additional information:

If I add a string for proxy forwarding like:

  PROXY="XX.XX.XX.XX:3128:*,!192.168.0.0/16,!10.130.0.0/16,!10.250.0.0/16,!212.3.128.0/19"

I receive a blank white page, log:

  1/10 21:32:25.29 [22379] 1+0: -- Fork(SequentialServer): 22370 -> 22379
  01/10 21:32:25.33 [22379] 1+1: ##NAT clif/localhost:3129 odst/ya.RU:80 clnt/n100.p100.internet.gnet:17778
  01/10 21:32:25.33 [22379] 1+1: (0) accepted [37] -@[10.1.100.100]n100.p100.internet.gnet:17778 ##NAT213.180.204.8/ya.RU:80 (0.045s)(1)
  01/10 21:32:25.34 [22379] 1+1: ##NAT (3) redirect: 213.180.204.8:80 (odst.-:8701)
  01/10 21:32:25.34 [22379] 1+1: ##NAT mapped port 80 <- 8701 80 [0](3)
  01/10 21:32:25.34 [22379] 1+1: PATH: tcprelay://213.180.204.8:80!ya.RU:80!n100.p100.internet.gnet:17778!anonymous@n100.p100.internet.gnet;1231612345
  01/10 21:32:25.34 [22379] 1+1: default netmask 127.0.0.1/. = FFFFFF00
  01/10 21:32:25.34 [22379] 1+1: ## hostIFto 10.1.100.100 < 10.1.100.1 (ff000000)
  01/10 21:32:25.36 [22379] 1+1: ROUTE: tcprelay://XX.XX.XX.XX:3128//
  01/10 21:32:25.36 [22379] 1+1: [14] source port = 192.168.77.11:0 = 192.168.77.11:51154
  01/10 21:32:25.47 [22379] 1+1: ConnectToServer connected [14] {XX.XX.XX.XX:3128 <- 192.168.77.11:51154} [0.116s]
  01/10 21:32:25.47 [22379] 1+1: willSTLS_SV: ServerFlags=10000000
  01/10 21:32:25.86 [22379] 1+1: MASTER[-1] says(1): DeleGate-HELLO 9.8.2-pre41 <11293.1231612346@xx..ru>^M
  01/10 21:32:25.86 [22379] 1+1: forwarding to [14] delegate://XX.XX.ru:3128
  01/10 21:32:27.18 [22379] 1+1: MASTER[-1] says(2): 200 OK: good^M
  01/10 21:32:27.18 [22379] 1+1: willSTLS_SV: ServerFlags=10000000
  01/10 21:32:27.18 [22379] 1+1: relays(2) start: timeout=600000msec
  01/10 21:32:27.27 [22379] 1+1: relays[1]: [14->EOF] -1(-1i+0o)
  01/10 21:32:27.27 [22379] 1+1: relays[0]: [37->14] 380 bytes / 1 -> 380
  01/10 21:32:27.27 [22379] 1+1: relays[1]: [14->37] -1 bytes / 1 -> 0
  01/10 21:32:27.27 [22379] 1+1: disconnected [37] -@[10.1.100.100]n100.p100.internet.gnet:17778 ##NAT213.180.204.8/ya.RU:80 (1.983s)(0)
  01/10 21:32:27.36 [22370] 1+0: AcceptByMain: locked out*1/0 by Sticky*1 0/0
  01/10 21:32:27.36 [22379] 1+2: ##NAT clif/localhost:3129 odst/ya.RU:80 clnt/n100.p100.internet.gnet:17779
  01/10 21:32:27.36 [22379] 1+2: (0) accepted [39] -@[10.1.100.100]n100.p100.internet.gnet:17779 ##NAT213.180.204.8/ya.RU:80 (0.001s)(1)
  01/10 21:32:27.36 [22379] 1+2: ##NAT (3) redirect: 213.180.204.8:80 (odst.-:8701)
  01/10 21:32:27.36 [22379] 1+2: ##NAT mapped port 80 <- 8701 80 [0](3)
  01/10 21:32:27.36 [22379] 1+2: PATH: tcprelay://213.180.204.8:80!ya.RU:80!n100.p100.internet.gnet:17779!anonymous@n100.p100.internet.gnet;1231612347
  01/10 21:32:27.36 [22379] 1+2: default netmask 127.0.0.1/. = FFFFFF00
  01/10 21:32:27.36 [22379] 1+2: ROUTE: tcprelay://XX.XX.XX.XX:3128//
  01/10 21:32:27.36 [22379] 1+2: [22] source port = 192.168.77.11:0 = 192.168.77.11:49973
  01/10 21:32:27.69 [22379] 1+2: ConnectToServer connected [22] {XX.XX.XX.XX:3128 <- 192.168.77.11:49973} [0.324s]
  01/10 21:32:27.69 [22379] 1+2: willSTLS_SV: ServerFlags=10000000
  01/10 21:32:27.80 [22379] 1+2: MASTER[-1] says(1): DeleGate-HELLO 9.8.2-pre41 <11293.1231612348@xx..ru>^M
  01/10 21:32:27.80 [22379] 1+2: forwarding to [22] delegate://XX.XX.ru:3128
  01/10 21:32:33.40 [22379] 1+2: MASTER[-1] says(2): 200 OK: good^M
  01/10 21:32:33.40 [22379] 1+2: willSTLS_SV: ServerFlags=10000000
  01/10 21:32:33.40 [22379] 1+2: relays(2) start: timeout=600000msec
  01/10 21:32:33.48 [22379] 1+2: relays[1]: [22->EOF] -1(-1i+0o)
  01/10 21:32:33.48 [22379] 1+2: relays[0]: [39->22] 351 bytes / 1 -> 351
  01/10 21:32:33.48 [22379] 1+2: relays[1]: [22->39] -1 bytes / 1 -> 0
  01/10 21:32:33.48 [22379] 1+2: disconnected [39] -@[10.1.100.100]n100.p100.internet.gnet:17779 ##NAT213.180.204.8/ya.RU:80 (6.120s)(0)
  01/10 21:32:34.14 [22379] 1+3: ##NAT clif/localhost:3129 odst/ya.RU:80 clnt/n100.p100.internet.gnet:17792
  01/10 21:32:34.14 [22379] 1+3: (0) accepted [51] -@[10.1.100.100]n100.p100.internet.gnet:17792 ##NAT213.180.204.8/ya.RU:80 (0.002s)(1)
  01/10 21:32:34.14 [22379] 1+3: ##NAT (3) redirect: 213.180.204.8:80 (odst.-:8701)
  01/10 21:32:34.14 [22379] 1+3: ##NAT mapped port 80 <- 8701 80 [0](3)
  01/10 21:32:34.14 [22379] 1+3: PATH: tcprelay://213.180.204.8:80!ya.RU:80!n100.p100.internet.gnet:17792!anonymous@n100.p100.internet.gnet;1231612354
  01/10 21:32:34.14 [22379] 1+3: default netmask 127.0.0.1/. = FFFFFF00
  01/10 21:32:34.14 [22379] 1+3: ROUTE: tcprelay://XX.XX.XX.XX:3128//
  01/10 21:32:34.14 [22379] 1+3: [24] source port = 192.168.77.11:0 = 192.168.77.11:60961
  01/10 21:32:34.22 [22379] 1+3: ConnectToServer connected [24] {XX.XX.XX.XX:3128 <- 192.168.77.11:60961} [0.081s]
  01/10 21:32:34.22 [22379] 1+3: willSTLS_SV: ServerFlags=10000000
  01/10 21:32:35.56 [22379] 1+3: MASTER[-1] says(1): DeleGate-HELLO 9.8.2-pre41 <11964.1231612356@xx..ru>^M
  01/10 21:32:35.56 [22379] 1+3: forwarding to [24] delegate://XX.XX.ru:3128
  01/10 21:32:45.56 [22379] 1+3: MASTER closed
  01/10 21:32:45.56 [22379] 1+3: E-C: Can't connect: n100.p100.internet.gnet:17792 => tcprelay://213.180.204.8:80 (noRoute)
  01/10 21:32:45.56 [22379] 1+3: willSTLS_SV: ServerFlags=0
  01/10 21:32:45.56 [22379] 1+3: disconnected [51] -@[10.1.100.100]n100.p100.internet.gnet:17792 ##NAT213.180.204.8/ya.RU:80 (11.423s)(0)
  01/10 21:33:15.58 [22379] 1+3: StickyServer done [timeout] 3 req / 3+0/1 conn / 50 sec

If I add for example REJECT="*", then the same blank white page appears instead of the access error message as expected, log:

  01/10 21:37:22.49 [23849] 1+0: -- Fork(SequentialServer): 23844 -> 23849
  01/10 21:37:22.50 [23849] 1+1: ##NAT clif/localhost:3129 odst/noc.masterhost.RU:80 clnt/n100.p100.internet.gnet:18304
  01/10 21:37:22.50 [23849] 1+1: (0) accepted [29] -@[10.1.100.100]n100.p100.internet.gnet:18304 ##NAT217.16.22.60/noc.masterhost.RU:80 (0.007s)(1)
  01/10 21:37:22.50 [23849] 1+1: ##NAT (3) redirect: 217.16.22.60:80 (odst.-:8701)
  01/10 21:37:22.50 [23849] 1+1: ##NAT mapped port 80 <- 8701 80 [0](3)
  01/10 21:37:22.50 [23849] 1+1: PATH: tcprelay://217.16.22.60:80!noc.masterhost.RU:80!n100.p100.internet.gnet:18304!anonymous@n100.p100.internet.gnet;1231612642
  01/10 21:37:22.50 [23849] 1+1: default netmask 127.0.0.1/. = FFFFFF00
  01/10 21:37:22.50 [23849] 1+1: ## hostIFto 10.1.100.100 < 10.1.100.1 (ff000000)
  01/10 21:37:22.50 [23849] 1+1: default netmask 127.0.0.1/. = FFFFFF00
  01/10 21:37:22.50 [23849] 1+1: E-P: No permission: n100.p100.internet.gnet:18304 => tcprelay://217.16.22.60:80 (matched REJECT)
  01/10 21:37:22.50 [23849] 1+1: bind_insock(14,127.0.0.1,0) = 0, errno=0
  01/10 21:37:23.50 [23849] 1+1: ## connect[14] TIMEOUT(1000)
  01/10 21:37:23.50 [23849] 1+1: ### IDENT CONNECT(n100.p100.internet.gnet:113) TIMEOUT(1000ms) (60)
  (UNIX) 21:37:23.538 [23849] connect(22) REFUSED*1, retry after 500ms ...
  01/10 21:37:24.05 [23849] 1+1: [22] doDelay connect failed 127.0.0.1:65107 [0.51s] errno=61
  01/10 21:37:24.07 [23849] 1+1: doDelay: clear old errors: count=17,age=991,delay=60
  01/10 21:37:24.07 [23849] 1+1: E-C: Can't connect: n100.p100.internet.gnet:18304 => tcprelay://217.16.22.60:80 (?)
  01/10 21:37:24.07 [23849] 1+1: willSTLS_SV: ServerFlags=0
  01/10 21:37:24.07 [23849] 1+1: disconnected [29] -@[10.1.100.100]n100.p100.internet.gnet:18304 ##NAT217.16.22.60/noc.masterhost.RU:80 (1.584s)(0)
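The two-step original-destination lookup discussed in this thread (SO_ORIGINAL_DST via getsockopt() where SOL_IP and SO_ORIGINAL_DST exist, otherwise the getsockname() result as substituted by "ipfw fwd", trusted only when it provably differs from the proxy's own entrance so the proxy cannot connect to itself), written up as an added C example; it is not DeleGate's nbio.c nor the patch from this thread, and the function names, the ODST_* result codes and the test addresses are my own.

```c
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <linux/netfilter_ipv4.h>   /* defines SO_ORIGINAL_DST on Linux */
#endif

enum odst_kind { ODST_ENTRANCE, ODST_TRANSLATED, ODST_UNKNOWN };

/* Linux path: netfilter reports the pre-NAT destination via getsockopt().
 * Where SOL_IP or SO_ORIGINAL_DST is undefined, fail with EOPNOTSUPP so
 * the caller can fall back to the getsockname() heuristic below. */
int original_dst_by_sockopt(int fd, struct sockaddr_in *odst)
{
#if defined(SOL_IP) && defined(SO_ORIGINAL_DST)
    socklen_t len = sizeof *odst;
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, odst, &len);
#else
    (void)fd; (void)odst;
    errno = EOPNOTSUPP;
    return -1;
#endif
}

/* Fallback for kernels that put the original destination into getsockname()
 * of the accepted socket. bound = listener address (INADDR_ANY for "-P9999",
 * specific for "-Pxxx:9999"); local = getsockname() result. An address equal
 * to the entrance is never used as destination (the proxy would loop); with a
 * wildcard listener the interface is unknown, so only a port mismatch counts. */
enum odst_kind classify_local(const struct sockaddr_in *bound,
                              const struct sockaddr_in *local,
                              struct sockaddr_in *odst)
{
    int wildcard  = bound->sin_addr.s_addr == htonl(INADDR_ANY);
    int same_addr = bound->sin_addr.s_addr == local->sin_addr.s_addr;
    int same_port = bound->sin_port == local->sin_port;
    if (!wildcard && same_addr && same_port) return ODST_ENTRANCE;
    if (wildcard && same_port) return ODST_UNKNOWN;   /* cannot decide */
    *odst = *local;
    return ODST_TRANSLATED;
}

/* Builds a sockaddr_in from constructed test values (not from the thread). */
int mk_addr(const char *ip, int port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons((unsigned short)port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}
```

A caller would try original_dst_by_sockopt() first and, on EOPNOTSUPP, use classify_local(); only ODST_TRANSLATED yields a destination, ODST_UNKNOWN should be refused rather than guessed.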