[PATCH] linux netfilter transparency

From: Gianni Tedesco <gianni@dont-contact.us>
Date: 07 Mar 2003 16:21:16 +0000

Hi,

Here is the first cut of the patch against squid-2.5; it is all fairly
self-explanatory. There are still a couple of things I need to do.

The patch adds a new onoff config 'linux_tproxy' which when set will
spoof the source address of outgoing server connections to be the same
as the original client address. There is one slight bogon which is
disabling the euid==0 check because squid needs to run as root to use
the tproxy functionality. Perhaps this could be more fine-grained and
only allow euid==0 when linux_tproxy is enabled. If it came to it I
could always fix minor warts like this with some interesting kernel
kludge instead (eg: echo 666 > /proc/sys/tproxy_gid).

TODO
----
 o Document the weird stuff, you need to set a tcp_outgoing_address when
   using netfilter TPROXY and disable server persistent connections.
 o Bail with an error if server persistent connections is enabled in
   conjunction with linux_tproxy.
 o Remove euid-check wart
 o port to HEAD ;)
I still haven't had time to check out HEAD, but will do before going home
tonight if I get time. Have you any technical thoughts on implementing
'connection-pinning', both for 2.5 and 3.0? I think that will be the next
thing to do. Should be fun :)
Thanks.
-- 
// Gianni Tedesco (gianni at scaramanga dot co dot uk)
lynx --source www.scaramanga.co.uk/gianni-at-ecsc.asc | gpg --import
8646BE7D: 6D9F 2287 870E A2C9 8F60 3A3C 91B5 7669 8646 BE7D
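Added example, not part of Gianni's message or of the Squid source: a standalone Python check for the two squid.conf conditions the TODO list says the linux_tproxy patch depends on (a tcp_outgoing_address must be set, and server persistent connections must be off). The config fragments are constructed for the example; the check relies on Squid's default of server_persistent_connections being on when the directive is absent.

```python
"""Lint squid.conf for the invariants the linux_tproxy option needs."""
import shlex

# Constructed sample configs (not from the original message).
GOOD_CONF = """
http_port 3128
linux_tproxy on
tcp_outgoing_address 192.0.2.1    # required with netfilter TPROXY
server_persistent_connections off
"""

BAD_CONF = """
linux_tproxy on
# no tcp_outgoing_address, and persistent server connections left on
server_persistent_connections on
"""


def parse_squid_conf(text):
    """Map each directive to its argument list, ignoring comments.

    Later occurrences of a directive overwrite earlier ones; for this
    check only presence and the on/off value matter.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line:
            continue
        parts = shlex.split(line)
        conf[parts[0]] = parts[1:]
    return conf


def tproxy_problems(text):
    """Return a list of misconfigurations; empty means the config is consistent."""
    conf = parse_squid_conf(text)
    problems = []
    if conf.get('linux_tproxy', ['off'])[0].lower() != 'on':
        return problems  # nothing to check when the option is off
    if 'tcp_outgoing_address' not in conf:
        problems.append('linux_tproxy on requires tcp_outgoing_address')
    # Squid defaults server_persistent_connections to on, so a missing
    # directive is as much a problem as an explicit "on".
    if conf.get('server_persistent_connections', ['on'])[0].lower() != 'off':
        problems.append('linux_tproxy on requires server_persistent_connections off')
    return problems


if __name__ == '__main__':
    for name, conf in (('GOOD_CONF', GOOD_CONF), ('BAD_CONF', BAD_CONF)):
        print(name, tproxy_problems(conf) or 'ok')
```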

Received on Fri Mar 07 2003 - 09:20:50 MST

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:19:31 MST