Index: include/ip_tproxy.h
===================================================================
--- include/ip_tproxy.h (.../vendor/haproxy/1.2.15) (revision 0)
+++ include/ip_tproxy.h (.../trunk/vendor/haproxy-1.2.15) (revision 39233)
@@ -0,0 +1,45 @@
+/*
+ * Transparent proxy support for Linux/iptables
+ *
+ * Copyright (c) 2002 BalaBit IT Ltd.
+ * Author: Balázs Scheidler
+ *
+ * This code is under GPLv2.
+ */
+
+#ifndef _IP_TPROXY_H
+#define _IP_TPROXY_H
+
+#ifdef __KERNEL__
+#include
+#include
+#else
+#include
+#endif
+
+/*
+ * used in setsockopt(SOL_IP, IP_TPROXY_*) should not collide
+ * with values in
+ */
+#define IP_TPROXY_ASSIGN 20
+#define IP_TPROXY_UNASSIGN 21
+#define IP_TPROXY_QUERY 22
+#define IP_TPROXY_FLAGS 23
+
+/* bitfields in IP_TPROXY_FLAGS */
+#define ITP_CONNECT 0x00000001
+#define ITP_LISTEN 0x00000002
+#define ITP_ESTABLISHED 0x00000004
+
+#define ITP_ONCE 0x00010000
+#define ITP_MARK 0x00020000
+#define ITP_APPLIED 0x00040000
+#define ITP_UNIDIR 0x00080000
+
+/* structure passed to setsockopt(SOL_IP, IP_TPROXY) */
+struct in_tproxy {
+ struct in_addr itp_faddr;
+ u_int16_t itp_fport;
+};
+
+#endif
Index: haproxy.c
===================================================================
--- haproxy.c (.../vendor/haproxy/1.2.15) (revision 39233)
+++ haproxy.c (.../trunk/vendor/haproxy-1.2.15) (revision 39233)
@@ -63,6 +63,8 @@
#if defined(TPROXY) && defined(NETFILTER)
#include
+#include
+#include "include/ip_tproxy.h"
#endif
#if defined(__dietlibc__)
@@ -381,6 +383,7 @@ #define PR_O_BALANCE (PR_O_BALANCE_RR | PR_O_BALANCE_SH) #define PR_O_ABRT_CLOSE 0x00800000 /* immediately abort request when client closes */ #define PR_O_SSL3_CHK 0x01000000 /* use SSLv3 CLIENT_HELLO packets for server health */ +#define PR_O_TPROXY 0x02000000 /* use tproxy to make the service tranparent from the server's perspective */ /* various session flags, bits values 0x01 to 0x20 (shift 0) */ #define SN_DIRECT 0x00000001 /* connection made on the server matching the client cookie */ @@ -2464,6 +2467,10 @@ */ int connect_server(struct session *s) { int fd, err; +#if defined(TPROXY) + struct in_tproxy itp; + int flags; +#endif if (!(s->flags & SN_ADDR_SET)) { err = assign_server_address(s); @@ -2535,8 +2542,28 @@ s->proxy->id, s->srv->id); return SN_ERR_RESOURCE; } +#if defined(TPROXY) + if (s->proxy->options & PR_O_TPROXY) { +// itp.op = TPROXY_ASSIGN; +// inet_aton(FOREIGN_IP, (struct in_addr *) &itp.v.addr.faddr); +// itp.v.addr.faddr = (struct in_addr)&((struct sockaddr_in *)&s->cli_addr)->sin_addr; + itp.itp_faddr = ((struct sockaddr_in *)&s->cli_addr)->sin_addr; + itp.itp_fport = ((struct sockaddr_in *)&s->cli_addr)->sin_port; + if (setsockopt(fd, SOL_IP, IP_TPROXY_ASSIGN, &itp, sizeof(itp)) == -1) { + Alert("setsockopt(SOL_IP, IP_TPROXY, TPROXY_ASSIGN)\n"); + perror("TPROXY_ASSIGN"); + return SN_ERR_RESOURCE; + } + /* set connect flag on socket */ +// itp.op = TPROXY_FLAGS; + flags = ITP_CONNECT; + if (setsockopt(fd, SOL_IP, IP_TPROXY_FLAGS, &flags, sizeof(flags)) == -1) { + Alert("setsockopt(SOL_IP, IP_TPROXY, TPROXY_FLAGS)\n"); + return SN_ERR_RESOURCE; + } + } +#endif } - if ((connect(fd, (struct sockaddr *)&s->srv_addr, sizeof(s->srv_addr)) == -1) && (errno != EINPROGRESS) && (errno != EALREADY) && (errno != EISCONN)) { 
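Review bot: Both new failure branches in the TPROXY block — after the IP_TPROXY_ASSIGN setsockopt and after the IP_TPROXY_FLAGS one — `return SN_ERR_RESOURCE;` with the server socket still open, so every failed assignment leaks `fd` (created earlier in connect_server, outside this hunk) and a misconfigured or privilege-dropped proxy will run out of descriptors under load; each branch should read `close(fd); return SN_ERR_RESOURCE;` (the visible context lines suggest the existing bind-failure path just above has the same omission, but that is pre-existing code). The `#if defined(TPROXY)` guard here does not match the `#if defined(TPROXY) && defined(NETFILTER)` guard under which the earlier hunk includes ip_tproxy.h, so a build with TPROXY but without NETFILTER fails on `struct in_tproxy` and `IP_TPROXY_ASSIGN`; the two guards should be identical. A comment at the ASSIGN call is also warranted: as far as I recall of the BalaBit patch, IP_TPROXY_ASSIGN is a CAP_NET_ADMIN operation, and this call runs per connection after any uid/gid drop, so an unprivileged haproxy would fail here at runtime — `/* needs CAP_NET_ADMIN at connect time; does not survive a uid/gid drop -- TODO confirm against the kernel patch */`. The second branch also discards the errno that the first reports via perror(); using `strerror(errno)` in both Alert() calls and deleting the three commented-out `// itp.op = ...` lines (an older tproxy API) would keep the block consistent.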
@@ -8816,6 +8843,11 @@
curproxy->source_addr = *str2sa(args[1]);
curproxy->options |= PR_O_BIND_SRC;
}
+#if defined(TPROXY)
+ else if (!strcmp(args[0], "tproxy")) { /* operate in client adress transparent mode */
+ curproxy->options |= PR_O_TPROXY;
+ }
+#endif
else if (!strcmp(args[0], "cliexp") || !strcmp(args[0], "reqrep")) { /* replace request header from a regex */
regex_t *preg;
if (curproxy == &defproxy) {
Index: Makefile
===================================================================
--- Makefile (.../vendor/haproxy/1.2.15) (revision 39233)
+++ Makefile (.../trunk/vendor/haproxy-1.2.15) (revision 39233)
@@ -20,8 +20,8 @@
# By default, we use libc's regex. WARNING! On Solaris 8/Sparc, group
# references seem broken using libc ! Use pcre instead.
-REGEX=libc
-#REGEX=pcre
+#REGEX=libc
+REGEX=pcre
#REGEX=static-pcre
# tools options
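Review bot: The new `tproxy` branch documents the option only as `/* operate in client adress transparent mode */` (note the typo), yet it changes how every upstream connection is sourced and relies on kernel and routing support that the parser cannot verify; the comment should state the prerequisites, e.g. `/* tproxy: connect to servers from the client's own IP:port; presumably needs a tproxy-patched kernel and redirection rules so server replies come back through this host -- confirm */`. The branch also ignores any surplus arguments after the keyword; if the surrounding parser rejects those for other argument-less keywords (not visible in this hunk), this one should do the same. The enclosing parse function starts and ends outside the hunk.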