Article delegate-en <_A4342@delegate-en.ML_>
[delegate-en/4342] [Reference:<_A4340@delegate-en.ML_>]
Newsgroups: mail-lists.delegate-en

[DeleGate-En] Re: Few questions about transparent proxy & srcif
10 Jan 2009 19:26:56 GMT "Master NoSFeRaTU" <peihqbdyi.ml@delegate.org>

2009/1/8 Yutaka Sato <feedback@delegate.org>:
> In message <_A4339@delegate-en.ML_> on 01/09/09(02:11:58) I wrote:
>  | |"odst.-" requires SO_ORIGINAL_DST option of setsockopt() and it is enabled
>  | |maybe only on Linux.  It is hardcoded as follows in "nbio.c".
>  |...
>  | |As this code shows, it requires SOL_IP and EOPNOTSUPP to be defined to
>  | |be enabled.  If it is not the case in FreeBSD, and SO_ORIGINAL_DST is
>  | |available, you can add the conditions for FreeBSD.
>  | |Anyway I'll modify the code to automatically detect the availability of
>  | |SO_ORIGINAL_DST in the next release.
>  |
>  |I noticed that maybe FreeBSD does not support SO_ORIGINAL_DST, but
>  |instead (?) it substitutes the result of getsockname() with the
>  |destination host and port.  I feel it unbelievably xxxy ;) because
>  |I don't know how I can get the real getsockname() of self, but anyway
>
> This is bad because a proxy will cause loop when a transparent-proxy
> is used also as a non-transparent-proxy and if the getsockname()
> returns the entrance port of itself (to be used as the destination
> address by "odst.-").
>
> But I noticed that I can get the real interface from the socket to
> be used to do accept() if the socket is not in wild-card as "-P9999"
> but bound to a specific interface as "-Pxxx:9999".  And even with a
> wild-card socket, we can detect whether the getsockname() is
> translated one or not if the port number is not the same.
>
> So I revised the modification as the enclosed patch.
>
>  |I can cope with it as the enclosed patch.  I confirmed it to work
>  |by the following test:
>  |
>  |  XXX.1% sudo ipfw add 1000 fwd 127.0.0.1:9999 tcp from YYY to any 80
>  |  XXX.2% delegated -fv -P9999 SERVER=http://odst.-:-
>  |  YYY.3% sudo route add -host 210.155.199.28 XXX
>  |  YYY.5% telnet www.delegate.org 80
>  |  GET / HTTP/1.0
>  |  Host: www.delegate.org
>  |
>
> I should have said that I'm testing these under MacOSX.  I also have
> FreeBSD (4, 5, 6 and 7 for testing the binary distribution of DeleGate) but
> "ipfw fwd" on them fail with "ipfw: getsockopt(IP_FW_ADD): Invalid argument"
> (and I'm not so interested in FreeBSD:p)
Seems a kernel rebuild with "options IPFIREWALL_FORWARD" is required.

> Using the same proxy under the same configuration, with the patch,
> I confirmed it can be used also as a virtual Host based proxy and
> a usual proxy, and an origin server by the following test.
Thanks. I patched 9.9.0 with the attached patch & confirmed that transparent
proxy now works on FreeBSD 6.3-p2 with a configuration like:
-P127.0.0.1:3128
SRCIF=192.168.77.11
SERVER="tcprelay://odst.-:-/*"
RELAY=vhost

But it seems at least error reporting to the client and proxy forwarding in
transparent mode are broken. The client receives a blank white page in both
cases.
PS. Seems you missed my second question about SRCIF and disabling
default gateway routing (Q2 in my first mail).

Additional information:
If I add a string for proxy forwarding like:
PROXY="XX.XX.XX.XX:3128:*,!192.168.0.0/16,!10.130.0.0/16,!10.250.0.0/16,!212.3.128.0/19"

I receive a blank white page, log:
1/10 21:32:25.29 [22379] 1+0: -- Fork(SequentialServer): 22370 -> 22379
01/10 21:32:25.33 [22379] 1+1: ##NAT clif/localhost:3129 odst/ya.RU:80
clnt/n100.p100.internet.gnet:17778
01/10 21:32:25.33 [22379] 1+1: (0) accepted [37]
-@[10.1.100.100]n100.p100.internet.gnet:17778
##NAT213.180.204.8/ya.RU:80 (0.045s)(1)
01/10 21:32:25.34 [22379] 1+1: ##NAT (3) redirect: 213.180.204.8:80
(odst.-:8701)
01/10 21:32:25.34 [22379] 1+1: ##NAT mapped port 80 <- 8701 80 [0](3)
01/10 21:32:25.34 [22379] 1+1: PATH:
tcprelay://213.180.204.8:80!ya.RU:80!n100.p100.internet.gnet:17778!anonymous@n100.p100.internet.gnet;1231612345
01/10 21:32:25.34 [22379] 1+1: default netmask 127.0.0.1/. = FFFFFF00
01/10 21:32:25.34 [22379] 1+1: ## hostIFto 10.1.100.100 < 10.1.100.1 (ff000000)
01/10 21:32:25.36 [22379] 1+1: ROUTE: tcprelay://XX.XX.XX.XX:3128//
01/10 21:32:25.36 [22379] 1+1: [14] source port = 192.168.77.11:0 =
192.168.77.11:51154
01/10 21:32:25.47 [22379] 1+1: ConnectToServer connected [14]
{XX.XX.XX.XX:3128 <- 192.168.77.11:51154} [0.116s]
01/10 21:32:25.47 [22379] 1+1: willSTLS_SV: ServerFlags=10000000
01/10 21:32:25.86 [22379] 1+1: MASTER[-1] says(1): DeleGate-HELLO
9.8.2-pre41 <11293.1231612346@xx..ru>^M
01/10 21:32:25.86 [22379] 1+1: forwarding to [14] delegate://XX.XX.ru:3128
01/10 21:32:27.18 [22379] 1+1: MASTER[-1] says(2): 200 OK: good^M
01/10 21:32:27.18 [22379] 1+1: willSTLS_SV: ServerFlags=10000000
01/10 21:32:27.18 [22379] 1+1: relays(2) start: timeout=600000msec
01/10 21:32:27.27 [22379] 1+1: relays[1]: [14->EOF] -1(-1i+0o)
01/10 21:32:27.27 [22379] 1+1: relays[0]: [37->14] 380 bytes / 1 -> 380
01/10 21:32:27.27 [22379] 1+1: relays[1]: [14->37] -1 bytes / 1 -> 0
01/10 21:32:27.27 [22379] 1+1: disconnected [37]
-@[10.1.100.100]n100.p100.internet.gnet:17778
##NAT213.180.204.8/ya.RU:80 (1.983s)(0)
01/10 21:32:27.36 [22370] 1+0: AcceptByMain: locked out*1/0 by Sticky*1 0/0
01/10 21:32:27.36 [22379] 1+2: ##NAT clif/localhost:3129 odst/ya.RU:80
clnt/n100.p100.internet.gnet:17779
01/10 21:32:27.36 [22379] 1+2: (0) accepted [39]
-@[10.1.100.100]n100.p100.internet.gnet:17779
##NAT213.180.204.8/ya.RU:80 (0.001s)(1)
01/10 21:32:27.36 [22379] 1+2: ##NAT (3) redirect: 213.180.204.8:80
(odst.-:8701)
01/10 21:32:27.36 [22379] 1+2: ##NAT mapped port 80 <- 8701 80 [0](3)
01/10 21:32:27.36 [22379] 1+2: PATH:
tcprelay://213.180.204.8:80!ya.RU:80!n100.p100.internet.gnet:17779!anonymous@n100.p100.internet.gnet;1231612347
01/10 21:32:27.36 [22379] 1+2: default netmask 127.0.0.1/. = FFFFFF00
01/10 21:32:27.36 [22379] 1+2: ROUTE: tcprelay://XX.XX.XX.XX:3128//
01/10 21:32:27.36 [22379] 1+2: [22] source port = 192.168.77.11:0 =
192.168.77.11:49973
01/10 21:32:27.69 [22379] 1+2: ConnectToServer connected [22]
{XX.XX.XX.XX:3128 <- 192.168.77.11:49973} [0.324s]
01/10 21:32:27.69 [22379] 1+2: willSTLS_SV: ServerFlags=10000000
01/10 21:32:27.80 [22379] 1+2: MASTER[-1] says(1): DeleGate-HELLO
9.8.2-pre41 <11293.1231612348@xx..ru>^M
01/10 21:32:27.80 [22379] 1+2: forwarding to [22] delegate://XX.XX.ru:3128
01/10 21:32:33.40 [22379] 1+2: MASTER[-1] says(2): 200 OK: good^M
01/10 21:32:33.40 [22379] 1+2: willSTLS_SV: ServerFlags=10000000
01/10 21:32:33.40 [22379] 1+2: relays(2) start: timeout=600000msec
01/10 21:32:33.48 [22379] 1+2: relays[1]: [22->EOF] -1(-1i+0o)
01/10 21:32:33.48 [22379] 1+2: relays[0]: [39->22] 351 bytes / 1 -> 351
01/10 21:32:33.48 [22379] 1+2: relays[1]: [22->39] -1 bytes / 1 -> 0
01/10 21:32:33.48 [22379] 1+2: disconnected [39]
-@[10.1.100.100]n100.p100.internet.gnet:17779
##NAT213.180.204.8/ya.RU:80 (6.120s)(0)
01/10 21:32:34.14 [22379] 1+3: ##NAT clif/localhost:3129 odst/ya.RU:80
clnt/n100.p100.internet.gnet:17792
01/10 21:32:34.14 [22379] 1+3: (0) accepted [51]
-@[10.1.100.100]n100.p100.internet.gnet:17792
##NAT213.180.204.8/ya.RU:80 (0.002s)(1)
01/10 21:32:34.14 [22379] 1+3: ##NAT (3) redirect: 213.180.204.8:80
(odst.-:8701)
01/10 21:32:34.14 [22379] 1+3: ##NAT mapped port 80 <- 8701 80 [0](3)
01/10 21:32:34.14 [22379] 1+3: PATH:
tcprelay://213.180.204.8:80!ya.RU:80!n100.p100.internet.gnet:17792!anonymous@n100.p100.internet.gnet;1231612354
01/10 21:32:34.14 [22379] 1+3: default netmask 127.0.0.1/. = FFFFFF00
01/10 21:32:34.14 [22379] 1+3: ROUTE: tcprelay://XX.XX.XX.XX:3128//
01/10 21:32:34.14 [22379] 1+3: [24] source port = 192.168.77.11:0 =
192.168.77.11:60961
01/10 21:32:34.22 [22379] 1+3: ConnectToServer connected [24]
{XX.XX.XX.XX:3128 <- 192.168.77.11:60961} [0.081s]
01/10 21:32:34.22 [22379] 1+3: willSTLS_SV: ServerFlags=10000000
01/10 21:32:35.56 [22379] 1+3: MASTER[-1] says(1): DeleGate-HELLO
9.8.2-pre41 <11964.1231612356@xx..ru>^M
01/10 21:32:35.56 [22379] 1+3: forwarding to [24] delegate://XX.XX.ru:3128
01/10 21:32:45.56 [22379] 1+3: MASTER closed
01/10 21:32:45.56 [22379] 1+3: E-C: Can't connect:
n100.p100.internet.gnet:17792 => tcprelay://213.180.204.8:80 (noRoute)
01/10 21:32:45.56 [22379] 1+3: willSTLS_SV: ServerFlags=0
01/10 21:32:45.56 [22379] 1+3: disconnected [51]
-@[10.1.100.100]n100.p100.internet.gnet:17792
##NAT213.180.204.8/ya.RU:80 (11.423s)(0)
01/10 21:33:15.58 [22379] 1+3: StickyServer done [timeout] 3 req /
3+0/1 conn / 50 sec

If I add, for example, REJECT="*", then the same blank white page appears
instead of the expected access error message, log:
01/10 21:37:22.49 [23849] 1+0: -- Fork(SequentialServer): 23844 -> 23849
01/10 21:37:22.50 [23849] 1+1: ##NAT clif/localhost:3129
odst/noc.masterhost.RU:80 clnt/n100.p100.internet.gnet:18304
01/10 21:37:22.50 [23849] 1+1: (0) accepted [29]
-@[10.1.100.100]n100.p100.internet.gnet:18304
##NAT217.16.22.60/noc.masterhost.RU:80 (0.007s)(1)
01/10 21:37:22.50 [23849] 1+1: ##NAT (3) redirect: 217.16.22.60:80 (odst.-:8701)
01/10 21:37:22.50 [23849] 1+1: ##NAT mapped port 80 <- 8701 80 [0](3)
01/10 21:37:22.50 [23849] 1+1: PATH:
tcprelay://217.16.22.60:80!noc.masterhost.RU:80!n100.p100.internet.gnet:18304!anonymous@n100.p100.internet.gnet;1231612642
01/10 21:37:22.50 [23849] 1+1: default netmask 127.0.0.1/. = FFFFFF00
01/10 21:37:22.50 [23849] 1+1: ## hostIFto 10.1.100.100 < 10.1.100.1 (ff000000)
01/10 21:37:22.50 [23849] 1+1: default netmask 127.0.0.1/. = FFFFFF00
01/10 21:37:22.50 [23849] 1+1: E-P: No permission:
n100.p100.internet.gnet:18304 => tcprelay://217.16.22.60:80 (matched
REJECT)
01/10 21:37:22.50 [23849] 1+1: bind_insock(14,127.0.0.1,0) = 0, errno=0
01/10 21:37:23.50 [23849] 1+1: ## connect[14] TIMEOUT(1000)
01/10 21:37:23.50 [23849] 1+1: ### IDENT
CONNECT(n100.p100.internet.gnet:113) TIMEOUT(1000ms) (60)
(UNIX) 21:37:23.538 [23849] connect(22) REFUSED*1, retry after 500ms ...
01/10 21:37:24.05 [23849] 1+1: [22] doDelay connect failed
127.0.0.1:65107 [0.51s] errno=61
01/10 21:37:24.07 [23849] 1+1: doDelay: clear old errors:
count=17,age=991,delay=60
01/10 21:37:24.07 [23849] 1+1: E-C: Can't connect:
n100.p100.internet.gnet:18304 => tcprelay://217.16.22.60:80 (?)
01/10 21:37:24.07 [23849] 1+1: willSTLS_SV: ServerFlags=0
01/10 21:37:24.07 [23849] 1+1: disconnected [29]
-@[10.1.100.100]n100.p100.internet.gnet:18304
##NAT217.16.22.60/noc.masterhost.RU:80 (1.584s)(0)
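
The getsockname()-based detection Yutaka describes above (a wildcard "-P9999" socket versus one bound as "-Pxxx:9999", and the loop hazard when getsockname() merely returns the proxy's own entrance) written out as an added C example; this is not DeleGate's code or its patch, and the IP addresses in check_case() are constructed test values:

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdbool.h>
#include <string.h>
#include <sys/socket.h>
#if defined(__linux__)
#include <linux/netfilter_ipv4.h>   /* SO_ORIGINAL_DST */
#endif

/* Is the local address reported by getsockname() on an accepted socket a
 * translated original destination (ipfw "fwd" style), or just the entrance
 * the proxy itself listens on?  'lsn' is the address bound with -P.
 * Returns false whenever the evidence is ambiguous, so a caller never uses
 * its own entrance port as "odst" and connects back to itself (the loop). */
bool is_translated_dst(const struct sockaddr_in *lsn,
                       const struct sockaddr_in *local)
{
    if (local->sin_port != lsn->sin_port)
        return true;                    /* different port: must be translated */
    if (lsn->sin_addr.s_addr == htonl(INADDR_ANY))
        return false;                   /* wildcard + same port: undecidable */
    return local->sin_addr.s_addr != lsn->sin_addr.s_addr;
}

/* Build a sockaddr_in from a dotted quad and a host-order port. */
struct sockaddr_in mk_addr(const char *ip, unsigned short port)
{
    struct sockaddr_in a;
    memset(&a, 0, sizeof a);
    a.sin_family = AF_INET;
    a.sin_port = htons(port);
    inet_pton(AF_INET, ip, &a.sin_addr);
    return a;
}

/* Convenience wrapper: listening address vs. getsockname() result. */
bool check_case(const char *lip, unsigned short lport,
                const char *cip, unsigned short cport)
{
    struct sockaddr_in l = mk_addr(lip, lport), c = mk_addr(cip, cport);
    return is_translated_dst(&l, &c);
}

/* Recover the original destination of an accepted socket: on Linux ask
 * netfilter (SO_ORIGINAL_DST); otherwise use the BSD behaviour from the
 * thread, where getsockname() returns the forwarded destination, guarded by
 * is_translated_dst().  Returns 0 on success, -1 if not redirected/failed. */
int original_dst(int fd, const struct sockaddr_in *lsn, struct sockaddr_in *out)
{
    socklen_t len = sizeof *out;
#if defined(__linux__)
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, out, &len) == 0)
        return 0;
#endif
    if (getsockname(fd, (struct sockaddr *)out, &len) != 0)
        return -1;
    return is_translated_dst(lsn, out) ? 0 : -1;
}
```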
