extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-20 09:47:51 +02:00
Code Issues Packages Projects Releases Wiki Activity

Make TPROXY actually work!

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2012-05-10 11:19:23 -07:00
parent 4d4fc315e0
commit 69d735ea0a
11 changed files with 144 additions and 132 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
Shorewall/Perl/Shorewall/Config.pm
View File

@ -4097,7 +4097,7 @@ sub get_configuration( $$$ ) {
fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30; fatal_error 'Invalid Packet Mark layout' if $config{ZONE_BITS} + $globals{ZONE_OFFSET} > 30;
$globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} ); $globals{EXCLUSION_MASK} = 1 << ( $globals{ZONE_OFFSET} + $config{ZONE_BITS} );
$globals{TPROXY_MASK} = $globals{EXCLUSION_MASK} << 1; $globals{TPROXY_MARK} = $globals{EXCLUSION_MASK} << 1;
$globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET}; $globals{PROVIDER_MIN} = 1 << $config{PROVIDER_OFFSET};
$globals{TC_MAX} = make_mask( $config{TC_BITS} ); $globals{TC_MAX} = make_mask( $config{TC_BITS} );

67
Shorewall/Perl/Shorewall/Providers.pm
View File

@ -396,8 +396,8 @@ sub process_a_provider() {
$gateway = ''; $gateway = '';
} }
my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $local , $load ) = my ( $loose, $track, $balance , $default, $default_balance, $optional, $mtu, $tproxy , $load ) =
(0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0 ); (0, $config{TRACK_PROVIDERS}, 0 , 0, $config{USE_DEFAULT_RT} ? 1 : 0, interface_is_optional( $interface ), '' , 0 , 0 );
unless ( $options eq '-' ) { unless ( $options eq '-' ) {
for my $option ( split_list $options, 'option' ) { for my $option ( split_list $options, 'option' ) {
@ -434,10 +434,10 @@ sub process_a_provider() {
} elsif ( $option eq 'fallback' ) { } elsif ( $option eq 'fallback' ) {
$default = -1; $default = -1;
$default_balance = 0; $default_balance = 0;
} elsif ( $option eq 'local' ) { } elsif ( $option eq 'tproxy' ) {
$local = 1; $tproxy = 1;
$track = 0 if $config{TRACK_PROVIDERS}; $track = 0 if $config{TRACK_PROVIDERS};
$default_balance = 0 if $config{USE_DEFAULT_RT}; $default_balance = 0 if $config{USE_DEFAULT_RT};
} elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) { } elsif ( $option =~ /^load=(0?\.\d{1,8})/ ) {
$load = $1; $load = $1;
require_capability 'STATISTIC_MATCH', "load=$load", 's'; require_capability 'STATISTIC_MATCH', "load=$load", 's';
@ -455,11 +455,12 @@ sub process_a_provider() {
$maxload += $load; $maxload += $load;
} }
if ( $local ) { if ( $tproxy ) {
fatal_error "GATEWAY not valid with 'local' provider" unless $gatewaycase eq 'none'; fatal_error "GATEWAY not valid with 'tproxy' provider" unless $gatewaycase eq 'none';
fatal_error "'track' not valid with 'local'" if $track; fatal_error "'track' not valid with 'tproxy'" if $track;
fatal_error "DUPLICATE not valid with 'local'" if $duplicate ne '-'; fatal_error "DUPLICATE not valid with 'tproxy'" if $duplicate ne '-';
fatal_error "MARK required with 'local'" unless $mark; fatal_error "MARK not allowed with 'tproxy'" if $mark ne '-';
$mark = $globals{TPROXY_MARK};
} }
my $val = 0; my $val = 0;
@ -471,24 +472,29 @@ sub process_a_provider() {
require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' ); require_capability( 'MANGLE_ENABLED' , 'Provider marks' , '' );
$val = numeric_value $mark; if ( $tproxy ) {
$val = $globals{TPROXY_MARK};
$pref = 1;
} else {
$val = numeric_value $mark;
fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val; fatal_error "Invalid Mark Value ($mark)" unless defined $val && $val;
verify_mark $mark; verify_mark $mark;
fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val; fatal_error "Invalid Mark Value ($mark)" unless ( $val & $globals{PROVIDER_MASK} ) == $val;
fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS}; fatal_error "Provider MARK may not be specified when PROVIDER_BITS=0" unless $config{PROVIDER_BITS};
for my $providerref ( values %providers ) { for my $providerref ( values %providers ) {
fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val; fatal_error "Duplicate mark value ($mark)" if numeric_value( $providerref->{mark} ) == $val;
}
$lastmark = $val;
$pref = 10000 + $number - 1;
} }
$pref = 10000 + $number - 1;
$lastmark = $val;
} }
unless ( $loose ) { unless ( $loose ) {
@ -526,7 +532,7 @@ sub process_a_provider() {
loose => $loose , loose => $loose ,
duplicate => $duplicate , duplicate => $duplicate ,
address => $address , address => $address ,
local => $local , tproxy => $tproxy ,
load => $load , load => $load ,
rules => [] , rules => [] ,
routes => [] , routes => [] ,
@ -578,7 +584,7 @@ sub add_a_provider( $$ ) {
my $loose = $providerref->{loose}; my $loose = $providerref->{loose};
my $duplicate = $providerref->{duplicate}; my $duplicate = $providerref->{duplicate};
my $address = $providerref->{address}; my $address = $providerref->{address};
my $local = $providerref->{local}; my $tproxy = $providerref->{tproxy};
my $load = $providerref->{load}; my $load = $providerref->{load};
my $dev = chain_base $physical; my $dev = chain_base $physical;
@ -600,7 +606,7 @@ sub add_a_provider( $$ ) {
$provider_interfaces{$interface} = $table; $provider_interfaces{$interface} = $table;
if ( $gatewaycase eq 'none' ) { if ( $gatewaycase eq 'none' ) {
if ( $local ) { if ( $tproxy ) {
emit 'run_ip route add local ' . ALLIP . " dev $physical table $number"; emit 'run_ip route add local ' . ALLIP . " dev $physical table $number";
} else { } else {
emit "run_ip route add default dev $physical table $number"; emit "run_ip route add default dev $physical table $number";
@ -632,12 +638,13 @@ CEOF
setup_interface_proc( $interface ); setup_interface_proc( $interface );
if ( $mark ne '-' ) { if ( $mark ne '-' ) {
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex $globals{PROVIDER_MASK} : ''; my $hexmark = in_hex( $mark );
my $mask = have_capability 'FWMARK_RT_MASK' ? '/' . in_hex( $globals{ $tproxy ? 'TPROXY_MARK' : 'PROVIDER_MASK' } ) : '';
emit ( "qt \$IP -$family rule del fwmark ${mark}${mask}" ) if $config{DELETE_THEN_ADD}; emit ( "qt \$IP -$family rule del fwmark ${hexmark}${mask}" ) if $config{DELETE_THEN_ADD};
emit ( "run_ip rule add fwmark ${mark}${mask} pref $pref table $number", emit ( "run_ip rule add fwmark ${hexmark}${mask} pref $pref table $number",
"echo \"qt \$IP -$family rule del fwmark ${mark}${mask}\" >> \${VARDIR}/undo_${table}_routing" "echo \"qt \$IP -$family rule del fwmark ${hexmark}${mask}\" >> \${VARDIR}/undo_${table}_routing"
); );
} }
@ -697,7 +704,7 @@ CEOF
qq( qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) , qq( qt \$IP -6 rule add from all table ) . DEFAULT_TABLE . qq( prio 32767\n) ,
qq(fi) ) if $family == F_IPV6; qq(fi) ) if $family == F_IPV6;
unless ( $local ) { unless ( $tproxy ) {
emit ''; emit '';
if ( $loose ) { if ( $loose ) {

63
Shorewall/Perl/Shorewall/Tc.pm
View File

@ -163,18 +163,16 @@ my @tcclasses;
my %tcclasses; my %tcclasses;
my %restrictions = ( tcpre => PREROUTE_RESTRICT , my %restrictions = ( tcpre => PREROUTE_RESTRICT ,
tproxy => PREROUTE_RESTRICT ,
tcpost => POSTROUTE_RESTRICT , tcpost => POSTROUTE_RESTRICT ,
tcfor => NO_RESTRICT , tcfor => NO_RESTRICT ,
tcin => INPUT_RESTRICT , tcin => INPUT_RESTRICT ,
tcout => OUTPUT_RESTRICT ); tcout => OUTPUT_RESTRICT ,
);
my $family; my $family;
# my $divertref; # DIVERT chain
# Variables supporting DIVERT
#
my $divert; #Next chain sequence number
my %diversions; #Map of marks -> chains. We use a hash rather than an array because mark values can be huge
# #
# Rather than initializing globals in an INIT block or during declaration, # Rather than initializing globals in an INIT block or during declaration,
@ -187,18 +185,17 @@ my %diversions; #Map of marks -> chains. We use a hash rather than an array
# able to re-initialize its dependent modules' state. # able to re-initialize its dependent modules' state.
# #
sub initialize( $ ) { sub initialize( $ ) {
$family = shift; $family = shift;
%classids = (); %classids = ();
@tcdevices = (); @tcdevices = ();
%tcdevices = (); %tcdevices = ();
@tcclasses = (); @tcclasses = ();
%tcclasses = (); %tcclasses = ();
%diversions = (); @devnums = ();
@devnums = (); $devnum = 0;
$devnum = 0; $sticky = 0;
$sticky = 0; $ipp2p = 0;
$ipp2p = 0; $divertref = 0;
$divert = 0;
} }
sub process_tc_rule( ) { sub process_tc_rule( ) {
@ -305,30 +302,18 @@ sub process_tc_rule( ) {
}, },
DIVERT => sub() { DIVERT => sub() {
fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest; fatal_error "Invalid DIVERT specification( $cmd/$rest )" if $rest;
fatal_error "DIVERT requires TC_EXPERT=Yes" unless $config{TC_EXPERT};
$chain = 'tcpre'; $chain = 'tproxy';
$cmd =~ /DIVERT\((.+?)\)$/; $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
$mark = $1;
fatal_error "Invalid DIVERT specification( $cmd )" unless defined $mark;
my $val = numeric_value( $mark );
validate_mark $val . '/' . in_hex( $globals{PROVIDER_MASK} );
my $divertref = $diversions{$val};
unless ( $divertref ) { unless ( $divertref ) {
$divertref = $diversions{$val} = new_chain( 'mangle', 'DIVERT' . ( $divert ? $divert : '' ) ); $divertref = new_chain( 'mangle', 'divert' );
$divert++; add_ijump( $divertref , j => 'MARK', targetopts => "--set-mark $mark" );
add_ijump( $divertref , j => 'MARK', targetopts => '--set-mark ' . in_hex( $val ) . '/' . in_hex( $globals{PROVIDER_MASK} ) );
add_ijump( $divertref , j => 'ACCEPT' ); add_ijump( $divertref , j => 'ACCEPT' );
} }
$target = $divertref->{name}; $target = 'divert';
$matches = '! --tcp-flags FIN,SYN,RST,ACK SYN -m socket --transparent '; $matches = '! --tcp-flags FIN,SYN,RST,ACK SYN -m socket --transparent ';
}, },
@ -337,7 +322,7 @@ sub process_tc_rule( ) {
fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest; fatal_error "Invalid TPROXY specification( $cmd/$rest )" if $rest;
$chain = 'tcpre'; $chain = 'tproxy';
$cmd =~ /TPROXY\((.+?)\)$/; $cmd =~ /TPROXY\((.+?)\)$/;
@ -345,7 +330,7 @@ sub process_tc_rule( ) {
fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params; fatal_error "Invalid TPROXY specification( $cmd )" unless defined $params;
( $mark, my $port, my $ip, my $bad ) = split ',', $params; ( my $port, my $ip, my $bad ) = split ',', $params;
fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad; fatal_error "Invalid TPROXY specification( $cmd )" if defined $bad;
@ -368,7 +353,7 @@ sub process_tc_rule( ) {
$target .= ' --tproxy-mark'; $target .= ' --tproxy-mark';
$mark = "$mark/" . in_hex( $globals{PROVIDER_MASK} ); $mark = in_hex( $globals{TPROXY_MARK} ) . '/' . in_hex( $globals{TPROXY_MARK} );
}, },
TTL => sub() { TTL => sub() {
fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6; fatal_error "TTL is not supported in IPv6 - use HL instead" if $family == F_IPV6;
@ -1958,6 +1943,7 @@ sub setup_tc() {
ensure_mangle_chain 'tcfor'; ensure_mangle_chain 'tcfor';
ensure_mangle_chain 'tcpost'; ensure_mangle_chain 'tcpost';
ensure_mangle_chain 'tcin'; ensure_mangle_chain 'tcin';
ensure_mangle_chain 'tproxy';
} }
my @mark_part; my @mark_part;
@ -1975,6 +1961,7 @@ sub setup_tc() {
} }
} }
add_ijump $mangle_table->{PREROUTING} , j => 'tproxy' if $mangle_table->{tproxy}{referenced};
add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part; add_ijump $mangle_table->{PREROUTING} , j => 'tcpre', @mark_part;
add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part; add_ijump $mangle_table->{OUTPUT} , j => 'tcout', @mark_part;

13
Shorewall/manpages/shorewall-providers.xml
View File

@ -270,6 +270,19 @@
<filename>shorewall.conf</filename>.</para> <filename>shorewall.conf</filename>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">tproxy</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
action in shorewall-tcrules(5). See <ulink
url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
When specified, the MARK, DUPLICATE and GATEWAY columns should
be empty, INTERFACE should be set to 'lo' and
<option>tproxy</option> should be the only OPTION.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>

37
Shorewall/manpages/shorewall-tcrules.xml
View File

@ -408,36 +408,29 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis role="bold">DIVERT</emphasis></para>
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed <para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed
each TPROXY rule and should specify the same the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
<replaceable>mark</replaceable> value. DIVERT avoids sending PORT tcp 80 respectively (assuming that tcp port 80 is being
packets to the TPROXY target once a socket connection to Squid3 proxied). DIVERT avoids sending packets to the TPROXY target
has been established by TPROXY. DIVERT marks the packet with the once a socket connection to Squid3 has been established by
specified <replaceable>mark</replaceable> and exempts it from TPROXY. DIVERT marks the packet with a unique mark and exempts
any rules that follow.</para> it from any rules that follow.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>[,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para> role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,<replaceable>address</replaceable>])</para>
<para>Transparently redirects a packet without altering the IP <para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink header. Requires a tproxy provider to be defined in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para> url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
<para>There are three parameters to TPROXY - only the first <para>There are three parameters to TPROXY - neither is
(mark) is required:</para> required:</para>
<itemizedlist> <itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall-providers.html">shorewall-providers</ulink>(5).</para>
</listitem>
<listitem> <listitem>
<para><replaceable>port</replaceable> - the port on which <para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original the proxy server is listening. If omitted, the original
@ -451,12 +444,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
request arrives.</para> request arrives.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note>
<para>A DIVERT rule specifying the same
<replaceable>mark</replaceable> value and other column values
should preceed each TPROXY rule.</para>
</note>
</listitem> </listitem>
<listitem> <listitem>

13
Shorewall6/manpages/shorewall6-providers.xml
View File

@ -245,6 +245,19 @@
column is assumed.</para> column is assumed.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><emphasis role="bold">tproxy</emphasis></term>
<listitem>
<para>Added in Shorewall 4.5.4. Used for supporting the TPROXY
action in shorewall-tcrules(5). See <ulink
url="http://www.shorewall.net/Shorewall_Squid_Usage.html">http://www.shorewall.net/Shorewall_Squid_Usage.html</ulink>.
When specified, the MARK, DUPLICATE and GATEWAY columns should
be empty, INTERFACE should be set to 'lo' and
<option>tproxy</option> should be the only OPTION.</para>
</listitem>
</varlistentry>
</variablelist> </variablelist>
</listitem> </listitem>
</varlistentry> </varlistentry>

31
Shorewall6/manpages/shorewall6-tcrules.xml
View File

@ -305,21 +305,20 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis role="bold">DIVERT</emphasis></para>
role="bold">DIVERT</emphasis>(<replaceable>mark</replaceable>)</para>
<para>Added in Shorewall 4.5.3. A DIVERT rule should preceed <para>Added in Shorewall 4.5.3. Two DIVERT rule should preceed
each TPROXY rule and should specify the same the TPROXY rule and should select DEST PORT tcp 80 and SOURCE
<replaceable>mark</replaceable> value. DIVERT avoids sending PORT tcp 80 respectively (assuming that tcp port 80 is being
packets to the TPROXY target once a socket connection to Squid3 proxied). DIVERT avoids sending packets to the TPROXY target
has been established by TPROXY. DIVERT marks the packet with the once a socket connection to Squid3 has been established by
specified <replaceable>mark</replaceable> and exempts it from TPROXY. DIVERT marks the packet with a unique mark and exempts
any rules that follow.</para> it from any rules that follow.</para>
</listitem> </listitem>
<listitem> <listitem>
<para><emphasis <para><emphasis
role="bold">TPROXY</emphasis>(<replaceable>mark</replaceable>][,[<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para> role="bold">TPROXY</emphasis>([<replaceable>port</replaceable>][,[<replaceable>address</replaceable>]]])</para>
<para>Transparently redirects a packet without altering the IP <para>Transparently redirects a packet without altering the IP
header. Requires a local provider to be defined in <ulink header. Requires a local provider to be defined in <ulink
@ -329,12 +328,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
(mark) is required:</para> (mark) is required:</para>
<itemizedlist> <itemizedlist>
<listitem>
<para><replaceable>mark</replaceable> - the MARK value
corresponding to the local provider in <ulink
url="shorewall6-providers.html">shorewall6-providers</ulink>(5).</para>
</listitem>
<listitem> <listitem>
<para><replaceable>port</replaceable> - the port on which <para><replaceable>port</replaceable> - the port on which
the proxy server is listening. If omitted, the original the proxy server is listening. If omitted, the original
@ -348,12 +341,6 @@ SAME $FW 0.0.0.0/0 tcp 80,443</programlisting>
request arrives.</para> request arrives.</para>
</listitem> </listitem>
</itemizedlist> </itemizedlist>
<note>
<para>A DIVERT rule specifying the same
<replaceable>mark</replaceable> value and other column values
should preceed each TPROXY rule.</para>
</note>
</listitem> </listitem>
<listitem> <listitem>

4
docs/PacketMarking.xml
View File

@ -398,6 +398,10 @@ tcp 6 19 TIME_WAIT src=206.124.146.176 dst=192.136.34.98 sport=58597 dport=
<command>shorewall update</command> (<command>shorewall6 update</command>) <command>shorewall update</command> (<command>shorewall6 update</command>)
command will set the above options based on the settings of WIDE_TC_MARKS command will set the above options based on the settings of WIDE_TC_MARKS
and HIGH_ROUTE_MARKS.</para> and HIGH_ROUTE_MARKS.</para>
<para>In Shorewall 4.5.4, a <firstterm>TPROXY mark</firstterm> was added
for TPROXY support. It is a single bit wide and is to the immediate left
of the exclusion mark.</para>
</section> </section>
<section id="Shorewall"> <section id="Shorewall">

46
docs/Shorewall_Squid_Usage.xml
View File

@ -312,15 +312,25 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
<section id="TPROXY"> <section id="TPROXY">
<title>Transparent with TPROXY</title> <title>Transparent with TPROXY</title>
<para>Shorewall 4.4.7 contains support for TPROXY. TPROXY differs from <para>Shorewall 4.5.4 contains support for TPROXY. TPROXY differs from
REDIRECT in that it does not modify the IP header. Because the IP header REDIRECT in that it does not modify the IP header and requires Squid 3 or
stays intact, TPROXY requires policy routing to direct the packets to the later. Because the IP header stays intact, TPROXY requires policy routing
proxy server running on the firewall. This approach requires TPROXY to direct the packets to the proxy server running on the firewall. This
support in your kernel and iptables and Squid 3. See <ulink approach requires TPROXY support in your kernel and iptables and Squid 3.
See <ulink
url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para> url="http://wiki.squid-cache.org/Features/Tproxy4">http://wiki.squid-cache.org/Features/Tproxy4</ulink>.</para>
<note>
<para>Support for the TPROXY action in shorewall-tcrules(5) and the
<option>local</option> option in shorewall-providers(5) has been
available since Shoreall 4.4.7. That support required additional rules
to be added in the 'start' extention script to make it work
reliable.</para>
</note>
<para>The following configuration works with Squid running on the firewall <para>The following configuration works with Squid running on the firewall
itself (assume that Squid is listening on port 3128).</para> itself (assume that Squid is listening on port 3129 for TPROXY
connections).</para>
<para><filename>/etc/shorewall/interfaces:</filename></para> <para><filename>/etc/shorewall/interfaces:</filename></para>
@ -330,21 +340,25 @@ ACCEPT $FW net tcp 80,443</programlisting></para>
<para><filename>/etc/shorewall/providers</filename>:</para> <para><filename>/etc/shorewall/providers</filename>:</para>
<programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY <programlisting>#NAME NUMBER MARK DUPLICATE INTERFACE GATEWAY OPTIONS COPY
Tproxy 1 1 - lo - local</programlisting> Tproxy 1 - - lo - tproxy</programlisting>
<note>
<para>Notice that the MARK, DUPLICATE and GATEWAY columns are empty and
that the only option is <option>tproxy</option>.</para>
</note>
<para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is <para><filename>/etc/shorewall/tcrules</filename> (assume loc interface is
eth1):</para> eth1):</para>
<programlisting>MARK SOURCE DEST PROTO PORT(S) <programlisting>MARK SOURCE DEST PROTO DEST SOURCE
DIVERT(1) eth1 0.0.0.0/0 tcp 80 PORT(S) PORT(S)
TPROXY(1,3128) eth1 0.0.0.0/0 tcp 80</programlisting> DIVERT - 0.0.0.0/0 tcp 80
DIVERT - 0.0.0.0/0 tcp - 80
TPROXY(3129) eth1 0.0.0.0/0 tcp 80</programlisting>
<note> <para>The DIVERT rules are used to avoid unnecessary invocation of TPROXY
<para>The DIVERT action was added in Shorewall 4.5.3; user's running for request packets after the connection is established and to direct
earlier versions of Shorewall will need to use the <ulink response packets back to Squid3.</para>
url="extension_scripts.htm">start extension script</ulink> to add the
DIVERT logic mentioned in the Squid article linked above.</para>
</note>
<para>/etc/shorewall/rules:</para> <para>/etc/shorewall/rules:</para>

BIN
docs/images/MarkGeometry.dia
View File

Binary file not shown.

BIN
docs/images/MarkGeometry.png
View File

Binary file not shown.
Side by Side Swipe Overlay

Before

Width:  |  Height:  |  Size: 18 KiB

After

Width:  |  Height:  |  Size: 19 KiB