Re: Transparent IPv6 proxying on OpenBSD

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 08 Mar 2012 13:50:38 +1300

On 08.03.2012 00:13, Marios Makassikis wrote:
<snip>
>
> I tried to find where the problem might be coming from, but I haven't
> found anything.
> Using debug_options, I had this message at some point:
>
> comm_openex: Opened socket local=[ client_ipv6_address ] remote=[::]
> FD 14 flags=1 : family=24, type=1, protocol=6
> Write.cc(132) HandleWrite: FD 14 write failure: (32) Broken pipe.
>
> write(2) manpage says the following:
> [EPIPE] An attempt is made to write to a socket of type
> SOCK_STREAM that is not connected to a peer socket.
>
> Which seems to confirm my suspicions.
> Is the remote address reported by comm_openex normal? I'd expect to
> see the destination's IP in there.

Your expectation is correct.
For outgoing connections comm_openex() should always receive a
destination IP address and port in the remote field.

<snip>
> diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc
> index 446b3ea..64e0891 100644
> --- a/src/ip/Intercept.cc
> +++ b/src/ip/Intercept.cc
<snip>
> @@ -428,8 +428,36 @@ Ip::Intercept::ProbeForTproxy(Ip::Address &test)
> }
> }
>
> -#else /* undefined IP_TRANSPARENT */
> - debugs(3, 3, "setsockopt(IP_TRANSPARENT) not supported on this
> platform. Disabling TPROXYv4.");
> +#elif _SQUID_OPENBSD_
> + debugs(3, 3, "Detect BINDANY support on port " << test);
> +
> + int tos = 1;
> + int tmp_sock = -1;
> +
> + if (test.IsIPv6()) {
> + debugs(3, 3, "...Probing for IPv6 SO_BINDANY support.");
> +
> + struct sockaddr_in6 tmp_ipv6;
> + struct in6_addr tempaddr = { };
> + if (!IN6_IS_ADDR_UNSPECIFIED(&tempaddr)) {
> + inet_pton(AF_INET6, "2001:db8:100::1", &tempaddr);
> + }
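
Review bot: the guard `if (!IN6_IS_ADDR_UNSPECIFIED(&tempaddr))` placed directly after `struct in6_addr tempaddr = { };` can never be true, because the zero-initialized address is `::`, so the `inet_pton()` call is never reached and the probe address stays unspecified. Drop the condition, call `inet_pton()` unconditionally, and check that it returns 1 before `tempaddr` is used. `struct sockaddr_in6 tmp_ipv6;` is also declared without an initializer; zero it before its fields are filled in so no stack garbage reaches the socket calls.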

The above is wrong. tempaddr should always meet the not-set test
immediately after being allocated.

+ struct in6_addr tempaddr = { };
+ inet_pton(AF_INET6, "2001:db8:100::1", &tempaddr);

Please also use an identifiably bogus address provided the test still
works reliably with it. The Linux tests use ::2 for this purpose.

Amos
Received on Thu Mar 08 2012 - 00:50:49 MST
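
The address-setup point from the reply above, as an added example that is not part of the original thread or of the Squid source: it puts the guard as posted in the patch next to the unconditional form using `::2`. The function names `probe_addr_as_posted` and `probe_addr_fixed` are hypothetical, and the `inet_pton()` return check is an addition of this example.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Guard as posted in the patch: a zeroed in6_addr is "::", so the negated
 * test is false and inet_pton() is never reached. Returns 1 if the probe
 * address was filled in, 0 if it is still unspecified. */
static int probe_addr_as_posted(struct in6_addr *out)
{
    struct in6_addr tempaddr;
    memset(&tempaddr, 0, sizeof(tempaddr));
    if (!IN6_IS_ADDR_UNSPECIFIED(&tempaddr)) {
        inet_pton(AF_INET6, "2001:db8:100::1", &tempaddr);
    }
    *out = tempaddr;
    return IN6_IS_ADDR_UNSPECIFIED(out) ? 0 : 1;
}

/* Unconditional form suggested in the reply, plus a result check (an
 * addition of this example). Returns 0 on success, -1 on failure. */
static int probe_addr_fixed(const char *text, struct sockaddr_in6 *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin6_family = AF_INET6;
    if (inet_pton(AF_INET6, text, &sa->sin6_addr) != 1)
        return -1;                      /* not a valid IPv6 literal */
    if (IN6_IS_ADDR_UNSPECIFIED(&sa->sin6_addr))
        return -1;                      /* "::" cannot serve as a probe target */
    return 0;
}

int main(void)
{
    struct in6_addr a;
    struct sockaddr_in6 sa;
    char buf[INET6_ADDRSTRLEN];

    printf("as posted: filled=%d\n", probe_addr_as_posted(&a));
    if (probe_addr_fixed("::2", &sa) == 0)
        printf("fixed: %s\n",
               inet_ntop(AF_INET6, &sa.sin6_addr, buf, sizeof(buf)));
    return 0;
}
```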
