[MINOR] add transparent proxy support for balabit's Tproxy v4
Balabit's TPROXY version 4, which replaces CTTPROXY, provides a similar
API to the previous proxy, but relies on IP_FREEBIND instead of
IP_TRANSPARENT. Let's add it.
diff --git a/include/common/compat.h b/include/common/compat.h
index 3c51fb2..9cce1f5 100644
--- a/include/common/compat.h
+++ b/include/common/compat.h
@@ -66,8 +66,11 @@
#include <linux/netfilter_ipv4.h>
#endif
-/* On Linux, IP_TRANSPARENT generally requires a kernel patch */
+/* On Linux, IP_TRANSPARENT and/or IP_FREEBIND generally require a kernel patch */
#if defined(CONFIG_HAP_LINUX_TPROXY)
+#if !defined(IP_FREEBIND)
+#define IP_FREEBIND 15
+#endif /* !IP_FREEBIND */
#if !defined(IP_TRANSPARENT)
#define IP_TRANSPARENT 19
#endif /* !IP_TRANSPARENT */
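Review bot: The reworded comment above the `CONFIG_HAP_LINUX_TPROXY` block says IP_FREEBIND generally requires a kernel patch, but as far as I know the option itself is in mainline Linux and needs no privilege. What needs the patch is the transparent-proxy behaviour attached to it, and a maintainer reading the comment could assume a successful setsockopt proves the patch is present. I would write `/* IP_TRANSPARENT needs TPROXY support in the kernel; Balabit's TPROXY v4 patch reuses the stock IP_FREEBIND option instead */`. The fallback `#define IP_FREEBIND 15` also deserves a short comment saying the value mirrors `<linux/in.h>`.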
diff --git a/src/backend.c b/src/backend.c
index 8e1ec11..aadc650 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -1136,7 +1136,8 @@
#ifdef CONFIG_HAP_LINUX_TPROXY
static int ip_transp_working = 1;
if (flags && ip_transp_working) {
- if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0)
+ if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == 0
+ || setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)
foreign_ok = 1;
else
ip_transp_working = 0;
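Review bot: The `||` fallback sets `foreign_ok = 1` whenever IP_FREEBIND succeeds, regardless of why IP_TRANSPARENT failed. IP_FREEBIND is normally accepted on stock kernels without any capability, so a privilege failure on IP_TRANSPARENT (presumably EPERM) is now silently masked and `ip_transp_working` is never cleared. Consider falling back only when the kernel does not know the option, e.g. `|| (errno == ENOPROTOOPT && setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == 0)`, assuming `<errno.h>` is already in scope in this file. The same pattern is in the src/proto_tcp.c hunk, where the "cannot make listening socket transparent" alert will now almost never fire. The enclosing function starts and ends outside this hunk, so later handling of `foreign_ok` is not visible here.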
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 78d9367..d68941b 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -156,7 +156,8 @@
#endif
#ifdef CONFIG_HAP_LINUX_TPROXY
if ((listener->options & LI_O_FOREIGN)
- && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)) {
+ && (setsockopt(fd, SOL_IP, IP_TRANSPARENT, (char *) &one, sizeof(one)) == -1)
+ && (setsockopt(fd, SOL_IP, IP_FREEBIND, (char *) &one, sizeof(one)) == -1)) {
msg = "cannot make listening socket transparent";
err |= ERR_ALERT;
}