MAJOR: tproxy: remove support for cttproxy
This was the first transparent proxy technology supported by haproxy
circa 2005 but it was obsoleted in 2007 by Tproxy 4.0 which removed a
lot of the earlier versions' shortcomings and was finally merged into
the kernel. Since nobody has been using cttproxy for many years now
and nobody has even tried to compile the files, it's time to
remove it. The doc was updated as well.
diff --git a/src/backend.c b/src/backend.c
index 39efd17..6f0175c 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -953,7 +953,7 @@
*/
static void assign_tproxy_address(struct stream *s)
{
-#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_TRANSPARENT)
+#if defined(CONFIG_HAP_TRANSPARENT)
struct server *srv = objt_server(s->target);
struct conn_src *src;
struct connection *cli_conn;
diff --git a/src/cfgparse.c b/src/cfgparse.c
index a7d49c6..b5747ad 100644
--- a/src/cfgparse.c
+++ b/src/cfgparse.c
@@ -2630,7 +2630,7 @@
curproxy->conn_src.iface_name = strdup(defproxy.conn_src.iface_name);
curproxy->conn_src.iface_len = defproxy.conn_src.iface_len;
curproxy->conn_src.opts = defproxy.conn_src.opts;
-#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_TRANSPARENT)
+#if defined(CONFIG_HAP_TRANSPARENT)
curproxy->conn_src.tproxy_addr = defproxy.conn_src.tproxy_addr;
#endif
}
@@ -5898,15 +5898,7 @@
cur_arg = 2;
while (*(args[cur_arg])) {
if (!strcmp(args[cur_arg], "usesrc")) { /* address to use outside */
-#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_TRANSPARENT)
-#if !defined(CONFIG_HAP_TRANSPARENT)
- if (!is_inet_addr(&curproxy->conn_src.source_addr)) {
- Alert("parsing [%s:%d] : '%s' requires an explicit 'source' address.\n",
- file, linenum, "usesrc");
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-#endif
+#if defined(CONFIG_HAP_TRANSPARENT)
if (!*args[cur_arg + 1]) {
Alert("parsing [%s:%d] : '%s' expects <addr>[:<port>], 'client', or 'clientip' as argument.\n",
file, linenum, "usesrc");
@@ -5988,9 +5980,6 @@
curproxy->conn_src.opts |= CO_SRC_TPROXY_ADDR;
}
global.last_checks |= LSTCHK_NETADM;
-#if !defined(CONFIG_HAP_TRANSPARENT)
- global.last_checks |= LSTCHK_CTTPROXY;
-#endif
#else /* no TPROXY support */
Alert("parsing [%s:%d] : '%s' not allowed here because support for TPROXY was not compiled in.\n",
file, linenum, "usesrc");
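Review bot: Removing the `global.last_checks |= LSTCHK_CTTPROXY;` assignment here leaves the `LSTCHK_CTTPROXY` bit with no remaining writer in the visible hunks, and its last reader goes away in the haproxy.c @@ -1697 hunk; the same assignment is also removed in the server.c @@ -1531 hunk. The header that defines `LSTCHK_CTTPROXY`, the `proto/cttproxy.h` header whose include is dropped in haproxy.c, and `import/ip_tproxy.h` (included by the deleted src/cttproxy.c and by proto_tcp.c) are not part of this excerpt; if they still exist after this commit they are dead and should be removed in the same change so that no stale CTTPROXY symbol is left for a later build to pick up by accident. The privilege gate is unaffected: `LSTCHK_NETADM` is still set on the line above and is still compared against `global.uid` in haproxy.c, so `usesrc` continues to require full privileges. The enclosing parsing function starts and ends outside this hunk.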
@@ -8176,7 +8165,7 @@
}
}
-#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_TRANSPARENT)
+#if defined(CONFIG_HAP_TRANSPARENT)
if (curproxy->conn_src.bind_hdr_occ) {
curproxy->conn_src.bind_hdr_occ = 0;
Warning("config : %s '%s' : ignoring use of header %s as source IP in non-HTTP mode.\n",
@@ -8209,7 +8198,7 @@
err_code |= ERR_WARN;
}
-#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_TRANSPARENT)
+#if defined(CONFIG_HAP_TRANSPARENT)
if (curproxy->mode != PR_MODE_HTTP && newsrv->conn_src.bind_hdr_occ) {
newsrv->conn_src.bind_hdr_occ = 0;
Warning("config : %s '%s' : server %s cannot use header %s as source IP in non-HTTP mode.\n",
diff --git a/src/cttproxy.c b/src/cttproxy.c
deleted file mode 100644
index eaa4734..0000000
--- a/src/cttproxy.c
+++ /dev/null
@@ -1,65 +0,0 @@
-/*
- * Functions for managing transparent proxying with CTTPROXY.
- * This file should be compiled only if CTTPROXY is enabled.
- *
- * Copyright 2000-2008 Willy Tarreau <w@1wt.eu>
- *
- * This program is free software; you can redistribute it and/or
- * modify it under the terms of the GNU General Public License
- * as published by the Free Software Foundation; either version
- * 2 of the License, or (at your option) any later version.
- *
- */
-
-#include <errno.h>
-#include <fcntl.h>
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <unistd.h>
-
-#include <sys/socket.h>
-#include <sys/stat.h>
-#include <sys/types.h>
-
-#include <common/compat.h>
-#include <common/config.h>
-#include <common/time.h>
-
-#include <import/ip_tproxy.h>
-
-/*
- * Checks that CTTPROXY is available and in the right version.
- * Returns 0 if OK, -1 if wrong version, -2 if not available or other error.
- */
-int check_cttproxy_version() {
- struct in_tproxy itp1;
- int fd, ret;
-
- memset(&itp1, 0, sizeof(itp1));
-
- fd = socket(AF_INET, SOCK_STREAM, 0);
- if (fd == -1)
- return -2;
-
- itp1.op = TPROXY_VERSION;
- itp1.v.version = 0x02000000; /* CTTPROXY version 2.0 expected */
-
- ret = 0;
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp1, sizeof(itp1)) == -1) {
- if (errno == -EINVAL)
- ret = -1; /* wrong version */
- else
- ret = -2; /* not supported or other error */
- }
- close(fd);
- return ret;
-}
-
-
-/*
- * Local variables:
- * c-indent-level: 8
- * c-basic-offset: 8
- * End:
- */
diff --git a/src/haproxy.c b/src/haproxy.c
index 4ff05ab..ae790c4 100644
--- a/src/haproxy.c
+++ b/src/haproxy.c
@@ -102,10 +102,6 @@
#include <proto/task.h>
#include <proto/dns.h>
-#ifdef CONFIG_HAP_CTTPROXY
-#include <proto/cttproxy.h>
-#endif
-
#ifdef USE_OPENSSL
#include <proto/ssl_sock.h>
#endif
@@ -368,11 +364,8 @@
printf("Built without Lua support\n");
#endif
-#if defined(CONFIG_HAP_TRANSPARENT) || defined(CONFIG_HAP_CTTPROXY)
+#if defined(CONFIG_HAP_TRANSPARENT)
printf("Built with transparent proxy support using:"
-#if defined(CONFIG_HAP_CTTPROXY)
- " CTTPROXY"
-#endif
#if defined(IP_TRANSPARENT)
" IP_TRANSPARENT"
#endif
@@ -1697,22 +1690,6 @@
}
}
-#ifdef CONFIG_HAP_CTTPROXY
- if (global.last_checks & LSTCHK_CTTPROXY) {
- int ret;
-
- ret = check_cttproxy_version();
- if (ret < 0) {
- Alert("[%s.main()] Cannot enable cttproxy.\n%s",
- argv[0],
- (ret == -1) ? " Incorrect module version.\n"
- : " Make sure you have enough permissions and that the module is loaded.\n");
- protocol_unbind_all();
- exit(1);
- }
- }
-#endif
-
if ((global.last_checks & LSTCHK_NETADM) && global.uid) {
Alert("[%s.main()] Some configuration options require full privileges, so global.uid cannot be changed.\n"
"", argv[0]);
diff --git a/src/proto_tcp.c b/src/proto_tcp.c
index 2588ac9..c89360c 100644
--- a/src/proto_tcp.c
+++ b/src/proto_tcp.c
@@ -57,10 +57,6 @@
#include <proto/stream_interface.h>
#include <proto/task.h>
-#ifdef CONFIG_HAP_CTTPROXY
-#include <import/ip_tproxy.h>
-#endif
-
static int tcp_bind_listeners(struct protocol *proto, char *errmsg, int errlen);
static int tcp_bind_listener(struct listener *listener, char *errmsg, int errlen);
@@ -160,7 +156,6 @@
*
* The function supports multiple foreign binding methods :
* - linux_tproxy: we directly bind to the foreign address
- * - cttproxy: we bind to a local address then nat.
* The second one can be used as a fallback for the first one.
* This function returns 0 when everything's OK, 1 if it could not bind, to the
* local address, 2 if it could not bind to the foreign address.
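Review bot: After the `cttproxy` bullet is dropped, the sentence `The second one can be used as a fallback for the first one.` on the following line refers to a method that no longer appears in the list, and the comment now documents a single binding method. Either delete that sentence or reword the intro to `The function supports one foreign binding method :`; the @@ -263 hunk of the same file removes the only fallback code path, which confirms no second method remains. The function this comment describes is defined outside this hunk.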
@@ -263,25 +258,6 @@
if (!flags)
return 0;
-#ifdef CONFIG_HAP_CTTPROXY
- if (!foreign_ok && remote->ss_family == AF_INET) {
- struct in_tproxy itp1, itp2;
- memset(&itp1, 0, sizeof(itp1));
-
- itp1.op = TPROXY_ASSIGN;
- itp1.v.addr.faddr = ((struct sockaddr_in *)&bind_addr)->sin_addr;
- itp1.v.addr.fport = ((struct sockaddr_in *)&bind_addr)->sin_port;
-
- /* set connect flag on socket */
- itp2.op = TPROXY_FLAGS;
- itp2.v.flags = ITP_CONNECT | ITP_ONCE;
-
- if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp1, sizeof(itp1)) != -1 &&
- setsockopt(fd, SOL_IP, IP_TPROXY, &itp2, sizeof(itp2)) != -1) {
- foreign_ok = 1;
- }
- }
-#endif
if (!foreign_ok)
/* we could not bind to a foreign address */
return 2;
diff --git a/src/server.c b/src/server.c
index 1e24551..e88302b 100644
--- a/src/server.c
+++ b/src/server.c
@@ -1441,15 +1441,7 @@
cur_arg += 2;
while (*(args[cur_arg])) {
if (!strcmp(args[cur_arg], "usesrc")) { /* address to use outside */
-#if defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_TRANSPARENT)
-#if !defined(CONFIG_HAP_TRANSPARENT)
- if (!is_inet_addr(&newsrv->conn_src.source_addr)) {
- Alert("parsing [%s:%d] : '%s' requires an explicit '%s' address.\n",
- file, linenum, "usesrc", "source");
- err_code |= ERR_ALERT | ERR_FATAL;
- goto out;
- }
-#endif
+#if defined(CONFIG_HAP_TRANSPARENT)
if (!*args[cur_arg + 1]) {
Alert("parsing [%s:%d] : '%s' expects <addr>[:<port>], 'client', 'clientip', or 'hdr_ip(name,#)' as argument.\n",
file, linenum, "usesrc");
@@ -1531,9 +1523,6 @@
newsrv->conn_src.opts |= CO_SRC_TPROXY_ADDR;
}
global.last_checks |= LSTCHK_NETADM;
-#if !defined(CONFIG_HAP_TRANSPARENT)
- global.last_checks |= LSTCHK_CTTPROXY;
-#endif
cur_arg += 2;
continue;
#else /* no TPROXY support */
@@ -1541,7 +1530,7 @@
file, linenum, "usesrc");
err_code |= ERR_ALERT | ERR_FATAL;
goto out;
-#endif /* defined(CONFIG_HAP_CTTPROXY) || defined(CONFIG_HAP_TRANSPARENT) */
+#endif /* defined(CONFIG_HAP_TRANSPARENT) */
} /* "usesrc" */
if (!strcmp(args[cur_arg], "interface")) { /* specifically bind to this interface */