[MEDIUM] check for cttproxy support when required

Previously, use of the "usesrc" keyword could silently fail if either the module was not loaded, or the user did not have enough permissions. Now the errors are better diagnosed and more appropriate advices are given.
2025-02-17 02:56:51 +00:00 · 2007-03-24 17:24:39 +01:00 · 2007-03-24 17:24:39 +01:00 · b38651a435
commit b38651a435
parent 8d9246d282
4 changed files with 140 additions and 2 deletions
--- a/6
+++ b/6
@ -94,7 +94,6 @@ ADDLIB =
 # set some defines when needed.
 # Known ones are -DENABLE_POLL, -DENABLE_EPOLL, and -DUSE_MY_EPOLL
 # - use -DTPROXY to compile with transparent proxy support.
-# - use -DCONFIG_HAP_CTTPROXY to enable full transparent proxy support
 DEFINE = -DTPROXY

 # Now let's determine the version, sub-version and release date.
@ -119,13 +118,16 @@ endif

 # do not change this one, enable USE_* variables instead.
 OPTIONS =
+OPT_OBJS =

 ifneq ($(USE_TCPSPLICE),)
 OPTIONS += -DCONFIG_HAP_TCPSPLICE
 endif

+# - set USE_CTTPROXY to enable full transparent proxy support
 ifneq ($(USE_CTTPROXY),)
 OPTIONS += -DCONFIG_HAP_CTTPROXY
+OPT_OBJS += src/cttproxy.o
 endif

 ifneq ($(USE_TPROXY),)
@ -199,7 +201,7 @@ OBJS = src/haproxy.o src/list.o src/chtbl.o src/hashpjw.o src/base64.o \
       src/proto_http.o src/stream_sock.o src/appsession.o src/backend.o \
       src/session.o src/hdr_idx.o src/rbtree.o

-haproxy: $(OBJS)
+haproxy: $(OBJS) $(OPT_OBJS)
 	$(LD) $(LDFLAGS) -o $@ $^ $(LIBS)

 objsize: haproxy
--- a/include/proto/cttproxy.h
+++ b/include/proto/cttproxy.h
@ -0,0 +1,47 @@
+/*
+  include/proto/cttproxy.h
+  This file contains prototypes for Linux's cttproxy interface.
+  This file should be included only if CTTPROXY is enabled.
+
+  Copyright (C) 2000-2007 Willy Tarreau - w@1wt.eu
+  
+  This library is free software; you can redistribute it and/or
+  modify it under the terms of the GNU Lesser General Public
+  License as published by the Free Software Foundation, version 2.1
+  exclusively.
+
+  This library is distributed in the hope that it will be useful,
+  but WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public
+  License along with this library; if not, write to the Free Software
+  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301  USA
+*/
+
+#ifndef _PROTO_CTTPROXY_H
+#define _PROTO_CTTPROXY_H
+
+#include <stdlib.h>
+#include <sys/socket.h>
+#include <sys/types.h>
+
+#include <common/config.h>
+#include <import/ip_tproxy.h>
+
+/*
+ * Checks that CTTPROXY is available and in the right version.
+ * Returns 0 if OK, -1 if wrong version, -2 if not available or other error.
+ */
+int check_cttproxy_version();
+
+
+#endif /* _PROTO_CTTPROXY_H */
+
+/*
+ * Local variables:
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ * End:
+ */
--- a/src/cttproxy.c
+++ b/src/cttproxy.c
@ -0,0 +1,64 @@
+/*
+ * Functions for managing transparent proxying with CTTPROXY.
+ * This file should be compiled only if CTTPROXY is enabled.
+ *
+ * Copyright 2000-2007 Willy Tarreau <w@1wt.eu>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ *
+ */
+
+#include <errno.h>
+#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include <common/compat.h>
+#include <common/config.h>
+#include <common/time.h>
+
+#include <types/global.h>
+
+#include <import/ip_tproxy.h>
+
+/*
+ * Checks that CTTPROXY is available and in the right version.
+ * Returns 0 if OK, -1 if wrong version, -2 if not available or other error.
+ */
+int check_cttproxy_version() {
+	struct in_tproxy itp1;
+	int fd;
+
+	memset(&itp1, 0, sizeof(itp1));
+		
+	fd = socket(AF_INET, SOCK_STREAM, 0);
+	if (fd == -1)
+		return -2;
+
+	itp1.op = TPROXY_VERSION;
+	itp1.v.version = 0x02000000; /* CTTPROXY version 2.0 expected */
+	
+	if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp1, sizeof(itp1)) == -1) {
+		if (errno == -EINVAL)
+			return -1; /* wrong version */
+		else
+			return -2; /* not supported or other error */
+	}
+	return 0;
+}
+
+
+/*
+ * Local variables:
+ *  c-indent-level: 8
+ *  c-basic-offset: 8
+ * End:
+ */
--- a/src/haproxy.c
+++ b/src/haproxy.c
@ -94,6 +94,10 @@
 #include <libtcpsplice.h>
 #endif

+#ifdef CONFIG_HAP_CTTPROXY
+#include <proto/cttproxy.h>
+#endif
+
 /*********************************************************************/

 /*********************************************************************/
@ -768,6 +772,27 @@ int main(int argc, char **argv)
 	}
 #endif

+#ifdef CONFIG_HAP_CTTPROXY
+	if (global.last_checks & LSTCHK_CTTPROXY) {
+		int ret;
+
+		ret = check_cttproxy_version();
+		if (ret < 0) {
+			Alert("[%s.main()] Cannot enable cttproxy.\n%s",
+			      argv[0],
+			      (ret == -1) ? "  Incorrect module version.\n"
+			      : "  Make sure you have enough permissions and that the module is loaded.\n");
+			exit(1);
+		}
+	}
+#endif
+
+	if ((global.last_checks & LSTCHK_NETADM) && global.uid) {
+		Alert("[%s.main()] Some configuration options require full privileges, so global.uid cannot be changed.\n"
+		      "", argv[0], global.gid);
+		exit(1);
+	}
+
 	if (nb_oldpids)
 		tell_old_pids(oldpids_sig);