* [PATCH] Squid: Exclude remote OpenVPN-N2N subnet from transparent proxy
@ 2018-06-18 18:32 Erik Kapfer
2018-06-19 10:39 ` Michael Tremer
2018-06-19 13:53 ` [PATCH] " Erik Kapfer
0 siblings, 2 replies; 5+ messages in thread
From: Erik Kapfer @ 2018-06-18 18:32 UTC (permalink / raw)
To: development
Patch is from bug #11614
With the request to deliver it for further review to the dev mailing list.
Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
src/initscripts/system/squid | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid
index 7255c0a..267a416 100644
--- a/src/initscripts/system/squid
+++ b/src/initscripts/system/squid
@@ -37,6 +37,17 @@ transparent() {
iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
done < $FILE
+ FILE=/var/ipfire/ovpn/ovpnconfig
+
+ while read LINE; do
+ let COUNT=$COUNT+1
+ CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'`
+ if [ "$CONN_TYPE" != "net" ]; then
+ continue
+ fi
+ iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
+ done < $FILE
+
if [ "$RED_TYPE" == "STATIC" ]; then
iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
fi
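Review bot: in the added OpenVPN loop, `let COUNT=$COUNT+1` increments a variable that is never initialised or read in this hunk, and `FILE=/var/ipfire/ovpn/ovpnconfig` is assigned only to be consumed once at `done < $FILE`; drop the counter and redirect from the path directly. The `-d` argument is an unquoted backtick substitution of field 13 embedded in the iptables command, so an empty or malformed field reaches iptables as a bare `-d`; read the record into named variables first (`CONN_TYPE`, `REMOTE_SUBNET`), skip the record when the subnet is empty, and then build the rule. Two smaller points on the same loop: `read` without `-r` strips backslashes, and a `while read` loop drops a final record that lacks a trailing newline.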
--
2.7.4
* Re: [PATCH] Squid: Exclude remote OpenVPN-N2N subnet from transparent proxy
From: Michael Tremer @ 2018-06-19 10:39 UTC (permalink / raw)
To: development
Hi,
I think we have to rework that code a little. It is hard to understand.
On Mon, 2018-06-18 at 20:32 +0200, Erik Kapfer wrote:
> Patch is from bug #11614
> With the request to deliver it for further review to the dev mailing list.
>
> Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> ---
> src/initscripts/system/squid | 11 +++++++++++
> 1 file changed, 11 insertions(+)
>
> diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid
> index 7255c0a..267a416 100644
> --- a/src/initscripts/system/squid
> +++ b/src/initscripts/system/squid
> @@ -37,6 +37,17 @@ transparent() {
> iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk
> -F, '{ print $13 }'` --dport 80 -j RETURN
> done < $FILE
>
> + FILE=/var/ipfire/ovpn/ovpnconfig
Not sure why this is variable since it is only used once.
> +
> + while read LINE; do
> + let COUNT=$COUNT+1
COUNT is never initialized and never used either.
> + CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'`
> + if [ "$CONN_TYPE" != "net" ]; then
> + continue
> + fi
The following iptables line is missing a tab.
> + iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk
> -F, '{ print $13 }'` --dport 80 -j RETURN
It is not clear what the command should be like.
I think it is best to use while read ...; do ... done to walk through the file
line by line and put the values into a variable with a good name. That will
avoid confusion later.
> + done < $FILE
> +
> if [ "$RED_TYPE" == "STATIC" ]; then
> iptables -t nat -A SQUID -i $1 -p tcp -d
> $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
> fi
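Review bot: the quoted OpenVPN loop is a line-for-line copy of the IPsec loop that precedes it in `transparent()`, differing only in the input path, so any later fix to the parsing (field numbers, quoting, empty-field handling) has to be made twice. Once the loop is rewritten with named variables as suggested above, move it into one helper that takes the config path as an argument and call it for `/var/ipfire/vpn/config` and `/var/ipfire/ovpn/ovpnconfig`.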
Erik, would you please rework this patch?
Best,
-Michael
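As an added example (not code from the IPFire tree or from anyone in this thread), here is the loop Michael describes written as a small POSIX sh function: each record is read line by line, the fields the patch uses (5 = connection type, 13 = remote subnet) go into named variables, and the subnet is checked to be a single CIDR before it would be handed to `iptables -d`. The sample records and the `green0` interface name are constructed for this example, and the rule is printed rather than applied so the script can run anywhere.

```shell
#!/bin/sh
# Added example, not IPFire's initscript: parse comma-separated VPN connection
# records the way the patch does (field 5 = connection type, field 13 = remote
# subnet) and emit the SQUID-chain bypass rule for every net-to-net record.

# Constructed sample records in the comma-separated layout the patch reads;
# record 4 deliberately carries a malformed subnet field.
SAMPLE_VPN_CONFIG='1,on,branch1,,net,,,,,,,,10.1.0.0/24,notes
2,on,roadwarrior,,host,,,,,,,,,
3,off,branch2,,net,,,,,,,,10.3.0.0/16
4,on,odd,,net,,,,,,,,10.4.0.0/24 10.5.0.0/24'

# True when $1 is exactly one IPv4 network in CIDR notation.
is_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Read records from stdin; print the remote subnet of every "net" record whose
# subnet field is a single CIDR, and report the rest on stderr.
vpn_net_remote_subnets() {
    # IFS= and -r keep the line intact; '|| [ -n "$line" ]' still processes a
    # final record that has no trailing newline, which plain 'while read' drops.
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        conn_type=$(printf '%s\n' "$line" | awk -F, '{ print $5 }')
        remote_subnet=$(printf '%s\n' "$line" | awk -F, '{ print $13 }')
        [ "$conn_type" = "net" ] || continue
        if is_cidr "$remote_subnet"; then
            printf '%s\n' "$remote_subnet"
        else
            record_id=$(printf '%s\n' "$line" | awk -F, '{ print $1 }')
            printf 'record %s: subnet field "%s" is not a single CIDR, skipping\n' \
                "$record_id" "$remote_subnet" >&2
        fi
    done
}

# Print (do not apply) the RETURN rule for each subnet, for interface $1.
squid_bypass_rules() {
    iface=$1
    vpn_net_remote_subnets | while IFS= read -r subnet; do
        printf 'iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN\n' \
            "$iface" "$subnet"
    done
}

# Dry run over the constructed sample: two rules on stdout, one skip on stderr.
printf '%s\n' "$SAMPLE_VPN_CONFIG" | squid_bypass_rules green0
```

Replacing the final `printf` with `squid_bypass_rules "$1" < /var/ipfire/ovpn/ovpnconfig` and `eval`-free execution of the printed command is the only change needed to turn the dry run into the real thing; the point of the `is_cidr` gate is that a record with an empty or multi-valued subnet field is logged and skipped instead of producing a broken or wrong rule.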
* [PATCH v2] squid: Exclude OpenVPN remote subnets from transparent proxy
From: Erik Kapfer @ 2018-06-19 14:41 UTC (permalink / raw)
To: development
Fix for bug #11614
Set a different variable name for better understanding.
Set another variable for the remote subnet search to make the IPTables command more understandable.
Deleted COUNTER lines since they are never used.
Deleted the variables for the VPN configuration files since both are used only once.
All changes have also been applied to the IPSec section.
Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
src/initscripts/system/squid | 22 +++++++++++++++-------
1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid
index 7255c0a..81a132b 100644
--- a/src/initscripts/system/squid
+++ b/src/initscripts/system/squid
@@ -25,17 +25,25 @@ transparent() {
exit 1
fi
- COUNT=1
- FILE=/var/ipfire/vpn/config
+ # Exclude IPSec N2N remote subnets from transparent proxy
+ while read IPSECREMOTENET; do
+ CONN_TYPE=$(echo "$IPSECREMOTENET" | awk -F, '{ print $5 }')
+ IPSEC_REMOTE_SUBNET=$(echo "$IPSECREMOTENET" | awk -F, '{ print $13 }')
+ if [ "$CONN_TYPE" != "net" ]; then
+ continue
+ fi
+ iptables -t nat -A SQUID -i $1 -p tcp -d ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN
+ done < /var/ipfire/vpn/config
- while read LINE; do
- let COUNT=$COUNT+1
- CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'`
+ # Exclude OpenVPN N2N remote subnets from transparent proxy
+ while read OVPNREMOTENET; do
+ CONN_TYPE=$(echo "$OVPNREMOTENET" | awk -F, '{ print $5 }')
+ OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET" | awk -F, '{ print $13 }')
if [ "$CONN_TYPE" != "net" ]; then
continue
fi
- iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
- done < $FILE
+ iptables -t nat -A SQUID -i $1 -p tcp -d ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN
+ done < /var/ipfire/ovpn/ovpnconfig
if [ "$RED_TYPE" == "STATIC" ]; then
iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
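Review bot: the loop variables `IPSECREMOTENET` and `OVPNREMOTENET` hold a whole config record, not a network, so the names mislead the next reader; `while read -r IPSEC_CONFIG_LINE` (and likewise for OpenVPN) says what they contain, and `-r` also stops `read` from eating backslashes. The two loops in this hunk are otherwise identical apart from the input path and variable prefix; a single helper called once per file would remove the duplication. Finally, `-i $1` is unquoted in both iptables lines and the subnet variable is not checked for being empty before it is passed as `-d ${IPSEC_REMOTE_SUBNET}`; add `[ -n "$IPSEC_REMOTE_SUBNET" ] || continue` after the type check.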
--
2.7.4
* [PATCH] squid: Exclude OpenVPN remote subnets from transparent proxy
From: Erik Kapfer @ 2018-06-19 13:53 UTC (permalink / raw)
To: development
Fix for bug #11614
Some cosmetic changes have also been made in the IPSec subnet exclusion section.
Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
---
src/initscripts/system/squid | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid
index 7255c0a..9c11255 100644
--- a/src/initscripts/system/squid
+++ b/src/initscripts/system/squid
@@ -25,17 +25,23 @@ transparent() {
exit 1
fi
- COUNT=1
- FILE=/var/ipfire/vpn/config
+ # Exclude IPSec N2N remote subnets from transparent proxy
+ while read IPSECREMOTESUBNET; do
+ CONN_TYPE=$(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $5 }')
+ if [ "$CONN_TYPE" != "net" ]; then
+ continue
+ fi
+ iptables -t nat -A SQUID -i $1 -p tcp -d $(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $13 }') --dport 80 -j RETURN
+ done < /var/ipfire/vpn/config
- while read LINE; do
- let COUNT=$COUNT+1
- CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'`
+ # Exclude OpenVPN N2N remote subnets from transparent proxy
+ while read OVPNREMOTESUBNET; do
+ CONN_TYPE=$(echo "$OVPNREMOTESUBNET" | awk -F, '{ print $5 }')
if [ "$CONN_TYPE" != "net" ]; then
continue
fi
- iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
- done < $FILE
+ iptables -t nat -A SQUID -i $1 -p tcp -d $(echo "$OVPNREMOTESUBNET" | awk -F, '{ print $13 }') --dport 80 -j RETURN
+ done < /var/ipfire/ovpn/ovpnconfig
if [ "$RED_TYPE" == "STATIC" ]; then
iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
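Review bot: the `-d $(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $13 }')` substitution is still embedded in the iptables command in both loops, which is the readability problem raised in the first review; extract field 13 into its own variable next to `CONN_TYPE` and reference that in the rule. The loop variables `IPSECREMOTESUBNET` and `OVPNREMOTESUBNET` also name a subnet while holding the entire config record, so a later reader will assume the wrong contents; rename them to describe the line. As in the earlier version, `read` lacks `-r` and nothing skips a record whose subnet field is empty.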
--
2.7.4
* Re: [PATCH v2] squid: Exclude OpenVPN remote subnets from transparent proxy
From: ummeegge @ 2018-06-19 18:23 UTC (permalink / raw)
To: development
Hi Tom,
I don't think so, since the internal VPN configs do their config field separation via comma. In this case only the 13th field will be read out.
Erik
On Tuesday, 19.06.2018, 11:04 -0400, Tom Rymes wrote:
> Does this properly handle IPSec tunnels with multiple, comma-separated subnets defined?
>
>
> On 06/19/2018 10:41 AM, Erik Kapfer wrote:
> >
> > Fix for bug #11614
> > Set a different variable name for better understanding.
> > Set another variable for the remote subnet search to make the IPTables command more understandable.
> > Deleted COUNTER lines since they are never used.
> > Deleted the variables for the VPN configuration files since both are used only once.
> > All changes have also been applied to the IPSec section.
> >
> > Signed-off-by: Erik Kapfer <erik.kapfer(a)ipfire.org>
> > ---
> > src/initscripts/system/squid | 22 +++++++++++++++-------
> > 1 file changed, 15 insertions(+), 7 deletions(-)
> >
> > diff --git a/src/initscripts/system/squid
> > b/src/initscripts/system/squid
> > index 7255c0a..81a132b 100644
> > --- a/src/initscripts/system/squid
> > +++ b/src/initscripts/system/squid
> > @@ -25,17 +25,25 @@ transparent() {
> > exit 1
> > fi
> >
> > - COUNT=1
> > - FILE=/var/ipfire/vpn/config
> > + # Exclude IPSec N2N remote subnets from
> > transparent proxy
> > + while read IPSECREMOTENET; do
> > + CONN_TYPE=$(echo "$IPSECREMOTENET" | awk
> > -F, '{ print $5 }')
> > + IPSEC_REMOTE_SUBNET=$(echo
> > "$IPSECREMOTENET" | awk -F, '{ print $13 }')
> > + if [ "$CONN_TYPE" != "net" ]; then
> > + continue
> > + fi
> > + iptables -t nat -A SQUID -i $1 -p tcp -d
> > ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN
> > + done < /var/ipfire/vpn/config
> >
> > - while read LINE; do
> > - let COUNT=$COUNT+1
> > - CONN_TYPE=`echo "$LINE" | awk -F, '{ print
> > $5 }'`
> > + # Exclude OpenVPN N2N remote subnets from
> > transparent proxy
> > + while read OVPNREMOTENET; do
> > + CONN_TYPE=$(echo "$OVPNREMOTENET" | awk
> > -F, '{ print $5 }')
> > + OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET"
> > | awk -F, '{ print $13 }')
> > if [ "$CONN_TYPE" != "net" ]; then
> > continue
> > fi
> > - iptables -t nat -A SQUID -i $1 -p tcp -d `echo
> > "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN
> > - done < $FILE
> > + iptables -t nat -A SQUID -i $1 -p tcp -d
> > ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN
> > + done < /var/ipfire/ovpn/ovpnconfig
> >
> > if [ "$RED_TYPE" == "STATIC" ]; then
> > iptables -t nat -A SQUID -i $1 -p tcp -d
> > $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
> >
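Review bot: on the question above about records with more than one subnet, the quoted hunk passes field 13 to a single `-d ${IPSEC_REMOTE_SUBNET}` with no check on what the field contains; a record whose field is empty yields a bare `-d` and one that held several values would produce an iptables argument error or a rule for the wrong network, in either case silently leaving that tunnel's traffic inside the transparent proxy. Validate the field (non-empty, one CIDR) before the iptables line and log and skip anything else, so a malformed config entry is visible rather than quietly ignored.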