Patch is from bug #11614

With the request to deliver it for further review to the dev mailing list.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 src/initscripts/system/squid | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..267a416 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid @@ -37,6 +37,17 @@ transparent() { iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN done < $FILE
+ FILE=/var/ipfire/ovpn/ovpnconfig + + while read LINE; do + let COUNT=$COUNT+1 + CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` + if [ "$CONN_TYPE" != "net" ]; then + continue + fi + iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN + done < $FILE + if [ "$RED_TYPE" == "STATIC" ]; then iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN fi
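Review bot: the new OpenVPN loop copies the IPsec loop's bookkeeping without its purpose, and it passes an unchecked value to iptables. `let COUNT=$COUNT+1` counts lines that nothing reads, and `FILE` is reassigned only to be consumed once in `done < $FILE`. More importantly, the `-d` argument is an unquoted backtick substitution on field 13 of the line; for a `net` line whose 13th field is empty the command becomes `iptables -t nat -A SQUID -i $1 -p tcp -d --dport 80 -j RETURN`, which iptables rejects, so that subnet is silently not excluded from the transparent proxy. Suggest reading field 13 into a named variable, `continue`-ing when it is empty before the iptables call, and using `read -r` so backslashes in the config are not interpreted by `read`.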
Hi,
I think we have to rework that code a little. It is hard to understand.
On Mon, 2018-06-18 at 20:32 +0200, Erik Kapfer wrote:
Patch is from bug #11614

With the request to deliver it for further review to the dev mailing list.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 src/initscripts/system/squid | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..267a416 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid @@ -37,6 +37,17 @@ transparent() { iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN done < $FILE
FILE=/var/ipfire/ovpn/ovpnconfig
Not sure why this is variable since it is only used once.
while read LINE; do
let COUNT=$COUNT+1
COUNT is never initialized and never used either.
CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'`
if [ "$CONN_TYPE" != "net" ]; then
continue
fi
The following iptables line is missing a tab.
iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk
-F, '{ print $13 }'` --dport 80 -j RETURN
It is not clear what the command should be like.
I think it is best to use while read ...; do ... done to walk through the file line by line and put the values into a variable with a good name. That will avoid confusion later.
done < $FILE
- if [ "$RED_TYPE" == "STATIC" ]; then iptables -t nat -A SQUID -i $1 -p tcp -d
$RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN fi
Erik, would you please rework this patch?
Best,
-Michael
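As an added example, not code from this thread or from IPFire's squid initscript, here is one way to write the loop along the lines Michael describes: the config file is walked line by line with `IFS=, read -r`, the fields get descriptive names, and the remote subnet is validated before it can reach an iptables rule. The field positions (5 = connection type, 13 = remote subnet) and the shape of the RETURN rule are taken from the patch; the sample config lines, the interface name `green0` and the function names are constructed for the example. The rules are printed rather than executed, so the script runs without iptables or root.

```shell
#!/bin/sh
# Added example, not IPFire's code: a hardened version of the "exclude VPN
# remote subnets from the transparent proxy" loop discussed in this thread.
# Assumptions (taken from the patch, not independently verified): the VPN
# config is one connection per line, comma-separated, with the connection
# type in field 5 ("net" for net-to-net) and the remote subnet in field 13.

# Accept only a plain IPv4 network in CIDR notation, so that an empty or
# malformed field can never end up as the -d argument of an iptables rule.
is_ipv4_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# Print the remote subnet of every net-to-net connection in a config file,
# one per line. Lines of another type, blank lines and lines whose subnet
# field is empty or malformed are skipped (the malformed ones are reported
# on stderr). The '|| [ -n "$f1" ]' clause still processes a final line that
# lacks a trailing newline, which a plain "while read" loop would drop.
vpn_remote_subnets() {
    [ -r "$1" ] || { echo "vpn_remote_subnets: cannot read $1" >&2; return 1; }
    while IFS=, read -r f1 f2 f3 f4 conn_type f6 f7 f8 f9 f10 f11 f12 remote_subnet rest \
          || [ -n "$f1" ]; do
        [ "$conn_type" = "net" ] || continue
        if is_ipv4_cidr "$remote_subnet"; then
            printf '%s\n' "$remote_subnet"
        else
            echo "skipping connection '$f3': bad remote subnet '$remote_subnet'" >&2
        fi
    done < "$1"
}

# Print (instead of executing) the RETURN rules that bypass the SQUID chain
# for each subnet, so the result can be inspected before it is applied.
# $1 = interface, $2 = config file.
transparent_proxy_bypass_rules() {
    vpn_remote_subnets "$2" | while read -r subnet; do
        printf 'iptables -t nat -A SQUID -i %s -p tcp -d %s --dport 80 -j RETURN\n' \
            "$1" "$subnet"
    done
}

# Constructed sample config: two valid N2N entries, a host entry, an N2N entry
# with an empty subnet field, a blank line and an N2N entry with a bad subnet.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
1,on,branch-a,,net,,,,,,,,10.0.1.0/24,,,
2,on,laptop-bob,,host,,,,,,,,,,,
3,on,branch-b,,net,,,,,,,,192.168.50.0/24,,,
4,on,broken-empty,,net,,,,,,,,,,,

5,on,broken-text,,net,,,,,,,,not-a-subnet,,,
EOF

transparent_proxy_bypass_rules green0 "$SAMPLE_CFG"
```

Run as-is it prints the two rules it would add for `branch-a` and `branch-b`; the `host` entry and the blank line are skipped quietly, the two malformed `net` entries with a message on stderr. Parsing with `IFS=, read` also avoids the two `awk` processes per line that the patch forks. In the initscript the `printf` of the rule would be replaced by the iptables call itself, with the subnet still quoted.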
Fix for bug #11614

Set a different variable name for better understanding. Set another variable for the remote subnet search to make the IPTables command easier to understand. Deleted COUNTER lines since they are never used. Deleted the variable for the VPN configuration files since both are used only once. All changes have also been applied to the IPSec section.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 src/initscripts/system/squid | 22 +++++++++++++++-------
 1 file changed, 15 insertions(+), 7 deletions(-)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..81a132b 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid @@ -25,17 +25,25 @@ transparent() { exit 1 fi
- COUNT=1 - FILE=/var/ipfire/vpn/config + # Exclude IPSec N2N remote subnets from transparent proxy + while read IPSECREMOTENET; do + CONN_TYPE=$(echo "$IPSECREMOTENET" | awk -F, '{ print $5 }') + IPSEC_REMOTE_SUBNET=$(echo "$IPSECREMOTENET" | awk -F, '{ print $13 }') + if [ "$CONN_TYPE" != "net" ]; then + continue + fi + iptables -t nat -A SQUID -i $1 -p tcp -d ${IPSEC_REMOTE_SUBNET} --dport 80 -j RETURN + done < /var/ipfire/vpn/config
- while read LINE; do - let COUNT=$COUNT+1 - CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` + # Exclude OpenVPN N2N remote subnets from transparent proxy + while read OVPNREMOTENET; do + CONN_TYPE=$(echo "$OVPNREMOTENET" | awk -F, '{ print $5 }') + OVPN_REMOTE_SUBNET=$(echo "$OVPNREMOTENET" | awk -F, '{ print $13 }') if [ "$CONN_TYPE" != "net" ]; then continue fi - iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN - done < $FILE + iptables -t nat -A SQUID -i $1 -p tcp -d ${OVPN_REMOTE_SUBNET} --dport 80 -j RETURN + done < /var/ipfire/ovpn/ovpnconfig
if [ "$RED_TYPE" == "STATIC" ]; then iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
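Review bot: the remote subnet is now read into `IPSEC_REMOTE_SUBNET` / `OVPN_REMOTE_SUBNET`, but it is never checked before it becomes the `-d` argument, so a `net` line with an empty 13th field still yields `-d --dport 80 -j RETURN` and a failing iptables call; add `[ -n "$IPSEC_REMOTE_SUBNET" ] || continue` (and the OpenVPN counterpart) after the type check, and quote the variable in the iptables line. Minor: both `awk` substitutions run before the `if [ "$CONN_TYPE" != "net" ]` test, so the subnet is extracted for every line, including the ones that are then discarded; moving the second `awk` below the `continue` keeps the loop cheaper and easier to follow. `read IPSECREMOTENET` should be `read -r`.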
Fix for bug #11614

Some cosmetics have also been done in the IPSec subnet exclusion section.

Signed-off-by: Erik Kapfer <erik.kapfer@ipfire.org>
---
 src/initscripts/system/squid | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/src/initscripts/system/squid b/src/initscripts/system/squid index 7255c0a..9c11255 100644 --- a/src/initscripts/system/squid +++ b/src/initscripts/system/squid @@ -25,17 +25,23 @@ transparent() { exit 1 fi
- COUNT=1 - FILE=/var/ipfire/vpn/config + # Exclude IPSec N2N remote subnets from transparent proxy + while read IPSECREMOTESUBNET; do + CONN_TYPE=$(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $5 }') + if [ "$CONN_TYPE" != "net" ]; then + continue + fi + iptables -t nat -A SQUID -i $1 -p tcp -d $(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $13 }') --dport 80 -j RETURN + done < /var/ipfire/vpn/config
- while read LINE; do - let COUNT=$COUNT+1 - CONN_TYPE=`echo "$LINE" | awk -F, '{ print $5 }'` + # Exclude OpenVPN N2N remote subnets from transparent proxy + while read OVPNREMOTESUBNET; do + CONN_TYPE=$(echo "$OVPNREMOTESUBNET" | awk -F, '{ print $5 }') if [ "$CONN_TYPE" != "net" ]; then continue fi - iptables -t nat -A SQUID -i $1 -p tcp -d `echo "$LINE" | awk -F, '{ print $13 }'` --dport 80 -j RETURN - done < $FILE + iptables -t nat -A SQUID -i $1 -p tcp -d $(echo "$OVPNREMOTESUBNET" | awk -F, '{ print $13 }') --dport 80 -j RETURN + done < /var/ipfire/ovpn/ovpnconfig
if [ "$RED_TYPE" == "STATIC" ]; then iptables -t nat -A SQUID -i $1 -p tcp -d $RED_NETADDRESS/$RED_NETMASK --dport 80 -j RETURN
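Review bot: this version goes back to computing the subnet inline in the iptables line (`-d $(echo "$IPSECREMOTESUBNET" | awk -F, '{ print $13 }')`), which is exactly what the first review asked to move into a variable with a good name, and it drops the `IPSEC_REMOTE_SUBNET` / `OVPN_REMOTE_SUBNET` variables that v2 had introduced; the commit message calls this cosmetics, but it is a structural step backwards. The loop variables are also misnamed: `IPSECREMOTESUBNET` and `OVPNREMOTESUBNET` hold the whole config line, not a subnet. Suggest `while read -r LINE; do`, extract field 13 into `IPSEC_REMOTE_SUBNET` after the type check, skip the line when it is empty, and call `iptables ... -d "${IPSEC_REMOTE_SUBNET}" --dport 80 -j RETURN`, so the empty-field case can no longer produce a broken iptables invocation.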