diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc
index f98fe428a39..1a7bc80d482 100644
--- a/src/ip/Intercept.cc
+++ b/src/ip/Intercept.cc
@@ -182,18 +182,32 @@ bool
 Ip::Intercept::IpfwInterception(const Comm::ConnectionPointer &newConn)
 {
 #if IPFW_TRANSPARENT
- /* The getsockname() call performed already provided the TCP packet details.
- * There is no way to identify whether they came from NAT or not.
- * Trust the user configured properly.
- */
- debugs(89, 5, "address NAT: " << newConn);
- return true;
+ return UseInterceptionAddressesLookedUpEarlier(__FUNCTION__, newConn);
 #else
 (void)newConn;
 return false;
 #endif
 }
+/// Assume that getsockname() has been called already and provided the necessary
+/// TCP packet details. There is no way to identify whether they came from NAT.
+/// Trust the user configured properly.
+bool
+Ip::Intercept::UseInterceptionAddressesLookedUpEarlier(const char * const caller, const Comm::ConnectionPointer &newConn)
+{
+ // paranoid: ./configure should prohibit these combinations
+#if LINUX_NETFILTER && PF_TRANSPARENT && !USE_NAT_DEVPF
+ static_assert(!"--enable-linux-netfilter is incompatible with --enable-pf-transparent --without-nat-devpf");
+#endif
+#if LINUX_NETFILTER && IPFW_TRANSPARENT
+ static_assert(!"--enable-linux-netfilter is incompatible with --enable-ipfw-transparent");
+#endif
+ // --enable-linux-netfilter is compatible with --enable-ipf-transparent
+
+ debugs(89, 5, caller << " uses " << newConn);
+ return true;
+}
+
 bool
 Ip::Intercept::IpfInterception(const Comm::ConnectionPointer &newConn)
 {
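Review bot: The new `caller` parameter of UseInterceptionAddressesLookedUpEarlier() is passed `__FUNCTION__` by IpfwInterception() in this hunk but a free-text description, `"recent PF version"`, by PfInterception() in the next hunk, so the `caller << " uses "` debugs() line reads differently for the two callers and the parameter name no longer describes what it receives; either pass `__FUNCTION__` from PfInterception() as well, or rename the parameter (for example `context`) in both the definition and the Intercept.h declaration. The two configuration guards would also be clearer in the two-argument form, `static_assert(false, "--enable-linux-netfilter is incompatible with --enable-pf-transparent --without-nat-devpf");` (and likewise for the ipfw one), which reports the text as the diagnostic message rather than as the asserted expression. Since the whole function is a trust decision, the `///` comment could spell out the consequence for deployers — the addresses are accepted as-is, so they are only as reliable as the firewall rules that redirect traffic to this listening port — which a reader of the "uses" debug line would not otherwise learn.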
@@ -313,14 +327,7 @@ Ip::Intercept::PfInterception(const Comm::ConnectionPointer &newConn)
 #if PF_TRANSPARENT /* --enable-pf-transparent */
 #if !USE_NAT_DEVPF
- /* On recent PF versions the getsockname() call performed already provided
- * the required TCP packet details.
- * There is no way to identify whether they came from NAT or not.
- *
- * Trust the user configured properly.
- */
- debugs(89, 5, "address NAT divert-to: " << newConn);
- return true;
+ return UseInterceptionAddressesLookedUpEarlier("recent PF version", newConn);
 #else /* USE_NAT_DEVPF / --with-nat-devpf */
diff --git a/src/ip/Intercept.h b/src/ip/Intercept.h
index f47b810d56b..0913f18161a 100644
--- a/src/ip/Intercept.h
+++ b/src/ip/Intercept.h
@@ -117,6 +117,8 @@ class Intercept
 */
 bool PfInterception(const Comm::ConnectionPointer &newConn);
+ bool UseInterceptionAddressesLookedUpEarlier(const char *, const Comm::ConnectionPointer &);
+
 int transparentActive_;
 int interceptActive_;
 };
diff --git a/test-suite/buildtests/layer-02-maximus.opts b/test-suite/buildtests/layer-02-maximus.opts
index 56e75bdf686..ce03ab5350b 100644
--- a/test-suite/buildtests/layer-02-maximus.opts
+++ b/test-suite/buildtests/layer-02-maximus.opts
@@ -79,7 +79,6 @@ DISTCHECK_CONFIGURE_FLAGS=" \
 --enable-poll \
 --enable-select \
 --enable-http-violations \
- --enable-ipfw-transparent \
 --enable-follow-x-forwarded-for \
 --enable-default-hostsfile=/etc/hosts \
 --enable-auth \
diff --git a/test-suite/buildtests/layer-04-noauth-everything.opts b/test-suite/buildtests/layer-04-noauth-everything.opts
index b5ffd8a0fc2..f89911b3862 100644
--- a/test-suite/buildtests/layer-04-noauth-everything.opts
+++ b/test-suite/buildtests/layer-04-noauth-everything.opts
@@ -80,7 +80,6 @@ DISTCHECK_CONFIGURE_FLAGS=" \
 --enable-poll \
 --enable-select \
 --enable-http-violations \
- --enable-ipfw-transparent \
 --enable-follow-x-forwarded-for \
 --enable-internal-dns \
 --enable-default-hostsfile \
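Review bot: The new declaration in the Intercept.h hunk is the only member there without a doc comment — the `*/` just above it closes the one for PfInterception() — and its first parameter is unnamed, so a reader of the header cannot tell what the `const char *` is for; the definition in Intercept.cc names it `caller` and only streams it into a debugs() line. Give the parameter the same name the definition uses and add a one-line `/// Accepts the addresses getsockname() already supplied for newConn as the interception result; the string only labels the debugs() output.` above the declaration. The enclosing class Intercept starts before this hunk.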