author | Martin Fuchs <mfuchs@pfsense.org> | 2008-09-18 21:55:47 +0000 |
---|---|---|
committer | Martin Fuchs <mfuchs@pfsense.org> | 2008-09-18 21:55:47 +0000 |
commit | 6b553ad36fbfafe9b4f1ea3b42f3798ccc406187 (patch) | |
tree | 151b33210e3090dd07ee39374be538def5f7f591 | |
parent | c1eb00a0c8aa3cb457bf982ded5aebffb47976c9 (diff) | |
squid: add possibility to exempt IPs from transparent squid
-rw-r--r-- | packages/squid/squid.inc | 28 | ||||
-rw-r--r-- | packages/squid/squid.xml | 7 | ||||
-rw-r--r-- | packages/squid3/squid.inc | 28 | ||||
-rw-r--r-- | packages/squid3/squid.xml | 7 | ||||
-rw-r--r-- | pkg_config.7.xml | 4 | ||||
-rw-r--r-- | pkg_config.xml | 2 |
6 files changed, 73 insertions, 3 deletions
diff --git a/packages/squid/squid.inc b/packages/squid/squid.inc
index b641dbd5..3a4369ba 100644
--- a/packages/squid/squid.inc
+++ b/packages/squid/squid.inc
@@ -316,6 +316,18 @@ function squid_validate_general($post, $input_errors) {
 if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy_off'] == 'on')) {
 $input_errors[] = "You can not bypass traffic to private subnets without using the transparent proxy.";
 }
+
+ if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) {
+ $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy.";
+ }
+
+ foreach (array('defined_ip_proxy_off') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address";
+ }
+ }
 if(!empty($post['dns_nameservers'])) {
 $altdns = explode(";", ($post['dns_nameservers']));
@@ -1213,6 +1225,22 @@ function squid_generate_rules($type) {
 $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
 }
 }
+
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $config['installedpackages']['squid']['config'][0]['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if(!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ $exempt_ip .= ", $ip_proxy_off";
+ }
+ }
+ $exempt_ip = substr($exempt_ip,2);
+ foreach ($ifaces as $iface){
+ $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n";
+ }
+ }
+
 foreach ($ifaces as $iface){
 $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
 };
diff --git a/packages/squid/squid.xml b/packages/squid/squid.xml
index fe57bebb..4c8bc4ab 100644
--- a/packages/squid/squid.xml
+++ b/packages/squid/squid.xml
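Review bot: The new entry loop in the @@ -316 hunk wraps a single literal in `foreach (array('defined_ip_proxy_off') as $hosts)`, which reads as if several fields were validated when only one is; a direct `foreach (explode(";", $post['defined_ip_proxy_off']) as $host) {` says the same thing without the indirection. The inner `explode(";", $post[$hosts])` is not guarded by an isset check, so a POST that omits the field would raise an undefined-index notice (the `!empty` test above it only decides whether to add the transparent-proxy error), and the new message `"The entry '$host' is not a valid IP address"` lacks the terminating period the sibling messages use. The same code is added to packages/squid3/squid.inc in its @@ -317 hunk. squid_validate_general continues outside the hunk.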
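Review bot: In the exemption loop of the @@ -1213 hunk the `!empty($ip_proxy_off)` test runs before `trim()`, so an entry that is only whitespace (for example a trailing `; ` after the last address, which the form validator accepts because it trims first) passes the test, trims to an empty string and appends a bare `", "`, leaving a dangling separator inside the generated `no rdr ... from { $exempt_ip }` rule that pf may refuse to load. Trimming first and re-checking the value with `is_ipaddr()` before it is interpolated also keeps an entry that never went through the form validator (hand-edited or restored config) out of the pf rules: `$ip_proxy_off = trim($ip_proxy_off);` followed by `if ($ip_proxy_off !== '' && is_ipaddr($ip_proxy_off)) {`. The guard tests `$squid_conf['defined_ip_proxy_off']` while the value is read from `$config['installedpackages']['squid']['config'][0]`; presumably these are the same array, but reading `$squid_conf` in both places would make that explicit and avoid the two drifting apart. The same block is added to packages/squid3/squid.inc in its @@ -1214 hunk, where the hard-coded `['squid']` config key is worth confirming for the squid3 package. squid_generate_rules continues outside the hunk.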
@@ -175,6 +175,13 @@
 <type>checkbox</type>
 </field>
 <field>
+ <fielddescr>Do NOT proxy these IPs</fielddescr>
+ <fieldname>defined_ip_proxy_off</fieldname>
+ <description>Do not forward traffic from these <b>source</b> IPs through the proxy server. Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>80</size>
+ </field>
+ <field>
 <fielddescr>Enabled logging</fielddescr>
 <fieldname>log_enabled</fieldname>
 <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>
diff --git a/packages/squid3/squid.inc b/packages/squid3/squid.inc
index 3c42f92e..1f3b5f7e 100644
--- a/packages/squid3/squid.inc
+++ b/packages/squid3/squid.inc
@@ -317,6 +317,18 @@ function squid_validate_general($post, $input_errors) {
 if (($post['transparent_proxy'] != 'on') && ($post['private_subnet_proxy_off'] == 'on')) {
 $input_errors[] = "You can not bypass traffic to private subnets without using the transparent proxy.";
 }
+
+ if (($post['transparent_proxy'] != 'on') && !empty($post['defined_ip_proxy_off'])) {
+ $input_errors[] = "You can not bypass traffic from specific IPs without using the transparent proxy.";
+ }
+
+ foreach (array('defined_ip_proxy_off') as $hosts) {
+ foreach (explode(";", $post[$hosts]) as $host) {
+ $host = trim($host);
+ if (!empty($host) && !is_ipaddr($host))
+ $input_errors[] = "The entry '$host' is not a valid IP address";
+ }
+ }
 if(!empty($post['dns_nameservers'])) {
 $altdns = explode(";", ($post['dns_nameservers']));
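Review bot: The new field's description says only "these IPs", but squid_validate_general rejects every entry that fails `is_ipaddr()`, which presumably accepts single addresses only and not subnets or CIDR ranges; stating the accepted format in the help text spares users a validation round-trip, e.g. `Separate by semi-colons (;). Each entry must be a single IP address (no subnets).`. It would also help to mention that the option only has an effect when the transparent proxy is enabled, since the validator refuses to save the list otherwise. The same field is added to packages/squid3/squid.xml in its @@ -175 hunk.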
@@ -1214,6 +1226,22 @@ function squid_generate_rules($type) {
 $rules .= "no rdr on $iface proto tcp from any to { 192.168.0.0/16, 172.16.0.0/12, 10.0.0.0/8 } port 80\n";
 }
 }
+
+ if (!empty($squid_conf['defined_ip_proxy_off'])) {
+ $defined_ip_proxy_off = explode(";", $config['installedpackages']['squid']['config'][0]['defined_ip_proxy_off']);
+ $exempt_ip = "";
+ foreach ($defined_ip_proxy_off as $ip_proxy_off) {
+ if(!empty($ip_proxy_off)) {
+ $ip_proxy_off = trim($ip_proxy_off);
+ $exempt_ip .= ", $ip_proxy_off";
+ }
+ }
+ $exempt_ip = substr($exempt_ip,2);
+ foreach ($ifaces as $iface){
+ $rules .= "no rdr on $iface proto tcp from { $exempt_ip } to any port 80\n";
+ }
+ }
+
 foreach ($ifaces as $iface){
 $rules .= "rdr on $iface proto tcp from any to !($iface) port 80 -> 127.0.0.1 port 80\n";
 };
diff --git a/packages/squid3/squid.xml b/packages/squid3/squid.xml
index 5e0acf9b..8529526e 100644
--- a/packages/squid3/squid.xml
+++ b/packages/squid3/squid.xml
@@ -175,6 +175,13 @@
 <type>checkbox</type>
 </field>
 <field>
+ <fielddescr>Do NOT proxy these IPs</fielddescr>
+ <fieldname>defined_ip_proxy_off</fieldname>
+ <description>Do not forward traffic from these <b>source</b> IPs through the proxy server. Separate by semi-colons (;).</description>
+ <type>input</type>
+ <size>80</size>
+ </field>
+ <field>
 <fielddescr>Enabled logging</fielddescr>
 <fieldname>log_enabled</fieldname>
 <description>This will enable the access log. Don't switch this on if you don't have much disk space left.</description>
diff --git a/pkg_config.7.xml b/pkg_config.7.xml
index 3c0909bf..73078e00 100644
--- a/pkg_config.7.xml
+++ b/pkg_config.7.xml
@@ -292,7 +292,7 @@
 <descr>High performance web proxy cache.</descr>
 <website>http://www.squid-cache.org/</website>
 <category>Network</category>
- <version>2.6.21_05</version>
+ <version>2.6.21_06</version>
 <status>Stable</status>
 <required_version>1.2.1</required_version>
 <maintainer>fernando@netfilter.com.br seth.mos@xs4all.nl mfuchs77@googlemail.com</maintainer>
@@ -308,7 +308,7 @@
 <descr>EXPERIMANTAL! Not all directives are ported yet! High performance web proxy cache.</descr>
 <website>http://www.squid-cache.org/</website>
 <category>Network</category>
- <version>3.0.8_04</version>
+ <version>3.0.8_05</version>
 <status>ALPHA</status>
 <required_version>1.2.1</required_version>
 <maintainer>fernando@netfilter.com.br seth.mos@xs4all.nl mfuchs77@googlemail.com</maintainer>
diff --git a/pkg_config.xml b/pkg_config.xml
index 8335edbc..5d140b7d 100644
--- a/pkg_config.xml
+++ b/pkg_config.xml
@@ -506,7 +506,7 @@
 <descr>High performance web proxy cache.</descr>
 <website>http://www.squid-cache.org/</website>
 <category>Network</category>
- <version>2.6.18.1_05</version>
+ <version>2.6.18.1_06</version>
 <status>Stable</status>
 <required_version>1.0</required_version>
 <maintainer>fernando@netfilter.com.br seth.mos@xs4all.nl mfuchs77@googlemail.com</maintainer> |