Set IP_TRANSPARENT when binding a non-local address

Author: quentinmit

server/common/oursrc/scripts-proxy/main.go

@@ -64,12 +64,13 @@ func (l *ldapTarget) HandleConn(netConn net.Conn) {
 	}
 	raddr := netConn.RemoteAddr().(*net.TCPAddr)
 	if l.localPoolRange.Contains(destAddr.IP) {
-		sourceAddr := &net.TCPAddr{
-			IP: raddr.IP,
-		}
-		dp.DialContext = func(ctx context.Context, network, address string) (net.Conn, error) {
-			return net.DialTCP(network, sourceAddr, destAddr)
+		td := &TransparentDialer{
+			SourceAddr: &net.TCPAddr{
+				IP: raddr.IP,
+			},
+			DestAddr: destAddr,
 		}
+		dp.DialContext = td.DialContext
 	}
 	dp.HandleConn(netConn)
 }

server/common/oursrc/scripts-proxy/tproxy.go

@@ -0,0 +1,35 @@
+package main
+
+import (
+	"context"
+	"log"
+	"net"
+	"syscall"
+)
+
+// TransparentDialer makes a connection to DestAddr using SourceAddr as the non-local source address.
+type TransparentDialer struct {
+	SourceAddr net.Addr
+	DestAddr   net.Addr
+}
+
+func (t *TransparentDialer) DialContext(ctx context.Context, network, address string) (net.Conn, error) {
+	d := &net.Dialer{
+		LocalAddr: t.SourceAddr,
+		Control: func(network, address string, c syscall.RawConn) error {
+			return c.Control(func(fd uintptr) {
+				for _, opt := range []int{
+					syscall.IP_TRANSPARENT,
+					syscall.IP_FREEBIND,
+				} {
+					err := syscall.SetsockoptInt(int(fd), syscall.SOL_IP, opt, 1)
+					if err != nil {
+						log.Printf("control: %s", err)
+						return
+					}
+				}
+			})
+		},
+	}
+	return d.DialContext(ctx, network, t.DestAddr.String())
+}