<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content=text/html;charset=utf-8>
<META content="MSHTML 6.00.6000.16608" name=GENERATOR></HEAD>
<BODY id=MailContainerBody
style="PADDING-RIGHT: 10px; PADDING-LEFT: 10px; PADDING-TOP: 15px"
bgColor=#ffffff leftMargin=0 topMargin=0 CanvasTabStop="true"
name="Compose message area">
<DIV style="FONT: 10pt Tahoma">
<DIV><FONT face=Calibri size=3>Hello nantenaina Tianarivo !!!</FONT></DIV>
<DIV><FONT face=Calibri size=3></FONT> </DIV>
<DIV><FONT face=Calibri size=3>Thanks for the link.</FONT></DIV>
<DIV><FONT face=Calibri size=3>But I'm having some trouble applying it, as you
can see below.</FONT></DIV>
<DIV><FONT face=Calibri size=3></FONT> </DIV>
<DIV><FONT face=Calibri size=3>In your link is another link, to get the
patch as an attachment.</FONT></DIV>
<DIV><FONT face=Calibri size=3><A
href="http://lists.balabit.hu/pipermail/tproxy/attachments/20071220/c6c74b7c/attachment-0001.htm">http://lists.balabit.hu/pipermail/tproxy/attachments/20071220/c6c74b7c/attachment-0001.htm</A> </FONT></DIV>
<DIV><FONT face=Calibri size=3>I've tried it (without the html tags, of course),
and it didn't work.</FONT></DIV>
<DIV><FONT face=Calibri size=3></FONT> </DIV>
<DIV><FONT face=Courier># cat squid-tproxy.patch | patch -p1<BR>patching file
src/comm.c<BR>patch: **** malformed patch at line 7: {</FONT><BR></DIV>
<DIV><FONT face=Calibri size=3>Any ideas?</FONT></DIV>
<DIV><FONT face=Calibri size=3></FONT> </DIV>
<DIV><FONT face=Calibri size=3>Thanks!</FONT></DIV>
<DIV><FONT face=Calibri size=3></FONT> </DIV>
<DIV><FONT face=Calibri size=3>Best Regards,</FONT></DIV>
<DIV><FONT face=Calibri size=3></FONT> </DIV>
<DIV><FONT face=Calibri size=3>Eduardo Schoedler.</FONT></DIV>
<DIV> </DIV>
<DIV><FONT face=Calibri size=3></FONT> </DIV>
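<DIV><FONT face=Calibri size=3>The "malformed patch at line 7: {" shown above is what patch(1) prints when a line inside a hunk carries none of the legal markers (a space for context, "+", "-" or "\"), which is exactly what happens to context lines when a diff is copied out of an HTML rendering that drops their leading space. The checker below is an added example written by the editor of this page; it is not code from this thread, nor from the tproxy or Squid projects. Its two input diffs are constructed toys against a made-up file example.c, not the real squid-tproxy.patch, and the function names check_unified_diff and repair_stripped_context are the editor's own.</FONT></DIV>
<PRE>
```python
"""Added example (editor's code, not from this thread or the tproxy/Squid projects):
validate a unified diff as patch(1) does and repair context lines that lost their space."""
import re
from typing import List, Tuple

# "@@ -old_start[,old_count] +new_start[,new_count] @@"; a missing count means 1.
HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@")
# Entity/tag residue that survives a copy-paste from an HTML mail archive.
HTML_RESIDUE = re.compile(r"&(lt|gt|amp|nbsp|quot);|<br\s*/?>", re.IGNORECASE)


def _hunk_counts(m: "re.Match") -> Tuple[int, int]:
    return int(m.group(2) or 1), int(m.group(4) or 1)   # a missing count means 1


def check_unified_diff(text: str) -> List[Tuple[int, str]]:
    """Return (line_no, message) findings; line_no is 1-based, the N in patch's
    own "malformed patch at line N". An empty list means every hunk is sane."""
    findings: List[Tuple[int, str]] = []
    lines = text.splitlines()
    i = 0
    while i < len(lines):
        m = HUNK_RE.match(lines[i])
        if m is None:
            i += 1
            continue
        header_no, (old_left, new_left) = i + 1, _hunk_counts(m)
        i += 1
        broken = False
        while (old_left > 0 or new_left > 0) and i < len(lines):
            body = lines[i]
            if HTML_RESIDUE.search(body):
                findings.append((i + 1, "HTML residue inside hunk: %r" % body))
            tag = body[:1]
            if tag in (" ", ""):       # GNU patch accepts an empty line as blank context
                old_left, new_left = old_left - 1, new_left - 1
            elif tag == "-":
                old_left -= 1
            elif tag == "+":
                new_left -= 1
            elif tag != "\\":          # "\ No newline at end of file" is the only other legal marker
                findings.append((i + 1, "malformed patch at line %d: %s (context line lost its leading space?)" % (i + 1, body)))
                broken = True
                break
            i += 1
        # A truncated hunk (counts left over) and an overlong one (counts negative) both land here.
        if not broken and (old_left != 0 or new_left != 0):
            findings.append((header_no, "hunk at line %d does not match its header counts" % header_no))
    return findings


def repair_stripped_context(text: str) -> str:
    """Re-prefix marker-less hunk lines with the space they lost: whitespace collapsing
    cannot eat a '+' or '-', so such a line must have been context. Limitation: context
    whose own code starts with '+' or '-' is misread; check_unified_diff() then catches it."""
    out: List[str] = []
    old_left = new_left = 0
    for body in text.splitlines():
        m = HUNK_RE.match(body)
        if m is not None:
            old_left, new_left = _hunk_counts(m)
        elif old_left > 0 or new_left > 0:
            tag = body[:1]
            if tag == "-":
                old_left -= 1
            elif tag == "+":
                new_left -= 1
            elif tag != "\\":
                if tag != " ":         # blank line, or a line that lost its marker
                    body = " " + body
                old_left, new_left = old_left - 1, new_left - 1
        out.append(body)
    return "\n".join(out) + "\n"


# Constructed toy diffs, not the real squid-tproxy.patch. GOOD_PATCH is well
# formed; MANGLED_PATCH is the same diff after an HTML rendering dropped the
# leading space of every context line, so patch(1) would stop at line 4, "{".
GOOD_PATCH = """\
--- a/example.c
+++ b/example.c
@@ -1,4 +1,5 @@
 {
+    int on = 1;
     if (fd < 0)
         return -1;
 }
"""
MANGLED_PATCH = """\
--- a/example.c
+++ b/example.c
@@ -1,4 +1,5 @@
{
+    int on = 1;
if (fd < 0)
return -1;
}
"""
```
</PRE>
<DIV><FONT face=Calibri size=3>Running check_unified_diff over a pasted patch names the first offending line with the same number patch printed, so the "{" at line 7 above would be reported as a context line that lost its marker. If those are the only findings, repair_stripped_context puts the space back; but an HTML rendering usually also collapses the indentation inside each line, so the repaired file will normally only apply with patch -l (ignore whitespace when matching context) and the added lines will need re-indenting by hand. Fetching the attachment as raw text rather than from its .htm rendering avoids all of this.</FONT></DIV>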
<DIV style="BACKGROUND: #f5f5f5">
<DIV style="font-color: black"><B>From:</B> <A
href="mailto:rivo@gulfsat.mg">nantenaina Tianarivo</A> </DIV>
<DIV><B>Subject:</B> Re: [tproxy] Squid with tproxy extra brief FAQ - take
2</DIV></DIV></DIV>
<DIV><FONT face=Calibri></FONT><BR></DIV>I have tried the patch for IP_freebind
proposed here <A
href="https://lists.balabit.hu/pipermail/tproxy/2007-December/000638.html">https://lists.balabit.hu/pipermail/tproxy/2007-December/000638.html</A>
and my squid could work with tproxy4.<BR>Before that it loaded tproxy2
when compiled with <FONT color=#000000>--enable-linux-tproxy</FONT><BR><BR>I
hope it can help you.<BR>Rivo<BR>On Wed, 2008-02-27 at 14:33 -0300, Eduardo
Schoedler wrote:
<BLOCKQUOTE TYPE="CITE"><PRE><FONT color=#000000>Thanks for the FAQ.</FONT>
<FONT color=#000000>I'm using the (B) Version Tproxy 4.0.x.</FONT>
<FONT color=#000000>However, I haven't found the patch for squid in the site</FONT>
<FONT color=#000000><A href="http://www.balabit.hu/downloads/files/tproxy/">http://www.balabit.hu/downloads/files/tproxy/</A>.</FONT>
<FONT color=#000000>I'm using SQUID-2.6.17 with "--enable-linux-tproxy".</FONT>
<FONT color=#000000>But this compile option activates support for tproxy2 instead of tproxy4.0.x,</FONT>
<FONT color=#000000>right?</FONT>
<FONT color=#000000>How can I find the patch?</FONT>
<FONT color=#000000>Thanks in advance!</FONT>
<FONT color=#000000>Best Regards,</FONT>
<FONT color=#000000>Eduardo Schoedler.</FONT>
<FONT color=#000000>--------------------------------------------------</FONT>
<FONT color=#000000>From: "Ming-Ching Tiew" <<A href="mailto:mingching.tiew@redtone.com">mingching.tiew@redtone.com</A>></FONT>
<FONT color=#000000>Subject: [tproxy] Squid with tproxy extra brief FAQ - take 2</FONT>
<FONT color=#000000>1. There are at least 3 different versions of tproxy kernel patches.</FONT>
<FONT color=#000000> Each tproxy kernel patch is quite strongly tied to a kernel version:</FONT>
<FONT color=#000000> (A) Version Tproxy2</FONT>
<FONT color=#000000> =============</FONT>
<FONT color=#000000> For kernel 2.6.18</FONT>
<FONT color=#000000> URL: <A href="http://www.balabit.hu/downloads/files/tproxy/obsolete/">http://www.balabit.hu/downloads/files/tproxy/obsolete/</A></FONT>
<FONT color=#000000> (B) Version Tproxy 4.0.x</FONT>
<FONT color=#000000> ================</FONT>
<FONT color=#000000> For kernel 2.6.22</FONT>
<FONT color=#000000> URL: <A href="http://www.balabit.hu/downloads/files/tproxy/">http://www.balabit.hu/downloads/files/tproxy/</A></FONT>
<FONT color=#000000> (C) Version Tproxy-4.1.0</FONT>
<FONT color=#000000> =================</FONT>
<FONT color=#000000> For kernel 2.6.25</FONT>
<FONT color=#000000> URL: The "official website" is for kernel <=2.6.24</FONT>
<FONT color=#000000> <A href="http://people.netfilter.org/hidden/tproxy">http://people.netfilter.org/hidden/tproxy</A></FONT>
<FONT color=#000000> but the actual version of tproxy 4.1 for 2.6.25 is here:</FONT>
<FONT color=#000000> <A href="http://people.balabit.hu/panther/tproxy">http://people.balabit.hu/panther/tproxy</A></FONT>
<FONT color=#000000> The kernel patch might work with nearby kernel versions, for example,</FONT>
<FONT color=#000000> tproxy2 might work with kernel 2.6.19; however it will not work</FONT>
<FONT color=#000000> with kernel 2.6.22 (unless you port it).</FONT>
<FONT color=#000000>2. Do not confuse tproxy kernel patch mentioned above with</FONT>
<FONT color=#000000> squid user-space patches.</FONT>
<FONT color=#000000> So far Squid (3.0 and 2.6) only supports tproxy2; the</FONT>
<FONT color=#000000> userspace code is integrated.</FONT>
<FONT color=#000000> If you managed to compile Squid without changing the source,</FONT>
<FONT color=#000000> perhaps with only minor changes in header files, it means you</FONT>
<FONT color=#000000> likely either did not successfully link in tproxy support or, at best, it</FONT>
<FONT color=#000000> is using tproxy2, and it will not work with the tproxy-4.0.x and</FONT>
<FONT color=#000000> tproxy-4.1.0 kernel counterparts.</FONT>
<FONT color=#000000> However, if you patch the squid source, you should be able</FONT>
<FONT color=#000000> to get squid to work with tproxy-4.0.x and tproxy-4.1.0.</FONT>
<FONT color=#000000> You can look through the archive of this maillist to look at how</FONT>
<FONT color=#000000> to port squid versions to support tproxy-4.0.x and tproxy-4.1.0.</FONT>
<FONT color=#000000> Most of the patches floating around are not fully satisfactory,</FONT>
<FONT color=#000000> but they could work, at least; perhaps it will require you to have</FONT>
<FONT color=#000000> some programming knowledge.</FONT>
<FONT color=#000000> Here may be a good start :-</FONT>
<FONT color=#000000>3. The tproxy kernel patches are not compatible with one another.</FONT>
<FONT color=#000000> Each requires its own way of setup and usage. So before doing</FONT>
<FONT color=#000000> anything, check if you have gotten the correct info/tproxy</FONT>
<FONT color=#000000> version/patches.</FONT>
<FONT color=#000000> These are some of the info :-</FONT>
<FONT color=#000000> (A) Version Tproxy2</FONT>
<FONT color=#000000> ============</FONT>
<FONT color=#000000> The Squid documentation recommends this :-</FONT>
<FONT color=#000000> ebtables -t broute -A BROUTING -p ipv4 --ip-protocol tcp \</FONT>
<FONT color=#000000> --ip-destination-port 80 -j redirect --redirect-target ACCEPT</FONT>
<FONT color=#000000> This rule will "broute" bridge traffic from br0 to netfilter.</FONT>
<FONT color=#000000> The iptables rule will bring http traffic into local process :-</FONT>
<FONT color=#000000> iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 \</FONT>
<FONT color=#000000> -j TPROXY --on-port 3128</FONT>
<FONT color=#000000> To get SNAT working for tproxy2, there is a need for double NAT,</FONT>
<FONT color=#000000> and here was the discussion and patch :-</FONT>
<FONT color=#000000> <A href="https://lists.balabit.hu/pipermail/tproxy/2007-October/000537.html">https://lists.balabit.hu/pipermail/tproxy/2007-October/000537.html</A></FONT>
<FONT color=#000000> (B) Version tproxy-4.0.x</FONT>
<FONT color=#000000> ================</FONT>
<FONT color=#000000> Requires additional patches for SNAT and FWMARK.</FONT>
<FONT color=#000000> There are some hurdles with the bridge.</FONT>
<FONT color=#000000> The bridge problem is that packets must be marked PACKET_HOST when</FONT>
<FONT color=#000000> heading for br0, as discussed on this tproxy maillist. There have been</FONT>
<FONT color=#000000> people saying they will post the patch for it, but to date there</FONT>
<FONT color=#000000> is none.</FONT>
<FONT color=#000000> This problem can be worked around by brouting the traffic into</FONT>
<FONT color=#000000> the real devices instead of br0 :-</FONT>
<FONT color=#000000> INSIDE_DEV=eth0</FONT>
<FONT color=#000000> OUTSIDE_DEV=eth1</FONT>
<FONT color=#000000> ebtables -t broute -A BROUTING -i $INSIDE_DEV -p ipv4 \</FONT>
<FONT color=#000000> --ip-protocol tcp --ip-destination-port 80 \</FONT>
<FONT color=#000000> -j redirect --redirect-target DROP</FONT>
<FONT color=#000000> ebtables -t broute -A BROUTING -i $OUTSIDE_DEV -p ipv4 \</FONT>
<FONT color=#000000> --ip-protocol tcp --ip-source-port 80 \</FONT>
<FONT color=#000000> -j redirect --redirect-target DROP</FONT>
<FONT color=#000000> Please note for real interfaces, it's redirect-target DROP and</FONT>
<FONT color=#000000> not redirect-target ACCEPT, while doing it on br0, it's</FONT>
<FONT color=#000000> redirect-target ACCEPT !</FONT>
<FONT color=#000000> Remember to adjust your iptables rule accordingly, since now</FONT>
<FONT color=#000000> packets are entering and leaving the real interfaces instead of br0.</FONT>
<FONT color=#000000> Example :-</FONT>
<FONT color=#000000> iptables -t tproxy -A PREROUTING -i $INSIDE_DEV \</FONT>
<FONT color=#000000> -p tcp --dport 80 -j TPROXY --on-port 3128</FONT>
<FONT color=#000000> For tproxy-4.0.3 remember to apply the additional kernel patches</FONT>
<FONT color=#000000> mentioned in this maillist or else the kernel will panic accessing</FONT>
<FONT color=#000000> a null pointer.</FONT>
<FONT color=#000000> (C) Version tproxy-4.1.0</FONT>
<FONT color=#000000> ================</FONT>
<FONT color=#000000> The ebtables/bridge notes above are equally applicable. However</FONT>
<FONT color=#000000> the iptables rules are totally different.</FONT>
<FONT color=#000000> Something like this will be required :-</FONT>
<FONT color=#000000> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \</FONT>
<FONT color=#000000> --tproxy-mark 0x1/0x1 --on-port 3128</FONT>
<FONT color=#000000> iptables -t mangle -N DIVERT</FONT>
<FONT color=#000000> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT</FONT>
<FONT color=#000000> iptables -t mangle -A DIVERT -j MARK --set-mark 1</FONT>
<FONT color=#000000> iptables -t mangle -A DIVERT -j ACCEPT</FONT>
<FONT color=#000000> ip rule add fwmark 1 lookup 100</FONT>
<FONT color=#000000> ip route add local 0.0.0.0/0 dev lo table 100</FONT>
</PRE></BLOCKQUOTE></BODY></HTML>