<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 TRANSITIONAL//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; CHARSET=UTF-8">
<META NAME="GENERATOR" CONTENT="GtkHTML/3.16.1">
</HEAD>
<BODY BGCOLOR="#ffffff" LEFTMARGIN="0" TOPMARGIN="0">
I also had this problem when I patched my squid package. I didn't find any link where you can get this patch as. For me, I made all the changes described in this patch manually and it worked. <BR>
<BR>
<BR>
<BR>
On Thu, 2008-02-28 at 08:58 -0300, Eduardo Schoedler wrote:
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">Hello nantenaina Tianarivo !!!</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">Thanks for the link.</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">But I'm having some trouble applying it, as you can see below.</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">In your link is another link, to get the patch as an attachment.</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"><A HREF="http://lists.balabit.hu/pipermail/tproxy/attachments/20071220/c6c74b7c/attachment-0001.htm">http://lists.balabit.hu/pipermail/tproxy/attachments/20071220/c6c74b7c/attachment-0001.htm</A> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">I've tried it (without the html tags, of course), and it didn't work.</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"># cat squid-tproxy.patch | patch -p1</FONT><BR>
<FONT COLOR="#000000">patching file src/comm.c</FONT><BR>
<FONT COLOR="#000000">patch: **** malformed patch at line 7: {</FONT><BR>
<BR>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">Any ideas?</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">Thanks!</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">Best Regards,</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">Eduardo Schoedler.</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000"> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<B><FONT COLOR="#000000">From:</FONT></B><FONT COLOR="#000000"> <A HREF="mailto:rivo@gulfsat.mg">nantenaina Tianarivo</A> </FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<B><FONT COLOR="#000000">Subject:</FONT></B><FONT COLOR="#000000"> Re: [tproxy] Squid with tproxy extra brief FAQ - take 2</FONT>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<BR>
<BR>
</BLOCKQUOTE>
<BLOCKQUOTE TYPE=CITE>
<FONT COLOR="#000000">I have tried the patch for IP_freebind proposed here <A HREF="https://lists.balabit.hu/pipermail/tproxy/2007-December/000638.html">https://lists.balabit.hu/pipermail/tproxy/2007-December/000638.html</A> and my squid could work with the tproxy4.</FONT><BR>
<FONT COLOR="#000000">Before that it loaded the tproxy2 when compiled with --enable-linux-tproxy</FONT><BR>
<BR>
<FONT COLOR="#000000">I hope it can help you.</FONT><BR>
<FONT COLOR="#000000">Rivo</FONT><BR>
<FONT COLOR="#000000">On Wed, 2008-02-27 at 14:33 -0300, Eduardo Schoedler wrote: </FONT>
<BLOCKQUOTE TYPE=CITE>
<PRE>
<FONT COLOR="#000000">Thanks for the FAQ.</FONT>
<FONT COLOR="#000000">I'm using the (B) Version Tproxy 4.0.x.</FONT>
<FONT COLOR="#000000">However, I haven't found the patch for squid in the site</FONT>
<FONT COLOR="#000000"><A HREF="http://www.balabit.hu/downloads/files/tproxy/">http://www.balabit.hu/downloads/files/tproxy/</A>.</FONT>
<FONT COLOR="#000000">I'm using SQUID-2.6.17 with "--enable-linux-tproxy".</FONT>
<FONT COLOR="#000000">But this compile option activates support for tproxy2 instead of tproxy4.0.x,</FONT>
<FONT COLOR="#000000">right ?</FONT>
<FONT COLOR="#000000">How can I find the patch ?</FONT>
<FONT COLOR="#000000">Thanks in advance!</FONT>
<FONT COLOR="#000000">Best Regards,</FONT>
<FONT COLOR="#000000">Eduardo Schoedler.</FONT>
<FONT COLOR="#000000">--------------------------------------------------</FONT>
<FONT COLOR="#000000">From: "Ming-Ching Tiew" &lt;<A HREF="mailto:mingching.tiew@redtone.com">mingching.tiew@redtone.com</A>&gt;</FONT>
<FONT COLOR="#000000">Subject: [tproxy] Squid with tproxy extra brief FAQ - take 2</FONT>
<FONT COLOR="#000000">1. There are at least 3 different versions of tproxy kernel patches.</FONT>
<FONT COLOR="#000000"> Each tproxy kernel patch is quite strongly tied to a kernel version,</FONT>
<FONT COLOR="#000000"> (A) Version Tproxy2</FONT>
<FONT COLOR="#000000"> =============</FONT>
<FONT COLOR="#000000"> For kernel 2.6.18</FONT>
<FONT COLOR="#000000"> URL: <A HREF="http://www.balabit.hu/downloads/files/tproxy/obsolete/">http://www.balabit.hu/downloads/files/tproxy/obsolete/</A></FONT>
<FONT COLOR="#000000"> (B) Version Tproxy 4.0.x</FONT>
<FONT COLOR="#000000"> ================</FONT>
<FONT COLOR="#000000"> For kernel 2.6.22</FONT>
<FONT COLOR="#000000"> URL: <A HREF="http://www.balabit.hu/downloads/files/tproxy/">http://www.balabit.hu/downloads/files/tproxy/</A></FONT>
<FONT COLOR="#000000"> (C) Version Tproxy-4.1.0</FONT>
<FONT COLOR="#000000"> =================</FONT>
<FONT COLOR="#000000"> For kernel 2.6.25</FONT>
<FONT COLOR="#000000"> URL: The "official website" is for kernel &lt;=2.6.24</FONT>
<FONT COLOR="#000000"> <A HREF="http://people.netfilter.org/hidden/tproxy">http://people.netfilter.org/hidden/tproxy</A></FONT>
<FONT COLOR="#000000"> but the actual version of tproxy 4.1 for 2.6.25 is here:</FONT>
<FONT COLOR="#000000"> <A HREF="http://people.balabit.hu/panther/tproxy">http://people.balabit.hu/panther/tproxy</A></FONT>
<FONT COLOR="#000000"> The kernel patch might work with nearby kernel versions, for example,</FONT>
<FONT COLOR="#000000"> tproxy2 might work with kernel 2.6.19; however it will not work</FONT>
<FONT COLOR="#000000"> with kernel 2.6.22 ( unless you port it ).</FONT>
<FONT COLOR="#000000">2. Do not confuse tproxy kernel patch mentioned above with</FONT>
<FONT COLOR="#000000"> squid user-space patches.</FONT>
<FONT COLOR="#000000"> So far Squid ( 3.0 and 2.6 ) only supports tproxy2 - the</FONT>
<FONT COLOR="#000000"> userspace code is integrated.</FONT>
<FONT COLOR="#000000"> If you managed to compile Squid without changing the source,</FONT>
<FONT COLOR="#000000"> perhaps with only minor changes in header files, it means you</FONT>
<FONT COLOR="#000000"> likely either did not successfully link in tproxy support or at best it</FONT>
<FONT COLOR="#000000"> is using tproxy2, and it will not work with tproxy-4.0.x and</FONT>
<FONT COLOR="#000000"> tproxy-4.1.0 kernel counterpart.</FONT>
<FONT COLOR="#000000"> However, if you patch the squid source, you should be able</FONT>
<FONT COLOR="#000000"> to get squid to work with tproxy-4.0.x and tproxy-4.1.0.</FONT>
<FONT COLOR="#000000"> You can look through the archive of this maillist to look at how</FONT>
<FONT COLOR="#000000"> to port squid versions to support tproxy-4.0.x and tproxy-4.1.0.</FONT>
<FONT COLOR="#000000"> Most of the patches floating around are not fully satisfactory,</FONT>
<FONT COLOR="#000000"> but it could work, at least; but perhaps it will require you to have</FONT>
<FONT COLOR="#000000"> some programming knowledge.</FONT>
<FONT COLOR="#000000"> Here maybe a good start :-</FONT>
<FONT COLOR="#000000">3. All the tproxy kernel patches are not compatible with one another.</FONT>
<FONT COLOR="#000000"> Each requires its own way of setup and usage. So before doing</FONT>
<FONT COLOR="#000000"> anything, check if you have gotten the correct info/tproxy version/patches.</FONT>
<FONT COLOR="#000000"> These are some of the info :-</FONT>
<FONT COLOR="#000000"> (A) Version Tproxy2</FONT>
<FONT COLOR="#000000"> ============</FONT>
<FONT COLOR="#000000"> The Squid documentation recommends this :-</FONT>
<FONT COLOR="#000000"> ebtables -t broute -A BROUTING -p ipv4 --ip-protocol tcp \</FONT>
<FONT COLOR="#000000"> --ip-destination-port 80 -j redirect --redirect-target ACCEPT</FONT>
<FONT COLOR="#000000"> This rule will "broute" bridge traffic from br0 to netfilter.</FONT>
<FONT COLOR="#000000"> The iptables rule will bring http traffic into local process :-</FONT>
<FONT COLOR="#000000"> iptables -t tproxy -A PREROUTING -i br0 -p tcp --dport 80 \</FONT>
<FONT COLOR="#000000"> -j TPROXY --on-port 3128</FONT>
<FONT COLOR="#000000"> To get SNAT working for tproxy2, there is a need for double NAT,</FONT>
<FONT COLOR="#000000"> and here was the discussion and patch :-</FONT>
<FONT COLOR="#000000"> <A HREF="https://lists.balabit.hu/pipermail/tproxy/2007-October/000537.html">https://lists.balabit.hu/pipermail/tproxy/2007-October/000537.html</A></FONT>
<FONT COLOR="#000000"> (B) Version tproxy-4.0.x</FONT>
<FONT COLOR="#000000"> ================</FONT>
<FONT COLOR="#000000"> Requires additional patches for SNAT and FWMARK.</FONT>
<FONT COLOR="#000000"> Some hurdles with bridge.</FONT>
<FONT COLOR="#000000"> The bridge problem has to do with packets needing to be marked PACKET_HOST when</FONT>
<FONT COLOR="#000000"> heading for br0, as discussed in this tproxy maillist. There have been</FONT>
<FONT COLOR="#000000"> people saying they will post the patch for it but, to date, there is none.</FONT>
<FONT COLOR="#000000"> This problem can be worked around by brouting the traffic into</FONT>
<FONT COLOR="#000000"> the real devices instead of br0 :-</FONT>
<FONT COLOR="#000000"> INSIDE_DEV=eth0</FONT>
<FONT COLOR="#000000"> OUTSIDE_DEV=eth1</FONT>
<FONT COLOR="#000000"> ebtables -t broute -A BROUTING -i $INSIDE_DEV -p ipv4 \</FONT>
<FONT COLOR="#000000"> --ip-protocol tcp --ip-destination-port 80 \</FONT>
<FONT COLOR="#000000"> -j redirect --redirect-target DROP</FONT>
<FONT COLOR="#000000"> ebtables -t broute -A BROUTING -i $OUTSIDE_DEV -p ipv4 \</FONT>
<FONT COLOR="#000000"> --ip-protocol tcp --ip-source-port 80 \</FONT>
<FONT COLOR="#000000"> -j redirect --redirect-target DROP</FONT>
<FONT COLOR="#000000"> Please note for real interfaces, it's redirect-target DROP and</FONT>
<FONT COLOR="#000000"> not redirect-target ACCEPT, while doing it on br0, it's</FONT>
<FONT COLOR="#000000"> redirect-target ACCEPT !</FONT>
<FONT COLOR="#000000"> Remember to adjust your iptables rule accordingly since packets are now</FONT>
<FONT COLOR="#000000"> entering and leaving the real interfaces instead of br0.</FONT>
<FONT COLOR="#000000"> Example :-</FONT>
<FONT COLOR="#000000"> iptables -t tproxy -A PREROUTING -i $INSIDE_DEV \</FONT>
<FONT COLOR="#000000"> -p tcp --dport 80 -j TPROXY --on-port 3128</FONT>
<FONT COLOR="#000000"> For tproxy-4.0.3 remember to apply the additional kernel patches</FONT>
<FONT COLOR="#000000"> mentioned in this maillist or else the kernel will panic accessing</FONT>
<FONT COLOR="#000000"> null pointer.</FONT>
<FONT COLOR="#000000"> (C) Version tproxy-4.1.0</FONT>
<FONT COLOR="#000000"> ================</FONT>
<FONT COLOR="#000000"> The ebtables/bridge notes above are equally applicable. However</FONT>
<FONT COLOR="#000000"> the iptables rules are totally different.</FONT>
<FONT COLOR="#000000"> Something like this will be required :-</FONT>
<FONT COLOR="#000000"> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY \</FONT>
<FONT COLOR="#000000"> --tproxy-mark 0x1/0x1 --on-port 3128</FONT>
<FONT COLOR="#000000"> iptables -t mangle -N DIVERT</FONT>
<FONT COLOR="#000000"> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT</FONT>
<FONT COLOR="#000000"> iptables -t mangle -A DIVERT -j MARK --set-mark 1</FONT>
<FONT COLOR="#000000"> iptables -t mangle -A DIVERT -j ACCEPT</FONT>
<FONT COLOR="#000000"> ip rule add fwmark 1 lookup 100</FONT>
<FONT COLOR="#000000"> ip route add local 0.0.0.0/0 dev lo table 100</FONT>
</PRE>
</BLOCKQUOTE>
<PRE>
<FONT COLOR="#000000">_______________________________________________</FONT>
<FONT COLOR="#000000">tproxy mailing list</FONT>
<FONT COLOR="#000000"><A HREF="mailto:tproxy@lists.balabit.hu">tproxy@lists.balabit.hu</A></FONT>
<FONT COLOR="#000000"><A HREF="https://lists.balabit.hu/mailman/listinfo/tproxy">https://lists.balabit.hu/mailman/listinfo/tproxy</A></FONT>
</PRE>
</BLOCKQUOTE>
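The "malformed patch at line 7: {" error quoted above is what patch reports when a line inside a hunk lacks its one-character diff prefix; a common cause when a patch is copied out of an HTML page is a context line losing its leading space. The checker below is an added example, not part of the thread or of the squid patch: it assumes a unified diff, and check_patch, DAMAGED and src/example.c are constructed for illustration.

```python
import re

HUNK = re.compile(r"^@@ -\d+(?:,(\d+))? \+\d+(?:,(\d+))? @@")

def check_patch(text, repair=False):
    """Check unified-diff hunk bodies; return (problems, patch_text).
    With repair=True, a hunk line lacking a ' ', '+', '-' or '\\' prefix is
    treated as a context line that lost its leading space (an assumption)."""
    problems, out = [], []
    old_left = new_left = 0              # body lines the current hunk still owes
    for no, line in enumerate(text.splitlines(), 1):
        m = HUNK.match(line)
        if m:
            if old_left or new_left:
                problems.append((no, "previous hunk is short"))
            old_left, new_left = int(m.group(1) or 1), int(m.group(2) or 1)
        elif old_left or new_left:       # inside a hunk body
            tag = line[:1]
            if tag == "+":
                new_left -= 1
            elif tag == "-":
                old_left -= 1
            elif tag != "\\":            # "\ No newline ..." lines count for nothing
                if tag != " ":
                    problems.append((no, "no diff prefix: %r" % line))
                    if repair:
                        line = " " + line
                old_left, new_left = old_left - 1, new_left - 1
            if old_left < 0 or new_left < 0:
                problems.append((no, "hunk longer than its header says"))
                old_left = new_left = 0
        out.append(line)
    if old_left or new_left:
        problems.append((len(out), "patch ends inside a hunk"))
    return problems, "\n".join(out) + "\n"

# Constructed sample (not the squid patch): line 7 lost its leading space.
DAMAGED = """\
--- a/src/example.c
+++ b/src/example.c
@@ -1,6 +1,7 @@
 /* constructed sample */
 int
 open_socket(void)
{
+    int on = 1;
     return 0;
 }
"""
```

A repaired patch should still be read through and tried with patch --dry-run -p1 before it is applied, since a context line that lost one space of deeper indentation still carries a valid prefix and passes this check.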
</BODY>
</HTML>