Dear Modestas,<br><br>Thanks for your response. My problem was exactly the libcap-devel ( CentOS package name ) missing in compile time. unfortunately there was no error or warning message in configure time in compile and if you rely in the messages in configure or compile time it should work. I was following up this howto : <a href="http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS">http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS</a> and there was no hint about this package. Anyway the problem was solved compeletely and I think it is better to mention this in <a href="http://squid-cache.org">squid-cache.org</a> HOWTO. <br>
<br>_Hamid <br><br><div class="gmail_quote">On Sat, Mar 14, 2009 at 6:04 PM, Modestas Vainius <span dir="ltr"><modestas@vainius.eu></span> wrote:<br><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
Hello,<br>
<br>
I faced similar problem to yours yesterday.<br>
<br>
Linux 2.6.28 on Debian GNU/Linux amd64 (TPROXY v4.1)<br>
iptables 1.4.3 snapshot (20090312)<br>
squid 3.1.0.6 (beta)<br>
<br>
I had no problems building iptables 1.4.3 snapshot, TPROXY target was built<br>
properly without a hassle and worked perfectly out-of-the-box.<br>
<br>
Squid seemed to build fine from the first sight however it simply didn't do<br>
any tproxy'ing (tproxy port worked but packets came out with the IP of the<br>
squid server). After long hours of debugging and tracing, I localized the<br>
problem to this squid code at src/tools.cc [1].<br>
<br>
And guess what:<br>
<br>
# squid -X 2>&1 | grep 'Stopping full transparency'<br>
Stopping full transparency: Missing needed capability support.<br>
<br>
So I needed to install libcap-dev package (on Debian) and to get development<br>
headers (sys/capability.h) for the Linux capabilities library and rebuild<br>
squid. And squid has started working fine then. I guess you have the same<br>
issue, just package name is different.<br>
<br>
Basically, I recommend running the command above to check your squid config<br>
with regard to tproxy support. Obviously, it should return nothing if<br>
transparency support has been successfully enabled. squid should be more<br>
verbose about such errors...<br>
<br>
What is more, TPROXY+squid works fine on my router/server which does<br>
NETMAP/SNAT too (I was concerned that there would be problems with nat'ing).<br>
Great job and thanks to everybody involved.<br>
<br>
1.<br>
-------------------<br>
static void<br>
restoreCapabilities(int keep)<br>
{<br>
/* NP: keep these two if-endif separate. Non-Linux work perfectly well<br>
without Linux syscap support. */<br>
#if defined(_SQUID_LINUX_)<br>
<br>
#if HAVE_SYS_CAPABILITY_H<br>
#ifndef _LINUX_CAPABILITY_VERSION_1<br>
#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION<br>
#endif<br>
cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));<br>
cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));<br>
<br>
head->version = _LINUX_CAPABILITY_VERSION_1;<br>
<br>
if (capget(head, cap) != 0) {<br>
debugs(50, DBG_IMPORTANT, "Can't get current capabilities");<br>
} else if (head->version != _LINUX_CAPABILITY_VERSION_1) {<br>
debugs(50, DBG_IMPORTANT, "Invalid capability version " << head-<br>
>version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");<br>
} else {<br>
<br>
head->pid = 0;<br>
<br>
cap->inheritable = 0;<br>
cap->effective = (1 << CAP_NET_BIND_SERVICE);<br>
<br>
if (IpInterceptor.TransparentActive()) {<br>
cap->effective |= (1 << CAP_NET_ADMIN);<br>
#if LINUX_TPROXY2<br>
cap->effective |= (1 << CAP_NET_BROADCAST);<br>
#endif<br>
}<br>
<br>
if (!keep)<br>
cap->permitted &= cap->effective;<br>
<br>
if (capset(head, cap) != 0) {<br>
IpInterceptor.StopTransparency("Error enabling needed<br>
capabilities.");<br>
}<br>
}<br>
<br>
xfree(head);<br>
xfree(cap);<br>
<br>
#else<br>
IpInterceptor.StopTransparency("Missing needed capability support.");<br>
#endif /* HAVE_SYS_CAPABILITY_H */<br>
<br>
#endif /* !defined(_SQUID_LINUX_) */<br>
}<br>
---------------<br>
<font color="#888888"><br>
--<br>
Modestas Vainius <modestas@vainius.eu><br>
<br>
</font></blockquote></div><br><br clear="all"><br>-- <br>Regards<br>Hamid Hashemi<br>