Dear Modestas,

Thanks for your response. My problem was exactly the libcap-devel (CentOS package name) missing at compile time. Unfortunately there was no error or warning message at configure or compile time, and if you rely on the messages at configure or compile time it should work. I was following this howto: http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS and there was no hint about this package. Anyway the problem was solved completely and I think it is better to mention this in the squid-cache.org HOWTO.

_Hamid

On Sat, Mar 14, 2009 at 6:04 PM, Modestas Vainius <modestas@vainius.eu> wrote:
Hello,
I faced similar problem to yours yesterday.
Linux 2.6.28 on Debian GNU/Linux amd64 (TPROXY v4.1)
iptables 1.4.3 snapshot (20090312)
squid 3.1.0.6 (beta)
I had no problems building iptables 1.4.3 snapshot, TPROXY target was built properly without a hassle and worked perfectly out-of-the-box.
Squid seemed to build fine at first sight, however it simply didn't do any tproxy'ing (the tproxy port worked but packets came out with the IP of the squid server). After long hours of debugging and tracing, I localized the problem to this squid code at src/tools.cc [1].
And guess what:
# squid -X 2>&1 | grep 'Stopping full transparency'
Stopping full transparency: Missing needed capability support.
So I needed to install the libcap-dev package (on Debian) to get the development headers (sys/capability.h) for the Linux capabilities library and rebuild squid. And squid started working fine then. I guess you have the same issue, just the package name is different.
Basically, I recommend running the command above to check your squid config with regard to tproxy support. Obviously, it should return nothing if transparency support has been successfully enabled. squid should be more verbose about such errors...
What is more, TPROXY+squid works fine on my router/server which does NETMAP/SNAT too (I was concerned that there would be problems with nat'ing). Great job and thanks to everybody involved.
1. -------------------
static void
restoreCapabilities(int keep)
{
    /* NP: keep these two if-endif separate. Non-Linux work perfectly well without Linux syscap support. */
#if defined(_SQUID_LINUX_)
#if HAVE_SYS_CAPABILITY_H
    /* capget()/capset() and the cap_user_*_t types come from sys/capability.h (libcap);
     * when configure did not find that header, this whole branch is compiled out and
     * the #else branch below disables transparency instead. */
#ifndef _LINUX_CAPABILITY_VERSION_1
#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
#endif
    cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
    cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));

    head->version = _LINUX_CAPABILITY_VERSION_1;

    if (capget(head, cap) != 0) {
        debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
    } else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
        debugs(50, DBG_IMPORTANT, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
    } else {
        head->pid = 0;

        /* Keep only what squid needs: binding to privileged ports, plus
         * CAP_NET_ADMIN when transparent interception (TPROXY) is active. */
        cap->inheritable = 0;
        cap->effective = (1 << CAP_NET_BIND_SERVICE);

        if (IpInterceptor.TransparentActive()) {
            cap->effective |= (1 << CAP_NET_ADMIN);
#if LINUX_TPROXY2
            cap->effective |= (1 << CAP_NET_BROADCAST);
#endif
        }

        /* Unless asked to keep them, drop every permitted capability not in the effective set. */
        if (!keep)
            cap->permitted &= cap->effective;

        if (capset(head, cap) != 0) {
            IpInterceptor.StopTransparency("Error enabling needed capabilities.");
        }
    }

    xfree(head);
    xfree(cap);

#else
    IpInterceptor.StopTransparency("Missing needed capability support.");
#endif /* HAVE_SYS_CAPABILITY_H */
#endif /* !defined(_SQUID_LINUX_) */
}
---------------
-- Modestas Vainius <modestas@vainius.eu>
--
Regards,
Hamid Hashemi
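A stand-alone check in the spirit of the `squid -X | grep` test above, added here as an example and not code from this thread or from Squid: it calls capget(2) directly through syscall(2), so it builds even when the libcap headers that Squid's restoreCapabilities() needs are absent, and reports whether the process's permitted set contains the capabilities that function keeps for TPROXY (CAP_NET_BIND_SERVICE plus CAP_NET_ADMIN). It assumes Linux and the kernel's linux/capability.h; the function names are my own.

```c
/* Added example (not Squid's code): probe this process's capability sets via the
 * raw capget(2) syscall, so it builds without libcap, and report which of the
 * capabilities Squid's restoreCapabilities() keeps for TPROXY are missing. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Effective mask Squid 3.1 asks for: CAP_NET_BIND_SERVICE always, plus
 * CAP_NET_ADMIN when interception is active (TPROXY2's CAP_NET_BROADCAST omitted). */
uint32_t required_effective_mask(int transparent_active)
{
    uint32_t mask = 1u << CAP_NET_BIND_SERVICE;
    if (transparent_active)
        mask |= 1u << CAP_NET_ADMIN;
    return mask;
}

/* Bits of 'required' absent from 'permitted'; 0 means capset() of that effective set could succeed. */
uint32_t missing_caps(uint32_t permitted, uint32_t required)
{
    return required & ~permitted;
}

/* Read the v1 (32-bit) sets of the calling process with the same legacy header
 * version Squid used. Returns 0 on success, -errno on failure. */
int probe_capabilities(uint32_t *effective, uint32_t *permitted)
{
    struct __user_cap_header_struct head = { _LINUX_CAPABILITY_VERSION_1, 0 }; /* pid 0 = self */
    struct __user_cap_data_struct cap = { 0 };
    if (syscall(SYS_capget, &head, &cap) != 0)
        return -errno;
    *effective = cap.effective;
    *permitted = cap.permitted;
    return 0;
}

int main(void)
{
    uint32_t eff = 0, perm = 0;
    if (probe_capabilities(&eff, &perm) != 0) {
        perror("capget");
        return 1;
    }
    uint32_t miss = missing_caps(perm, required_effective_mask(1));
    printf("effective=0x%08x permitted=0x%08x missing-for-tproxy=0x%08x\n", eff, perm, miss);
    if (miss)
        puts("capset() would fail here: squid would log 'Error enabling needed capabilities.'");
    return miss ? 2 : 0;
}
```

Run it as the user squid starts as (normally root, before it drops privileges); a non-zero missing mask means the process was started without the capabilities Squid tries to keep, which is a different failure from the compiled-out header case.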