Dear Modestas,

Thanks for your response. My problem was exactly the libcap-devel (CentOS package name) missing at compile time. Unfortunately there was no error or warning message at configure or compile time, and if you rely on the messages at configure or compile time it should work. I was following this howto: http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS and there was no hint about this package. Anyway the problem was solved completely and I think it is better to mention this in the squid-cache.org HOWTO.

_Hamid

On Sat, Mar 14, 2009 at 6:04 PM, Modestas Vainius <modestas@vainius.eu> wrote:
Hello,

I faced a similar problem to yours yesterday.

Linux 2.6.28 on Debian GNU/Linux amd64 (TPROXY v4.1)
iptables 1.4.3 snapshot (20090312)
squid 3.1.0.6 (beta)

I had no problems building iptables 1.4.3 snapshot, TPROXY target was built
properly without a hassle and worked perfectly out-of-the-box.

Squid seemed to build fine at first sight, however it simply didn't do
any tproxy'ing (the tproxy port worked but packets came out with the IP of the
squid server). After long hours of debugging and tracing, I localized the
problem to this squid code at src/tools.cc [1].

And guess what:

# squid -X 2>&1 | grep 'Stopping full transparency'
Stopping full transparency: Missing needed capability support.

So I needed to install the libcap-dev package (on Debian) to get the development
headers (sys/capability.h) for the Linux capabilities library and rebuild
squid. And squid started working fine then. I guess you have the same
issue, just the package name is different.

Basically, I recommend running the command above to check your squid config
with regard to tproxy support. Obviously, it should return nothing if
transparency support has been successfully enabled. squid should be more
verbose about such errors...

What is more, TPROXY+squid works fine on my router/server which does
NETMAP/SNAT too (I was concerned that there would be problems with nat'ing).
Great job and thanks to everybody involved.

1.
-------------------
static void
restoreCapabilities(int keep)
{
   /* NP: keep these two if-endif separate. Non-Linux work perfectly well
      without Linux syscap support. */
#if defined(_SQUID_LINUX_)

#if HAVE_SYS_CAPABILITY_H
#ifndef _LINUX_CAPABILITY_VERSION_1
#define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
#endif
   cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
   cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));

   head->version = _LINUX_CAPABILITY_VERSION_1;

   if (capget(head, cap) != 0) {
       debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
   } else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
       debugs(50, DBG_IMPORTANT, "Invalid capability version " << head->version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
   } else {

       head->pid = 0;

       cap->inheritable = 0;
       cap->effective = (1 << CAP_NET_BIND_SERVICE);

       if (IpInterceptor.TransparentActive()) {
           cap->effective |= (1 << CAP_NET_ADMIN);
#if LINUX_TPROXY2
           cap->effective |= (1 << CAP_NET_BROADCAST);
#endif
       }

       if (!keep)
           cap->permitted &= cap->effective;

       if (capset(head, cap) != 0) {
           IpInterceptor.StopTransparency("Error enabling needed capabilities.");
       }
   }

   xfree(head);
   xfree(cap);

#else
   IpInterceptor.StopTransparency("Missing needed capability support.");
#endif /* HAVE_SYS_CAPABILITY_H */

#endif /* !defined(_SQUID_LINUX_) */
}
---------------

--
Modestas Vainius <modestas@vainius.eu>




--
Regards
Hamid Hashemi
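The capability masks that the quoted restoreCapabilities() builds, and a check of a running process's effective set against them, as an added example that is not part of either message nor of squid itself. The bit numbers come from linux/capability.h; the /proc/<pid>/status samples are constructed.

```python
import re
import sys

# Linux capability bit numbers (linux/capability.h). CAP_NET_BROADCAST is only
# requested on the old TPROXY2 code path in the quoted squid code.
CAP_NET_BIND_SERVICE = 10
CAP_NET_BROADCAST = 11
CAP_NET_ADMIN = 12
CAP_NAMES = {CAP_NET_BIND_SERVICE: "CAP_NET_BIND_SERVICE",
             CAP_NET_BROADCAST: "CAP_NET_BROADCAST",
             CAP_NET_ADMIN: "CAP_NET_ADMIN"}

def required_effective(transparent_active, tproxy2=False):
    """Mirror the effective mask restoreCapabilities() asks capset() for."""
    mask = 1 << CAP_NET_BIND_SERVICE
    if transparent_active:
        mask |= 1 << CAP_NET_ADMIN
        if tproxy2:
            mask |= 1 << CAP_NET_BROADCAST
    return mask

def permitted_after_restore(permitted, transparent_active, keep, tproxy2=False):
    """With keep == 0 squid drops every permitted cap it does not need."""
    if keep:
        return permitted
    return permitted & required_effective(transparent_active, tproxy2)

def parse_proc_status(text):
    """Return the Cap* lines of /proc/<pid>/status as {name: int}."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}

def missing_caps(status_text, transparent_active=True, tproxy2=False):
    """Names of caps squid's tproxy mode needs that are absent from CapEff."""
    have = parse_proc_status(status_text).get("CapEff", 0)
    need = required_effective(transparent_active, tproxy2)
    return [CAP_NAMES[b] for b in sorted(CAP_NAMES)
            if need & (1 << b) and not have & (1 << b)]

# Constructed samples: a squid with NET_ADMIN+NET_BIND_SERVICE, and one without NET_ADMIN.
SAMPLE_STATUS_OK = "Name:\tsquid\nPid:\t4242\nCapPrm:\t0000000000001400\nCapEff:\t0000000000001400\n"
SAMPLE_STATUS_BAD = "Name:\tsquid\nPid:\t4243\nCapPrm:\t0000000000000400\nCapEff:\t0000000000000400\n"

if __name__ == "__main__":
    # Usage: python3 check_caps.py <pid of a running squid>
    with open("/proc/%s/status" % sys.argv[1]) as fh:
        print("missing:", missing_caps(fh.read()))
```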