Ming-Ching Tiew wrote:
After checking the mail archive and doing some testing, I noticed there are quite a few different versions of the stuff floating around.
Those on the netfilter web site have given me lots of headaches (kernel version, iptables version and so on), so I figured that I would dig more deeply into the version on the balabit website, i.e. tproxy-4.0.3-2.6.22.tgz, since it seems to have only minor incompatibilities with squid.
After installing the patch on a 2.6.22 kernel and compiling iptables 1.3.8, everything went smoothly. And testing a version of squid-2.6.stable13 which had previously been working with tproxy2 (and I did modprobe iptable_tproxy tproxy_any=1), I noticed that squid is able to receive the redirected traffic.
It's positive so far!
However, upon checking the traffic, I noticed that the spoofing is not working, even though the http has been cached by squid.
The squid cache.log says:
tproxy ip=192.168.1.5,0x576e4c0,port=0 ERROR ASSIGN
That would be quite understandable, because the binary for squid has been compiled with (~/src/forward.c):
    /* tproxy2 style: hand the client's address to the kernel, then enable spoofing on connect */
    itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
    itp.v.addr.fport = 0;
    itp.op = TPROXY_ASSIGN;
    if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
        debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
                      inet_ntoa(itp.v.addr.faddr), itp.v.addr.faddr.s_addr, itp.v.addr.fport);
    } else {
        itp.op = TPROXY_FLAGS;
        itp.v.flags = ITP_CONNECT;
        if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1)
            debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT\n",
                          itp.v.addr.faddr.s_addr, itp.v.addr.fport);
    }
The tproxy-4.0.3-2.6.22.tgz did not mention how a source should be changed to use the new tproxy. I did try using IP_FREEBIND (using #define IP_FREEBIND 15) and the error goes away, but the spoofing is not done.
Hello, basically you don't need that whole code, only the IP_FREEBIND as you did, plus a bind() call with the address itp.v.addr.faddr.s_addr, port itp.v.addr.fport.
Any suggestion where else I should check to convince squid to use the new spoofing mechanism?
-- Panther
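The approach Panther describes (IP_FREEBIND plus a bind() to the client's address, in place of the tproxy2 TPROXY_ASSIGN/TPROXY_FLAGS setsockopt calls), written out as an added example; this is not code from the thread, from Squid or from the tproxy patch. The client address 192.168.1.5 and the IP_FREEBIND value 15 are taken from the thread; the function names are mine, and the kernel-side tproxy patch and iptables rules are assumed to be in place.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_FREEBIND
#define IP_FREEBIND 15          /* value used in the original post */
#endif

/* Fill sa from a dotted-quad address and a host-order port; -1 on bad address. */
int make_addr(struct sockaddr_in *sa, const char *ip, unsigned short port)
{
    memset(sa, 0, sizeof *sa);
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Create a TCP socket that will leave with the client's (non-local) address as
 * source: IP_FREEBIND lets bind() accept an address not configured on this host,
 * port 0 lets the kernel pick the source port (as Squid's fport = 0 did).
 * Returns an fd ready for connect(), or -1 with errno set. */
int spoofed_socket(const char *client_ip, unsigned short client_port)
{
    struct sockaddr_in src;
    int one = 1, fd, saved;
    if (make_addr(&src, client_ip, client_port) < 0) { errno = EINVAL; return -1; }
    if ((fd = socket(AF_INET, SOCK_STREAM, 0)) < 0)
        return -1;
    if (setsockopt(fd, SOL_IP, IP_FREEBIND, &one, sizeof one) < 0 ||
        bind(fd, (struct sockaddr *)&src, sizeof src) < 0) {
        saved = errno; close(fd); errno = saved;
        return -1;
    }
    return fd;
}

int main(void)
{
    struct sockaddr_in bound;
    socklen_t len = sizeof bound;
    int fd = spoofed_socket("192.168.1.5", 0);   /* client address from the cache.log line */
    if (fd < 0) { perror("spoofed_socket"); return 1; }
    if (getsockname(fd, (struct sockaddr *)&bound, &len) == 0)   /* shows the accepted source */
        printf("bound to %s:%u\n", inet_ntoa(bound.sin_addr), ntohs(bound.sin_port));
    close(fd);
    return 0;
}
```

The connect() to the origin server is unchanged; the kernel side still has to be set up so that replies addressed to the spoofed client address are delivered to the proxy box rather than forwarded.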