Correction, tproxy seems to return -EINVAL because rcv_saddr is 0, not sk->sport

- Enrico

Enrico Demarin (home) wrote:
I was looking at the squid error log and at the tproxy source.

In iptable_tproxy.c:

    static int ip_tproxy_setsockopt_assign(struct sock *sk, int proto, struct in_tproxy *itp)
    {
        ...
        if (!sk->rcv_saddr || !sk->sport)
            return -EINVAL;
In the squid log:

    2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
    2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
and in squid's src/forward.c:

    static void fwdConnectStart(void *data)
    {
        ...
        itp.op = TPROXY_ASSIGN;
        if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
            debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
                inet_ntoa(itp.v.addr.faddr), itp.v.addr.faddr.s_addr, itp.v.addr.fport);

It seems squid sends an fport == 0 and tproxy returns -EINVAL. I will look more into it tomorrow, but in the meantime, does anyone have an idea why?
- Enrico
Enrico Demarin (home) wrote:
> > However Squid doesn't seem to be able to spoof the original IP:
> tproxy needs CAP_NET_ADMIN. Which you do not have when running in unprivileged mode. And running in privileged mode (root) is inhibited by squid.

> > Did anyone get squid+cttproxy to work on a bridge? What am I missing?
> Something that gives your squid user the CAP_NET_ADMIN capability.

Doesn't this do it (squid 2.6, tools.c)? I added a debug message and it's printed during init, however I still get the ERROR ASSIGN messages.
    #if LINUX_TPROXY
        if (need_linux_tproxy) {
            /* allocate the header and data structs themselves, not the
             * pointer types (sizeof(cap_user_header_t) is a pointer size) */
            cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
            cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));

            head->version = _LINUX_CAPABILITY_VERSION;
            head->pid = 0;
            cap->inheritable = cap->permitted = cap->effective =
                (1 << CAP_NET_ADMIN) + (1 << CAP_NET_BIND_SERVICE) + (1 << CAP_NET_BROADCAST);

            if (capset(head, cap) != 0) {
                xfree(head);
                xfree(cap);
                fatal("Error giving up capabilities");
            }
            debug(50, 0) ("Caps set to %x\n", cap->effective);
            xfree(head);
            xfree(cap);
        }
    #endif
_______________________________________________
tproxy mailing list
tproxy@lists.balabit.hu
https://lists.balabit.hu/mailman/listinfo/tproxy
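Added example (my own code, not from squid, cttproxy or anyone in this thread). The two failure causes discussed above, a missing CAP_NET_ADMIN and a socket whose rcv_saddr or sport is still 0, can both be told apart from user space before the TPROXY_ASSIGN is attempted: rcv_saddr and sport in the quoted kernel check are the socket's own local address and port, which getsockname() reports, and the effective capability set is readable with capget(2). The block below runs on a stock Linux kernel because it never issues the IP_TPROXY setsockopt itself; it only reproduces the kernel's condition on the values the kernel would test. The names tproxy_preflight, struct tproxy_preflight and make_bound_socket are chosen for this example and are not squid or cttproxy identifiers; the -EPERM result for the capability case is this example's own convention.

```c
/*
 * Added example, not code from squid or cttproxy.  Mirrors the condition
 * quoted in the thread from cttproxy's iptable_tproxy.c:
 *
 *     if (!sk->rcv_saddr || !sk->sport) return -EINVAL;
 *
 * on the socket's local address/port as seen through getsockname(), and
 * checks CAP_NET_ADMIN with capget(2).  Names here are this example's own
 * (assumption), not identifiers from either project.
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

struct tproxy_preflight {
    uint32_t    local_addr;     /* host order; 0 = unbound or INADDR_ANY */
    uint16_t    local_port;     /* host order; 0 = no port bound yet */
    int         have_net_admin; /* 1 if CAP_NET_ADMIN is in the effective set */
    const char *reason;         /* NULL when the assign should pass */
};

/* Read the calling thread's effective capabilities with capget(2). */
static int cap_effective_has(int cap)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[2];   /* v3 format: two 32-bit words */

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                             /* 0 = this thread */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    return (data[cap >> 5].effective >> (cap & 31)) & 1;
}

/*
 * Returns 0 if TPROXY_ASSIGN would pass the kernel's rcv_saddr/sport check
 * and CAP_NET_ADMIN is held, -EINVAL if the local binding would be rejected
 * the way the thread describes, -EPERM (this example's convention) if only
 * the capability is missing, -1 if getsockname() fails.
 */
int tproxy_preflight(int fd, struct tproxy_preflight *out)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof sin;

    memset(out, 0, sizeof *out);
    memset(&sin, 0, sizeof sin);
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0) {
        out->reason = "getsockname failed";
        return -1;
    }
    out->local_addr = ntohl(sin.sin_addr.s_addr);
    out->local_port = ntohs(sin.sin_port);
    out->have_net_admin = (cap_effective_has(CAP_NET_ADMIN) == 1);

    if (out->local_addr == 0) {              /* !sk->rcv_saddr */
        out->reason = "rcv_saddr is 0: bind() to a specific local address before TPROXY_ASSIGN";
        return -EINVAL;
    }
    if (out->local_port == 0) {              /* !sk->sport */
        out->reason = "sport is 0: bind() to a port before TPROXY_ASSIGN";
        return -EINVAL;
    }
    if (!out->have_net_admin) {
        out->reason = "CAP_NET_ADMIN is not effective: the assign needs it";
        return -EPERM;
    }
    return 0;
}

/* Open a TCP socket bound to ip:port (port 0 = ephemeral); -1 on failure. */
int make_bound_socket(const char *ip, uint16_t port)
{
    struct sockaddr_in sin;
    int fd = socket(AF_INET, SOCK_STREAM, 0);

    if (fd < 0)
        return -1;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sin.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sin, sizeof sin) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

int main(void)
{
    /* 0.0.0.0 reproduces the thread's case: a port gets assigned but
     * rcv_saddr stays 0; 127.0.0.1 is a binding the kernel check accepts. */
    const char *cases[] = { "0.0.0.0", "127.0.0.1" };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct tproxy_preflight d;
        int fd = make_bound_socket(cases[i], 0);
        int rc = fd < 0 ? -1 : tproxy_preflight(fd, &d);

        if (fd < 0)
            printf("bound to %s: bind failed\n", cases[i]);
        else
            printf("bound to %s: rc=%d addr=0x%08x port=%u net_admin=%d %s\n",
                   cases[i], rc, d.local_addr, d.local_port, d.have_net_admin,
                   d.reason ? d.reason : "assign would pass the kernel check");
        if (fd >= 0)
            close(fd);
    }
    return 0;
}
```

Note that the port=0 in the squid log line is itp.v.addr.fport, the foreign port squid asks to assign, whereas the kernel check is on the socket's own rcv_saddr and sport; a socket bound to INADDR_ANY gets a port from bind() yet still fails the rcv_saddr half, which is what the preflight reports for the 0.0.0.0 case.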