Ming-Ching Tiew wrote:
Laszlo Attila Toth wrote:
Gonzalo Arana wrote:
Try the patch located at http://www.squid-cache.org/bugs/show_bug.cgi?id=2129 Please note that this is still an unofficial patch. Any feedback about it is much appreciated.
Does the foreign bind work with this patch? I rewrote the patch for 2.6-STABLE18 and perhaps I missed something. What I see on the webserver is that the squid connects with its own IP address instead of the client's address. Config: http_port 3128 tproxy
When the new patch works, I will publish it. The changes: the --enable-tproxy option is dropped, only --enable-linux-netfilter is used. Also, both the REDIRECT and TPROXY targets can be used in this case. If the tproxy patch isn't in the kernel, it is ignored in squid.
Not answering this post specifically; however, I have two comments on the squid tproxy patch:
1. To have two different versions of patches and binaries for squid with tproxy 4.0.x and tproxy 4.1.0 is a nuisance and administratively unfortunate. It will be great if the patch can be one, and if there is a way to determine at runtime whether to pass IP_FREEBIND or IP_TRANSPARENT to setsockopt, that will be great.
As I wrote, it is only for tproxy 4.1. This is because it is pointless to maintain multiple versions. We hope that tproxy 4.1 will be a part of the mainline kernel which is the cleanest version and easiest to use.
The other way is to adjust the kernel patch for tproxy 4.1.0 to use IP_FREEBIND. But it seems this option has been explored and the kernel folks disagreed with it, though!
2. Removing NET_ADMIN capability for IP_FREEBIND isn't quite necessary for :-
The new patch is based on the other, but I keep this part, for instance. The IP_TRANSPARENT socket option requires the CAP_NET_ADMIN capability also; it cannot be removed.
-- Panther
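
The runtime choice between IP_TRANSPARENT and IP_FREEBIND raised in point 1, sketched as an added example (not code from the squid patch or from anyone in the thread). The names `fb_enable`, `fb_should_fall_back` and `enum fb_mode` are hypothetical, and the IP_FREEBIND fallback assumes the tproxy 4.0.x kernel behaviour described in the thread.

```c
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* Linux value, for older libc headers */
#endif

enum fb_mode { FB_NONE, FB_TRANSPARENT, FB_FREEBIND };

/* Only "option unknown to this kernel" justifies trying the older option.
 * EPERM (missing CAP_NET_ADMIN) must surface as an error, not a silent
 * fallback that leaves squid connecting with its own address. */
int fb_should_fall_back(int err) { return err == ENOPROTOOPT; }

/* Probe at runtime; *err receives the errno of the last failed attempt or 0. */
enum fb_mode fb_enable(int fd, int *err)
{
    int on = 1;
    *err = 0;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof on) == 0)
        return FB_TRANSPARENT;
    *err = errno;
    if (!fb_should_fall_back(*err))
        return FB_NONE;
    /* Assumption from the thread: a tproxy 4.0.x kernel takes IP_FREEBIND
     * for foreign bind. On an unpatched kernel this option has only its
     * ordinary meaning, so the caller still has to confirm the behaviour. */
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &on, sizeof on) == 0) {
        *err = 0;
        return FB_FREEBIND;
    }
    *err = errno;
    return FB_NONE;
}

int main(void)
{
    static const char *names[] = { "none", "IP_TRANSPARENT", "IP_FREEBIND" };
    int err, fd = socket(AF_INET, SOCK_STREAM, 0);
    enum fb_mode m = fb_enable(fd, &err);
    printf("foreign bind via: %s (%s)\n", names[m], err ? strerror(err) : "ok");
    if (fd >= 0) close(fd);
    return m == FB_NONE;
}
```

Run without CAP_NET_ADMIN, the probe reports `none` with the EPERM text, which is the case the thread's last reply describes.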