Hi,

On Mon, Mar 3, 2008 at 12:33 PM, Laszlo Attila Toth <panther@balabit.hu> wrote:
> Hi,
>
> Gonzalo Arana wrote:
>
> > Try the patch located in http://www.squid-cache.org/bugs/show_bug.cgi?id=2129
> > Please note that this is still an unofficial patch. Any feedback about it is much appreciated.
> Does the foreign bind work with this patch? I rewrote the patch for
Indeed. I believe it is called freebind.
> 2.6-STABLE18 and perhaps I missed something. What I see on the webserver is that
> the squid connects with its own IP address instead of the client's address.
>
> Config:
>
> http_port 3128 tproxy
Odd. My patch requires that comm_fdopenex be called with COMM_FREEBIND, so that
setsockopt(fd, SOL_IP, IP_FREEBIND, &on, ...) is called before bind(2) is. In my patch:

1) "http_port XXX tproxy" implies that http_port_list->tproxy is set (in
   clientHttpConnectionsOpen), and that COMM_FREEBIND is passed to comm_fdopenex.
2) fwdConnectStart calls comm_openex(...) with COMM_FREEBIND set if the request
   is received through a 'tproxy' squid socket.
3) (not patched by me) clientTryParseRequest copies the tproxy flag from the
   passive socket to the request.

Perhaps strace may shed some light on this (ioctl should be called before bind).
> When the new patch works, I will publish it. The changes: the --enable-tproxy
> option is dropped; only --enable-linux-netfilter is used. Also, both the REDIRECT
> and TPROXY targets can be used in this case. If the tproxy patch isn't in the
> kernel, it is ignored in squid.
HTH,

--
Gonzalo A. Arana
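For readers following the ordering argument in Gonzalo's reply, here is a small standalone C program (an added example, not code from the squid patch or from the thread) that shows why IP_FREEBIND has to be set before bind(2): on Linux, binding to an address that is not configured on the host fails with EADDRNOTAVAIL unless the option is set first. The function name and the TEST-NET address are assumptions chosen for the illustration.

```c
/* Shows the ordering the message describes: setsockopt(IP_FREEBIND) must run
 * before bind(2), otherwise binding a non-local source address fails.
 * Linux only (IP_FREEBIND / SOL_IP are Linux socket options). */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Open a TCP socket and try to bind it to `addr` on an ephemeral port.
 * If `freebind` is non-zero, IP_FREEBIND is set before bind(2), as the
 * patched comm_fdopenex path is meant to do. Returns 0 on success, or the
 * errno from the failing call. Assumed helper, not part of squid. */
int bind_with_optional_freebind(const char *addr, int freebind) {
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) return errno;
    int rc = 0;
    if (freebind) {
        int on = 1;
        /* Must happen before bind(2); setting it afterwards has no effect on
         * the address check the kernel already performed. */
        if (setsockopt(fd, SOL_IP, IP_FREEBIND, &on, sizeof(on)) < 0) {
            rc = errno; close(fd); return rc;
        }
    }
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = 0; /* ephemeral port: no privilege needed */
    if (inet_pton(AF_INET, addr, &sin.sin_addr) != 1) { close(fd); return EINVAL; }
    if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) rc = errno;
    close(fd);
    return rc;
}

int main(void) {
    /* Constructed non-local address from TEST-NET-1 (RFC 5737). */
    const char *nonlocal = "192.0.2.10";
    printf("bind without IP_FREEBIND: %s\n", strerror(bind_with_optional_freebind(nonlocal, 0)));
    printf("bind with IP_FREEBIND:    %s\n", strerror(bind_with_optional_freebind(nonlocal, 1)));
    return 0;
}
```

If the first call succeeds on your host, check net.ipv4.ip_nonlocal_bind, which makes the kernel skip the local-address check globally.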