Re: Re: [tproxy] Tproxy + Squid 2.6
> > However Squid doesn't seem to be able to spoof the original IP:
>
> tproxy needs CAP_NET_ADMIN. Which you do not have when running in
> unprivileged mode. And running in privileged mode (root) is inhibited by
> squid.
>
> > Did anyone get squid+cttproxy to work on a bridge? What am I missing?
>
> Something that gives your squid user the CAP_NET_ADMIN capability.

Doesn't this do it (squid 2.6, tools.c)? I added a debug message and it's
printed during init, however I still get the ERROR ASSIGN messages.

    /* needs <sys/capability.h> at file top for _LINUX_CAPABILITY_VERSION,
     * the CAP_* bits and capset() */
    #if LINUX_TPROXY
        if (need_linux_tproxy) {
            /* allocate the structs themselves; sizeof the pointer types
             * (cap_user_header_t / cap_user_data_t) is too small on i386 */
            cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
            cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));

            head->version = _LINUX_CAPABILITY_VERSION;
            head->pid = 0;      /* 0 = the calling process */
            /* only what the proxy needs: transparent proxying, binding to
             * ports below 1024, and broadcast */
            cap->inheritable = cap->permitted = cap->effective =
                (1 << CAP_NET_ADMIN) + (1 << CAP_NET_BIND_SERVICE) + (1 << CAP_NET_BROADCAST);
            if (capset(head, cap) != 0) {
                xfree(head);
                xfree(cap);
                fatal("Error giving up capabilities");
            }
            debug(50, 0) ("Caps set to %x", cap->effective);
            xfree(head);
            xfree(cap);
        }
    #endif
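An added example, not squid's or cttproxy's code, of the two things the capset() in the snippet above depends on: PR_SET_KEEPCAPS has to be set before the uid changes (otherwise the kernel empties the permitted set on setuid and any later capset() can only fail), and the result should be read back from the kernel with capget() or /proc/self/status rather than by printing the value that was written into the struct. Raw capget/capset syscalls are used so libcap is not needed; the uid/gid 65534 used as the stand-in for the squid user and the PROXY_CAPS name are assumptions for the demo.

```c
/*
 * Added example (not squid code): keep CAP_NET_ADMIN & co. across the
 * root -> unprivileged-user transition and verify it from the kernel.
 * Build: cc -Wall -o keepcaps keepcaps.c ; run as root to see the drop.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* The three capabilities the squid snippet asks for (all below bit 32). */
#define PROXY_CAPS ((1u << CAP_NET_ADMIN) | (1u << CAP_NET_BIND_SERVICE) | \
                    (1u << CAP_NET_BROADCAST))

/* Effective set of the calling thread as the kernel reports it (low 32
 * bits, enough for the caps above). Returns 0 on success, -1 with errno. */
int effective_caps(uint32_t *out)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];   /* v3 = two 32-bit words */
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    *out = data[0].effective;
    return 0;
}

/* Parse one "CapEff:\t0000000000001c00" line from /proc/self/status.
 * Returns 0 and fills *mask, or -1 if the line is not a CapEff line. */
int parse_capeff_line(const char *line, uint64_t *mask)
{
    const char *p = line;
    char *end;
    if (strncmp(p, "CapEff:", 7) != 0)
        return -1;
    p += 7;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return -1;
    *mask = v;
    return 0;
}

/* Drop from root to uid/gid while keeping PROXY_CAPS. Must start as root.
 * Returns 0 on success, -1 with errno set. */
int drop_root_keep_caps(uid_t uid, gid_t gid)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];

    /* 1. Without PR_SET_KEEPCAPS the kernel clears the permitted set the
     *    moment the uid becomes non-zero, and any later capset() fails. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0)
        return -1;
    if (setresgid(gid, gid, gid) != 0 || setresuid(uid, uid, uid) != 0)
        return -1;

    /* 2. setuid() cleared the effective set; re-raise only what is needed
     *    and shrink permitted to the same, so a compromised worker cannot
     *    regain anything else. Inheritable stays empty so helpers exec'd
     *    by the proxy do not get CAP_NET_ADMIN. */
    memset(data, 0, sizeof data);
    data[0].permitted = data[0].effective = PROXY_CAPS;
    if (syscall(SYS_capset, &hdr, data) != 0)
        return -1;
    prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
    return 0;
}

int main(void)
{
    uint32_t eff;
    if (getuid() == 0) {
        /* 65534 (nobody/nogroup) stands in for the squid user: assumption */
        if (drop_root_keep_caps(65534, 65534) != 0) {
            perror("drop_root_keep_caps");
            return 1;
        }
    }
    if (effective_caps(&eff) != 0) {
        perror("capget");
        return 1;
    }
    /* Check the kernel's answer, not the value we wrote into the struct. */
    printf("uid=%u effective=0x%08x CAP_NET_ADMIN=%s\n", (unsigned)getuid(), eff,
           (eff & (1u << CAP_NET_ADMIN)) ? "yes" : "no");
    return (eff & (1u << CAP_NET_ADMIN)) ? 0 : 2;
}
```

Run it as root and it exits 0 with CAP_NET_ADMIN=yes under uid 65534; comment out the prctl() call and the setresuid() still succeeds but capset() fails with EPERM, which is the silent failure mode a debug line that merely echoes cap->effective would never show.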
I was looking at the squid error log and at the tproxy source:

in iptable_tproxy.c:

    static int ip_tproxy_setsockopt_assign(struct sock *sk, int proto, struct in_tproxy *itp)
    {
        ...
        if (!sk->rcv_saddr || !sk->sport)
            return -EINVAL;

In the squid log:

    2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
    2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN

and in squid's src/forward.c:

    static void
    fwdConnectStart(void *data)
    {
        ...
        itp.op = TPROXY_ASSIGN;
        if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
            debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
                inet_ntoa(itp.v.addr.faddr), itp.v.addr.faddr.s_addr, itp.v.addr.fport);

It seems squid sends an fport == 0 and tproxy returns -EINVAL. I will look
more into it tomorrow, but in the meantime, does anyone have an idea why?

- Enrico
_______________________________________________ tproxy mailing list tproxy@lists.balabit.hu https://lists.balabit.hu/mailman/listinfo/tproxy
Correction: tproxy seems to return -EINVAL because rcv_saddr is 0, not
sk->sport.

- Enrico
Hi Everyone,

still not working for some reason, but the squid messages are gone: the
rcv_saddr seems to be set to something other than 0.0.0.0 only if an
explicit acl is set in squid.conf, in my case

    acl enri src 10.0.0.0/255.0.0.0
    tcp_outgoing_address 10.0.0.1 enri

This will force the clients from 10.0.0.0/16 to go out as 10.0.0.1, and the
TPROXY_ASSIGN will succeed. I see the answer coming back from the gateway,
but it's still not loading the page however.

- Enrico
> In the squid log:
>
>     2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
>     2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
>
> and in squid's src/forward.c:
>
>     static void
>     fwdConnectStart(void *data)
>     {
>         ...
>         itp.op = TPROXY_ASSIGN;
>         if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
>             debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
>                 inet_ntoa(itp.v.addr.faddr), itp.v.addr.faddr.s_addr, itp.v.addr.fport);

Let it print errno, so we can find out what causes this.

> It seems squid sends an fport == 0 and tproxy returns -EINVAL. I will look
> more into it tomorrow, but in the meantime, does anyone have an idea why?

Supposedly the tproxy init routine is not complete?


On Sep 14 2006 22:27, Enrico Demarin (home) wrote:

> still not working for some reason, but the squid messages are gone:
> the rcv_saddr seems to be set to something other than 0.0.0.0 only if an
> explicit acl is set in squid.conf, in my case
>
>     acl enri src 10.0.0.0/255.0.0.0
>     tcp_outgoing_address 10.0.0.1 enri

You always need tcp_outgoing_address when using tproxy. I would suggest
dropping the 'enri' parts entirely (do it unconditionally):

    tcp_outgoing_address <ip_of_proxy>

Jan Engelhardt
--
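An added example, not squid's or cttproxy's code, showing from user space why tcp_outgoing_address is not optional here: the kernel check quoted earlier in the thread (`if (!sk->rcv_saddr || !sk->sport) return -EINVAL;`) only passes for a socket already bound to a specific local address and a port, which is what tcp_outgoing_address makes squid do before fwdConnectStart() issues TPROXY_ASSIGN. The getsockname() mirror of that check runs on any Linux; the TPROXY_ASSIGN step itself needs the cttproxy kernel patch, and the header path `<linux/netfilter_ipv4/ip_tproxy.h>` is an assumption, so on a stock kernel it is compiled out and reports ENOPROTOOPT. The client address 10.0.0.200 and the two bind addresses are constructed inputs.

```c
/*
 * Added example (not squid or cttproxy code): reproduce the precondition
 * ip_tproxy_setsockopt_assign() enforces, then perform the assign only
 * when it is met. Build: cc -Wall -o assigncheck assigncheck.c
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifdef __has_include
# if __has_include(<linux/netfilter_ipv4/ip_tproxy.h>)   /* assumed location */
#  include <linux/netfilter_ipv4/ip_tproxy.h>
#  define HAVE_CTTPROXY 1
# endif
#endif

/* User-space mirror of `if (!sk->rcv_saddr || !sk->sport) return -EINVAL;`.
 * Returns 1 if fd is bound to a non-wildcard IPv4 address *and* a port,
 * 0 if either is still zero, -1 on error. */
int assign_precondition_ok(int fd)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    memset(&sa, 0, sizeof sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) != 0)
        return -1;
    if (sa.sin_family != AF_INET)
        return -1;
    return (sa.sin_addr.s_addr != htonl(INADDR_ANY) && sa.sin_port != 0) ? 1 : 0;
}

/* Open a TCP socket bound the way squid binds when tcp_outgoing_address is
 * set: a specific local address, port 0 so the kernel picks an ephemeral
 * port (which is what makes sk->sport non-zero). Returns the fd or -1. */
int open_bound_socket(const char *local_ip)
{
    struct sockaddr_in sa;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;
    if (inet_pton(AF_INET, local_ip, &sa.sin_addr) != 1 ||
        bind(fd, (struct sockaddr *)&sa, sizeof sa) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* The TPROXY_ASSIGN call from fwdConnectStart(): make the kernel use
 * client_ip as the source address of fd; fport 0 lets tproxy pick a port.
 * Refuses up front, with the errno the kernel would return, when the
 * binding precondition is not met. */
int tproxy_assign(int fd, const char *client_ip)
{
    if (assign_precondition_ok(fd) != 1) {
        errno = EINVAL;
        return -1;
    }
#ifdef HAVE_CTTPROXY
    struct in_tproxy itp;
    memset(&itp, 0, sizeof itp);
    itp.op = TPROXY_ASSIGN;
    if (inet_pton(AF_INET, client_ip, &itp.v.addr.faddr) != 1)
        return -1;
    itp.v.addr.fport = 0;
    return setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof itp);
#else
    (void)client_ip;
    errno = ENOPROTOOPT;   /* kernel/headers without the cttproxy patch */
    return -1;
#endif
}

int main(void)
{
    /* constructed cases: wildcard bind (no tcp_outgoing_address) vs. a real
     * local address (tcp_outgoing_address 127.0.0.1) */
    const char *cases[] = { "0.0.0.0", "127.0.0.1" };
    for (int i = 0; i < 2; i++) {
        int fd = open_bound_socket(cases[i]);
        if (fd < 0) { perror(cases[i]); return 1; }
        int ok = assign_precondition_ok(fd);
        int rc = tproxy_assign(fd, "10.0.0.200");
        printf("bound to %-9s precondition=%d assign=%d (%s)\n",
               cases[i], ok, rc, rc == 0 ? "ok" : strerror(errno));
        close(fd);
    }
    return 0;
}
```

The wildcard-bound socket has a port but rcv_saddr 0, so the assign is refused with EINVAL exactly as in the squid log above; only the socket bound to a concrete local address gets as far as the setsockopt(). On a cttproxy kernel the loopback address would be replaced by the proxy's real interface address, since that is the address the tproxy table has to see.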
participants (2)
- Enrico Demarin (home)
- Jan Engelhardt