Dear Laszlo,
Just a little confused with your statement (below) on the squid 3.1 wiki - does that mean that TPROXY in 3.1 is non usable yet?
--- from squid wiki - Feature: TPROXY Update
"It is not yet finished, the squid proxy doesn't bind to the client's address. Furthermore I think it would be better to have a different option for this, and "tproxy" wouldn't imply this."
Regards, Anton.
Hello, Anton wrote:
Dear Laszlo,
Just a little confused with your statement (below) on the squid 3.1 wiki - does that mean that TPROXY in 3.1 is non usable yet?
--- from squid wiki - Feature: TPROXY Update
"It is not yet finished, the squid proxy doesn't bind to the client's address. Furthermore I think it would be better to have a different option for this, and "tproxy" wouldn't imply this."
When I wrote this email, I tried to create a patch for squid-2.6-STABLE18 with the mentioned results, also it is still not (fully) working. But Squid-3.1 works well with TProxy 4.1 and this code is part of the official squid-3.1 code.
Laszlo
Hi Laszlo! Just a little question, regarding the partly working TPROXY in SQUID 3.1 (Surely you have seen my post in squid-dev with my results), do you think that the following is solely SQUID problem, or it might be TPROXY problem?
2008/05/20 21:25:47| IPInterception.cc(169) NetfilterTransparent: NF getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/05/20 21:25:53| commBind: Cannot bind socket FD 35 to 192.168.1.177:3976: (98) Address already in use
2008/05/20 21:25:53| comm.cc(994) commResetFD: bind: (98) Address already in use
2008/05/20 21:25:59| commBind: Cannot bind socket FD 31 to 192.168.1.177:3977: (98) Address already in use
2008/05/20 21:25:59| comm.cc(994) commResetFD: bind: (98) Address already in use
On Friday 16 May 2008 14:07, Laszlo Attila Toth wrote:
Hello,
Anton wrote:
Dear Laszlo,
Just a little confused with your statement (below) on the squid 3.1 wiki - does that mean that TPROXY in 3.1 is non usable yet?
--- from squid wiki - Feature: TPROXY Update
"It is not yet finished, the squid proxy doesn't bind to the client's address. Furthermore I think it would be better to have a different option for this, and "tproxy" wouldn't imply this."
When I wrote this email, I tried to create a patch for squid-2.6-STABLE18 with the mentioned results, also it is still not (fully) working.
But Squid-3.1 works well with TProxy 4.1 and this code is part of the official squid-3.1 code.
Laszlo
Hello, It seems that the kernel doesn't support IP_TRANSPARENT socket option. But if you use the tproxy 4.1 patch, it can't happen. ( ?? )
Anton wrote:
Hi Laszlo!
Just a little question, regarding the partly working TPROXY in SQUID 3.1 (Surely you have seen my post in squid-dev with my results), do you think that the following is solely SQUID problem, or it might be TPROXY problem?
2008/05/20 21:25:47| IPInterception.cc(169) NetfilterTransparent: NF getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/05/20 21:25:53| commBind: Cannot bind socket FD 35 to 192.168.1.177:3976: (98) Address already in use
2008/05/20 21:25:53| comm.cc(994) commResetFD: bind: (98) Address already in use
2008/05/20 21:25:59| commBind: Cannot bind socket FD 31 to 192.168.1.177:3977: (98) Address already in use
2008/05/20 21:25:59| comm.cc(994) commResetFD: bind: (98) Address already in use
On Friday 16 May 2008 14:07, Laszlo Attila Toth wrote:
Hello,
Anton wrote:
Dear Laszlo,
Just a little confused with your statement (below) on the squid 3.1 wiki - does that mean that TPROXY in 3.1 is non usable yet?
--- from squid wiki - Feature: TPROXY Update
"It is not yet finished, the squid proxy doesn't bind to the client's address. Furthermore I think it would be better to have a different option for this, and "tproxy" wouldn't imply this."
When I wrote this email, I tried to create a patch for squid-2.6-STABLE18 with the mentioned results, also it is still not (fully) working.
But Squid-3.1 works well with TProxy 4.1 and this code is part of the official squid-3.1 code.
Laszlo
But it's a 4.1 patch for 2.6.24 kernel and the installation partially working and I'm getting this complaint once in a dozen of requests. - maybe once in 20, sometimes 50 or 100 requests. - the rest are ok and transparently handled by TPROXY and SQUID.
On Wednesday 21 May 2008 16:28, Laszlo Attila Toth wrote:
Hello,
It seems that the kernel doesn't support IP_TRANSPARENT socket option. But if you use the tproxy 4.1 patch, it can't happen. ( ?? )
Anton wrote:
Hi Laszlo!
Just a little question, regarding the partly working TPROXY in SQUID 3.1 (Surely you have seen my post in squid-dev with my results), do you think that the following is solely SQUID problem, or it might be TPROXY problem?
2008/05/20 21:25:47| IPInterception.cc(169) NetfilterTransparent: NF getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/05/20 21:25:53| commBind: Cannot bind socket FD 35 to 192.168.1.177:3976: (98) Address already in use
2008/05/20 21:25:53| comm.cc(994) commResetFD: bind: (98) Address already in use
2008/05/20 21:25:59| commBind: Cannot bind socket FD 31 to 192.168.1.177:3977: (98) Address already in use
2008/05/20 21:25:59| comm.cc(994) commResetFD: bind: (98) Address already in use
On Friday 16 May 2008 14:07, Laszlo Attila Toth wrote:
Hello,
Anton wrote:
Dear Laszlo,
Just a little confused with your statement (below) on the squid 3.1 wiki - does that mean that TPROXY in 3.1 is non usable yet?
--- from squid wiki - Feature: TPROXY Update
"It is not yet finished, the squid proxy doesn't bind to the client's address. Furthermore I think it would be better to have a different option for this, and "tproxy" wouldn't imply this."
When I wrote this email, I tried to create a patch for squid-2.6-STABLE18 with the mentioned results, also it is still not (fully) working.
But Squid-3.1 works well with TProxy 4.1 and this code is part of the official squid-3.1 code.
Laszlo
Any thoughts?
2008/5/21 Anton <anton.vazir@gmail.com>:
But it's a 4.1 patch for 2.6.24 kernel and the installation partially working and I'm getting this complaint once in a dozen of requests. - maybe once in 20, sometimes 50 or 100 requests. - the rest are ok and transparently handled by TPROXY and SQUID.
Anton VG wrote:
Any thoughts?
I fixed it. The getsockopt() wasn't implemented for IP_TRANSPARENT socket option and you used more verbose debug messages in squid, this is why I didn't understand it. Sorry. You can download it: http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.24-20080602-... The last, 17th patch is enough to be applied to your last kernel source.
2008/5/21 Anton <anton.vazir@gmail.com>:
But it's a 4.1 patch for 2.6.24 kernel and the installation partially working and I'm getting this complaint once in a dozen of requests. - maybe once in 20, sometimes 50 or 100 requests. - the rest are ok and transparently handled by TPROXY and SQUID.
-- Panther
Great! Will do the tests again! Btw, while trying to use 2.6.25 kernel, TPROXY patched, I'm experiencing a _silent_ system hang (no any kernel msg, just hang) after a while of operation - 3~4 hours. I have no idea, if this HW dependent, since it's a regular good P4 PC, but which work reliably (last uptime until kernel change reboot was 180 days, with cttproxy2). It may behave the same even with unpatched 2.6.25 - but since it's a production PC - I can't just experiment on it. 2.6.24 - works with no such issues on the same PC
On Tuesday 03 June 2008 11:14, Laszlo Attila Toth wrote:
Anton VG wrote:
Any thoughts?
I fixed it. The getsockopt() wasn't implemented for IP_TRANSPARENT socket option and you used more verbose debug messages in squid, this is why I didn't understand it. Sorry.
You can download it:
http://www.balabit.com/downloads/files/tproxy/tproxy-kernel-2.6.24-20080602-165651-1212418611.tar.bz2
The last, 17th patch is enough to be applied to your last kernel source.
2008/5/21 Anton <anton.vazir@gmail.com>:
But it's a 4.1 patch for 2.6.24 kernel and the installation partially working and I'm getting this complaint once in a dozen of requests. - maybe once in 20, sometimes 50 or 100 requests. - the rest are ok and transparently handled by TPROXY and SQUID.
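Added example, not part of any poster's message and not Squid's own code: a triage pass over the cache.log lines quoted in this thread that separates the errno 92 getsockopt(IP_TRANSPARENT) failure, which Laszlo traced to the kernel patch, from the errno 98 bind failures, and groups the latter by address. The function name `triage`, the report keys and the errno-name table (Linux numbering) are assumptions of this example; the sample lines are copied from the thread.

```python
import re
from collections import defaultdict

# Sample input: the cache.log lines quoted in the thread, one per line.
SAMPLE_LOG = """\
2008/05/20 21:25:47| IPInterception.cc(169) NetfilterTransparent: NF getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/05/20 21:25:53| commBind: Cannot bind socket FD 35 to 192.168.1.177:3976: (98) Address already in use
2008/05/20 21:25:53| comm.cc(994) commResetFD: bind: (98) Address already in use
2008/05/20 21:25:59| commBind: Cannot bind socket FD 31 to 192.168.1.177:3977: (98) Address already in use
2008/05/20 21:25:59| comm.cc(994) commResetFD: bind: (98) Address already in use
"""

# Linux errno numbers that appear in the thread (assumption: Linux numbering).
LINUX_ERRNO = {92: "ENOPROTOOPT", 98: "EADDRINUSE"}

# timestamp| [file.cc(line)] function: message: (errno) strerror
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})\|\s+"
    r"(?:(?P<src>[\w.]+\(\d+\))\s+)?"
    r"(?P<func>\w+):\s+(?P<msg>.*?):\s+\((?P<errno>\d+)\)\s+(?P<text>.+)$"
)
BIND_RE = re.compile(r"Cannot bind socket FD (\d+) to ([\d.]+):(\d+)")

def triage(log_text):
    """Group errno-bearing cache.log lines by failure class."""
    report = {"no_ip_transparent_getsockopt": [],   # timestamps of errno 92
              "bind_conflicts": defaultdict(list),   # address -> ports, errno 98
              "by_errno": defaultdict(int),
              "unparsed": []}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            report["unparsed"].append(line)
            continue
        code = int(m["errno"])
        report["by_errno"][LINUX_ERRNO.get(code, str(code))] += 1
        if code == 92 and "IP_TRANSPARENT" in m["msg"]:
            report["no_ip_transparent_getsockopt"].append(m["ts"])
        bind = BIND_RE.search(m["msg"])
        if code == 98 and bind:
            report["bind_conflicts"][bind.group(2)].append(int(bind.group(3)))
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```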
participants (3): Anton, Anton VG, Laszlo Attila Toth