[tproxy] Tproxy + Squid 2.6
Enrico Demarin (home)
enricod at videotron.ca
Fri Sep 15 02:18:53 CEST 2006
I was looking at the squid error log and at the tproxy source:

in iptable_tproxy.c:

    static int
    ip_tproxy_setsockopt_assign(struct sock *sk, int proto, struct in_tproxy *itp)
    {
        ...
        if (!sk->rcv_saddr || !sk->sport)
            return -EINVAL;
In the squid log:

    2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
    2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
and in squid's src/forward.c:

    static void
    fwdConnectStart(void *data)
    {
        ...
        itp.op = TPROXY_ASSIGN;
        if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
            debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
                inet_ntoa(itp.v.addr.faddr),
                itp.v.addr.faddr.s_addr,
                itp.v.addr.fport);
It seems squid sends an fport == 0 and tproxy returns -EINVAL. I will
look more into it tomorrow, but in the meantime, does anyone have an
idea why?
- Enrico
Enrico Demarin (home) wrote:
>>> However Squid doesn't seem to be able to spoof the original IP:
>>
>> tproxy needs CAP_NET_ADMIN. Which you do not have when running in
>> unprivileged mode. And running in privileged mode (root) is inhibited
>> by squid.
>>
>>> Did anyone get squid+cttproxy to work on a bridge? What am I missing?
>>
>> Something that gives your squid user the CAP_NET_ADMIN capability.
>
> Doesn't this do it (squid 2.6, tools.c)? I added a debug message
> and it's printed during init, however I still get the ERROR ASSIGN
> messages.
>
>
> #if LINUX_TPROXY
>     if (need_linux_tproxy) {
>         /* cap_user_header_t / cap_user_data_t are pointer typedefs, so
>          * allocate the pointed-to structs, not the size of a pointer */
>         cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
>         cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));
>
>         head->version = _LINUX_CAPABILITY_VERSION;
>         head->pid = 0;    /* 0 = the calling process */
>         cap->inheritable = cap->permitted = cap->effective =
>             (1 << CAP_NET_ADMIN) | (1 << CAP_NET_BIND_SERVICE) | (1 << CAP_NET_BROADCAST);
>
>         if (capset(head, cap) != 0) {
>             xfree(head);
>             xfree(cap);
>             fatal("Error giving up capabilities");
>         }
>         debug(50, 0) ("Caps set to %x\n", cap->effective);
>         xfree(head);
>         xfree(cap);
>     }
> #endif
>
>
> _______________________________________________
> tproxy mailing list
> tproxy at lists.balabit.hu
> https://lists.balabit.hu/mailman/listinfo/tproxy
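The thread turns on two separate preconditions that both have to hold before the TPROXY_ASSIGN setsockopt can succeed: the calling process must hold CAP_NET_ADMIN in its effective set, and (per the kernel check quoted from iptable_tproxy.c) the socket must already be bound to a specific local address and a nonzero local port. The following is an added, constructed example, not code from squid, from the cttproxy patch, or from anyone in this thread. It checks both conditions from user space without issuing the tproxy setsockopt at all: the capability query uses the raw capget(2) syscall with the v3 header (an assumption that it runs on Linux; elsewhere it reports "unknown"), and the bind check uses getsockname() to see what the kernel would see in sk->rcv_saddr and sk->sport. The socket helper, the function names and the 127.0.0.1 ephemeral bind are all this example's own choices.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <netinet/in.h>
#include <sys/socket.h>
#ifdef __linux__
#include <sys/syscall.h>
#include <linux/capability.h>
long syscall(long, ...);   /* same prototype as glibc's; harmless if already declared */
#endif

/* Fallback numbering for non-Linux builds; these are the Linux values. */
#ifndef CAP_NET_ADMIN
#define CAP_NET_BIND_SERVICE 10
#define CAP_NET_BROADCAST    11
#define CAP_NET_ADMIN        12
#endif

/* The same three-capability mask the quoted squid tools.c builds.  The bits
 * are distinct, so '+' and '|' give the same value; '|' is the idiom. */
uint32_t tproxy_cap_mask(void)
{
    return (1u << CAP_NET_ADMIN) | (1u << CAP_NET_BIND_SERVICE) |
           (1u << CAP_NET_BROADCAST);
}

int mask_has_cap(uint32_t mask, int cap)
{
    return (int)((mask >> cap) & 1u);
}

/* Precondition 1: is CAP_NET_ADMIN in this process's effective set?
 * Raw capget(2) so no libcap is needed.  1 = yes, 0 = no, -1 = unknown. */
int have_net_admin(void)
{
#ifdef __linux__
    struct __user_cap_header_struct head = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    memset(data, 0, sizeof(data));
    if (syscall(SYS_capget, &head, data) != 0)
        return -1;
    return mask_has_cap(data[0].effective, CAP_NET_ADMIN); /* cap 12 is in word 0 */
#else
    return -1;
#endif
}

/* Precondition 2, mirroring the kernel test quoted from iptable_tproxy.c:
 * the socket must be bound to a specific local address and a nonzero port,
 * or the ASSIGN fails with -EINVAL.  0 = satisfied, -EINVAL = not, -errno on error. */
int tproxy_assign_precheck(int fd)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    memset(&sin, 0, sizeof(sin));
    if (getsockname(fd, (struct sockaddr *)&sin, &len) != 0)
        return -errno;
    if (sin.sin_addr.s_addr == htonl(INADDR_ANY) || sin.sin_port == 0)
        return -EINVAL;
    return 0;
}

/* Constructed demo: a TCP socket, optionally bound to 127.0.0.1 with a
 * kernel-chosen port, run through the precheck.  Returns the precheck result. */
int precheck_result(int bind_loopback)
{
    int rc, fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
    if (bind_loopback) {
        struct sockaddr_in sin;
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
        sin.sin_port = 0;                 /* kernel assigns an ephemeral port at bind */
        if (bind(fd, (struct sockaddr *)&sin, sizeof(sin)) != 0) {
            rc = -errno;
            close(fd);
            return rc;
        }
    }
    rc = tproxy_assign_precheck(fd);
    close(fd);
    return rc;
}

int main(void)
{
    printf("CAP_NET_ADMIN effective: %d (1 = yes, 0 = no, -1 = unknown)\n", have_net_admin());
    printf("unbound socket precheck: %d (-EINVAL is %d)\n", precheck_result(0), -EINVAL);
    printf("bound socket precheck:   %d\n", precheck_result(1));
    return 0;
}
```

Run as the squid user to see precondition 1 as the process actually experiences it; precondition 2 is what the quoted ERROR ASSIGN lines with port=0 point at, and it is independent of capabilities, so a process can satisfy one and still fail on the other.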