[tproxy] Tproxy + Squid 2.6
Enrico Demarin (home)
enricod at videotron.ca
Fri Sep 15 03:34:40 CEST 2006
Correction: tproxy seems to return -EINVAL because rcv_saddr is 0, not
sk->sport.
- Enrico
Enrico Demarin (home) wrote:
> I was looking at the squid error log and at tproxy source :
>
> in iptable_tproxy.c:
>
> static int
> ip_tproxy_setsockopt_assign(struct sock *sk, int proto, struct in_tproxy *itp)
> {
>     ...
>     if (!sk->rcv_saddr || !sk->sport)
>         return -EINVAL;
>
>
> In the squid log :
>
> 2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
> 2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
>
> and in squid's src/forward.c
>
> static void
> fwdConnectStart(void *data)
> {
>     ...
>     itp.op = TPROXY_ASSIGN;
>     if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
>         debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
>             inet_ntoa(itp.v.addr.faddr),
>             itp.v.addr.faddr.s_addr,
>             itp.v.addr.fport);
>
> It seems squid sends an fport == 0 and tproxy returns -EINVAL. I will
> look more into it tomorrow, but in the meantime, does anyone have an
> idea why?
>
> - Enrico
>
>
> Enrico Demarin (home) wrote:
>>>> However Squid doesn't seem to be able to spoof the original IP:
>>>
>>> tproxy needs CAP_NET_ADMIN. Which you do not have when running in
>>> unprivileged mode. And running in privileged mode (root) is
>>> inhibited by squid.
>>
>>>> Did anyone get squid+cttproxy to work on a bridge? What am I
>>>> missing?
>>>
>>> Something that gives your squid user the CAP_NET_ADMIN capability.
>>
>> Doesn't this do it (squid 2.6, tools.c)? I added a debug message
>> and it's printed during init; however, I still get the ERROR ASSIGN
>> messages.
>>
>>
>> #if LINUX_TPROXY
>>     if (need_linux_tproxy) {
>>         cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(cap_user_header_t));
>>         cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(cap_user_data_t));
>>
>>         head->version = _LINUX_CAPABILITY_VERSION;
>>         head->pid = 0;
>>         cap->inheritable = cap->permitted = cap->effective =
>>             (1 << CAP_NET_ADMIN) + (1 << CAP_NET_BIND_SERVICE) + (1 << CAP_NET_BROADCAST);
>>
>>         if (capset(head, cap) != 0) {
>>             xfree(head);
>>             xfree(cap);
>>             fatal("Error giving up capabilities");
>>         }
>>         debug(50, 0) ("Caps set to %x", cap->effective);
>>         xfree(head);
>>         xfree(cap);
>>     }
>> #endif
>>
>>
>> _______________________________________________
>> tproxy mailing list
>> tproxy at lists.balabit.hu
>> https://lists.balabit.hu/mailman/listinfo/tproxy
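The capability-dropping step discussed in the quoted thread, as an added example that is not Squid's tools.c nor part of the tproxy patch. It keeps the same three capabilities the quoted snippet keeps (CAP_NET_ADMIN, CAP_NET_BIND_SERVICE, CAP_NET_BROADCAST) but calls capset(2) through the raw syscall with the version-3 capability ABI and with correctly sized structures: the quoted snippet allocates `sizeof(cap_user_header_t)` and `sizeof(cap_user_data_t)`, which are pointer typedefs, so the kernel is handed buffers smaller than `struct __user_cap_header_struct` and `struct __user_cap_data_struct`. The function names below are this example's own, and it assumes a Linux system with `<linux/capability.h>` available.

```c
#define _GNU_SOURCE
/* Added example, not Squid's or tproxy's code: keep only the capabilities a
 * transparent proxy needs while running unprivileged, via capset(2).
 * Assumes Linux; function names (keep_tproxy_caps etc.) are this example's. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>
#include <linux/capability.h>

/* Bit mask of the capabilities kept by the tools.c snippet quoted above. All
 * three numbers are below 32, so they fit in the first data element. */
uint32_t tproxy_cap_mask(void)
{
    return (1u << CAP_NET_ADMIN) | (1u << CAP_NET_BIND_SERVICE) | (1u << CAP_NET_BROADCAST);
}

/* The quoted snippet sizes its buffers with sizeof(cap_user_data_t), a pointer
 * type, while the kernel writes a struct of three u32s through that pointer.
 * Returns 1 when that allocation is smaller than the struct on this platform
 * (the header struct has the same problem on 32-bit targets). */
int posted_data_alloc_too_small(void)
{
    return sizeof(cap_user_data_t) < sizeof(struct __user_cap_data_struct);
}

/* Restrict the calling thread to the tproxy mask using the v3 capability ABI,
 * which takes _LINUX_CAPABILITY_U32S_3 data elements. Returns 0 on success or
 * -errno (-EPERM when the caller lacks the rights to set these sets). */
int keep_tproxy_caps(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];
    uint32_t mask = tproxy_cap_mask();

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;                     /* 0 selects the calling thread */

    /* Only bits 0..31 are used; data[1] (capabilities 32..63) stays zero. */
    data[0].effective = mask;
    data[0].permitted = mask;
    data[0].inheritable = mask;

    if (syscall(SYS_capset, &hdr, data) != 0)
        return -errno;
    return 0;
}

/* Read back the effective set for capabilities 0..31 so the result of
 * keep_tproxy_caps() can be checked. Returns the mask, or -errno on failure. */
int64_t current_effective_caps_low32(void)
{
    struct __user_cap_header_struct hdr;
    struct __user_cap_data_struct data[_LINUX_CAPABILITY_U32S_3];

    memset(&hdr, 0, sizeof hdr);
    memset(data, 0, sizeof data);
    hdr.version = _LINUX_CAPABILITY_VERSION_3;
    hdr.pid = 0;

    if (syscall(SYS_capget, &hdr, data) != 0)
        return -errno;
    return (int64_t) data[0].effective;
}

int main(void)
{
    int rc = keep_tproxy_caps();
    if (rc != 0) {
        fprintf(stderr, "capset failed: %s\n", strerror(-rc));
        return 1;
    }
    printf("effective caps (low 32) now 0x%llx, wanted 0x%x\n",
           (long long) current_effective_caps_low32(), tproxy_cap_mask());
    return 0;
}
```

Run it as root (or from a process that already holds these capabilities) and the printed effective set should equal the wanted mask; run it unprivileged and capset fails with EPERM, which is the same situation the thread describes for a Squid that never obtained CAP_NET_ADMIN in the first place.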