[tproxy] Tproxy + Squid 2.6

Enrico Demarin (home) enricod at videotron.ca
Fri Sep 15 04:27:03 CEST 2006


Hi Everyone,

still not working for some reason but the squid messages are gone :

the rcv_saddr seems to be set to something other than 0.0.0.0 only if an 
explicit acl is set in squid.conf, in my case

acl enri src 10.0.0.0/255.0.0.0
tcp_outgoing_address 10.0.0.1 enri

this will force the clients from 10.0.0.0/16 to go out as 10.0.0.1, and 
the TPROXY_ASSIGN will succeed

I see the answer coming back from the gateway but it's still not loading 
the page however.

- Enrico



Enrico Demarin (home) wrote:
> Correction, tproxy seems to return -EINVAL because rcv_saddr is 0, not 
> sk->sport
>
>
> - Enrico
>
> Enrico Demarin (home) wrote:
>> I was looking at the squid error log and at tproxy source :
>>
>> in iptable_tproxy_c:
>>
>> static int
>> ip_tproxy_setsockopt_assign(struct sock *sk, int proto, struct in_tproxy *itp)
>> {
>> ...
>>        if (!sk->rcv_saddr || !sk->sport)
>>                return -EINVAL;
>>
>>
>> In the squid log :
>>
>> 2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
>> 2006/09/15 00:09:14| tproxy ip=10.0.0.200,0xc800000a,port=0 ERROR ASSIGN
>>
>> and in squid's src/forward.c
>>
>> static void
>> fwdConnectStart(void *data)
>> {
>> ...
>>            itp.op = TPROXY_ASSIGN;
>>            if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
>>                debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
>>                    inet_ntoa(itp.v.addr.faddr),
>>                    itp.v.addr.faddr.s_addr,
>>                    itp.v.addr.fport);
>>
>> It seems squid sends a ftport == 0 and tproxy returns -EINVAL. I will 
>> look more into it tomorrow but in the mean time, does anyone have an 
>> idea why ?
>>
>> -  Enrico
>>
>>
>> Enrico Demarin (home) wrote:
>>>>> However Squid doesn't seem to be able to spoof the original IP:
>>>>
>>>> tproxy needs CAP_NET_ADMIN. Which you do not have when running in 
>>>> unprivileged mode. And running in privileged mode (root) is 
>>>> inhibited by squid.
>>>
>>>>> Did anyone get squid+cttproxy to work on a bridge ? What am I 
>>>>> missing ?
>>>>
>>>> Something that gives your squid user the CAP_NET_ADMIN capability.
>>>
>>> Doesn't this do it (squid 2.6, tools.c)? I added a debug message 
>>> and it's printed during init, however I still get the ERROR ASSIGN 
>>> messages.
>>>
>>>
>>> #if LINUX_TPROXY
>>>    if (need_linux_tproxy) {
>>>        cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(cap_user_header_t));
>>>        cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(cap_user_data_t));
>>>
>>>        head->version = _LINUX_CAPABILITY_VERSION;
>>>        head->pid = 0;
>>>        cap->inheritable = cap->permitted = cap->effective =
>>>            (1 << CAP_NET_ADMIN) + (1 << CAP_NET_BIND_SERVICE) + (1 << CAP_NET_BROADCAST);
>>>
>>>        if (capset(head, cap) != 0) {
>>>            xfree(head);
>>>            xfree(cap);
>>>            fatal("Error giving up capabilities");
>>>        }
>>>        debug(50,0) ("Caps set to %x",cap->effective);
>>>        xfree(head);
>>>        xfree(cap);
>>>    }
>>> #endif
>>>
>>>
>>> _______________________________________________
>>> tproxy mailing list
>>> tproxy at lists.balabit.hu
>>> https://lists.balabit.hu/mailman/listinfo/tproxy


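The thread's finding is that the kernel-side check quoted above (`if (!sk->rcv_saddr || !sk->sport) return -EINVAL;`) rejects the assign as long as Squid's outgoing socket is bound to 0.0.0.0, and that an explicit tcp_outgoing_address is what makes rcv_saddr non-zero. The following program is an added example, not code from this thread, from the tproxy patch or from Squid: it binds ordinary TCP sockets three ways (not bound at all, bound to 0.0.0.0, bound to a specific local address) and reads back with getsockname() the same two values the kernel check inspects, printing them in the shape of Squid's "tproxy ip=%s,0x%x,port=%d" debug line. It needs no privileges and no tproxy module; it assumes a Linux host with a loopback interface, and uses 127.0.0.1 as a stand-in for the 10.0.0.1 outgoing address in the poster's setup.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* What a bound TCP socket carries, as seen from userspace via getsockname().
   These correspond to the sk->rcv_saddr / sk->sport fields tested by the
   quoted ip_tproxy_setsockopt_assign() check; both are in network byte order. */
struct local_binding {
    uint32_t rcv_saddr;   /* local address; 0 when unbound or bound to 0.0.0.0 */
    uint16_t sport;       /* local port; 0 until bind() has assigned one */
};

/* Create a TCP socket, optionally bind it to local_ip:port (local_ip == NULL
   means "do not bind at all"; port 0 lets the kernel pick an ephemeral port),
   and record what the socket now carries. Returns 0 on success, -1 on error. */
int probe_local_binding(const char *local_ip, uint16_t port, struct local_binding *out)
{
    struct sockaddr_in sin;
    socklen_t len = sizeof(sin);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    if (local_ip != NULL) {
        memset(&sin, 0, sizeof(sin));
        sin.sin_family = AF_INET;
        sin.sin_port = htons(port);
        if (inet_pton(AF_INET, local_ip, &sin.sin_addr) != 1 ||
            bind(fd, (struct sockaddr *)&sin, sizeof(sin)) < 0) {
            close(fd);
            return -1;
        }
    }
    memset(&sin, 0, sizeof(sin));
    if (getsockname(fd, (struct sockaddr *)&sin, &len) < 0) {
        close(fd);
        return -1;
    }
    close(fd);
    out->rcv_saddr = sin.sin_addr.s_addr;
    out->sport = sin.sin_port;
    return 0;
}

/* The userspace mirror of the quoted kernel line:
   if (!sk->rcv_saddr || !sk->sport) return -EINVAL;
   Returns 1 when TPROXY_ASSIGN's precondition is met, 0 when it would get -EINVAL. */
int tproxy_assign_would_pass(const struct local_binding *b)
{
    return b->rcv_saddr != 0 && b->sport != 0;
}

/* Print in the same shape as Squid's debug line. Like Squid, the raw s_addr is
   printed with %x, so 10.0.0.200 shows as 0xc800000a on a little-endian host
   (the bytes of the network-order address read as a host-order integer). */
void print_binding(const char *label, const struct local_binding *b)
{
    struct in_addr a;
    a.s_addr = b->rcv_saddr;
    printf("%-22s ip=%s,0x%x,port=%d -> %s\n", label, inet_ntoa(a),
           (unsigned)b->rcv_saddr, ntohs(b->sport),
           tproxy_assign_would_pass(b) ? "ASSIGN precondition met" : "would get -EINVAL");
}

int main(void)
{
    struct local_binding b;
    /* Unbound socket: both fields are 0, matching the "port=0" in the quoted log. */
    if (probe_local_binding(NULL, 0, &b) == 0)
        print_binding("not bound:", &b);
    /* Bound to the wildcard address: a port is assigned but rcv_saddr stays 0. */
    if (probe_local_binding("0.0.0.0", 0, &b) == 0)
        print_binding("bound to 0.0.0.0:", &b);
    /* Bound to a specific local address (what tcp_outgoing_address forces):
       both fields are non-zero and the kernel check is satisfied. */
    if (probe_local_binding("127.0.0.1", 0, &b) == 0)
        print_binding("bound to 127.0.0.1:", &b);
    return 0;
}
```

The middle case is the one the thread ran into: binding to the wildcard address does hand out a local port, but leaves rcv_saddr at 0, so the assign is refused regardless of capabilities. A bind to a concrete local address before the setsockopt, which is what the acl plus tcp_outgoing_address achieves in squid.conf, is what satisfies the check.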
