[tproxy] Tproxy + squid + Wccp version 2 + FC5 Does it really work

Rajesh Yadav rajesh at icanconnect.com
Mon May 28 08:24:05 CEST 2007


Hello,

I have been struggling for almost a month trying to make tproxy + Squid +
Wccp work for me, but all my effort gives me only "2007/05/28 11:50:30|
tproxy ip=xxx.xxx.xxx.xxx,0x2e11c87a,port=0 ERROR ASSIGN". And I can only
see my squid ip with www.dnsstuff.com & www.tracert.com.

Please can anyone help me with the correct method & steps to make it work
for me?

Regards
Rajesh 

-----Original Message-----
From: tproxy-bounces at lists.balabit.hu
[mailto:tproxy-bounces at lists.balabit.hu] On Behalf Of
tproxy-request at lists.balabit.hu
Sent: Sunday, May 27, 2007 3:30 PM
To: tproxy at lists.balabit.hu
Subject: tproxy Digest, Vol 23, Issue 5


Today's Topics:

   1. Re: The future of tproxy (Jan Engelhardt)
   2. Re: The future of tproxy (Igmar Palsenberg)
   3. Re: The future of tproxy (Jan Engelhardt)
   4. Re: The future of tproxy (Balazs Scheidler)


----------------------------------------------------------------------

Message: 1
Date: Sat, 26 May 2007 21:16:38 +0200 (MEST)
From: Jan Engelhardt <jengelh at linux01.gwdg.de>
Subject: Re: [tproxy] The future of tproxy
To: Balazs Scheidler <bazsi at balabit.hu>
Cc: Nicholas George <nick.george at gmail.com>, tproxy at lists.balabit.hu
Message-ID: <Pine.LNX.4.61.0705262114160.7344 at yvahk01.tjqt.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


On May 26 2007 07:36, Balazs Scheidler wrote:
>> 
>> What are your future plans for TPROXY? I noticed that there's no plan
>> for NAT in ipv6tables, so are you looking to move away from a NAT
>> approach? Are you considering migrating towards Network Channels?
>
>We definitely want to move away from NAT, and we don't plan to migrate
>towards network channels. (at least for now).

But how is one supposed to fake addresses then?
  -- most prominent case: squid


	Jan
-- 


------------------------------

Message: 2
Date: Sat, 26 May 2007 22:32:06 +0200 (CEST)
From: Igmar Palsenberg <maillist at jdimedia.nl>
Subject: Re: [tproxy] The future of tproxy
To: Jan Engelhardt <jengelh at linux01.gwdg.de>
Cc: Balazs Scheidler <bazsi at balabit.hu>,	Nicholas George
	<nick.george at gmail.com>, tproxy at lists.balabit.hu
Message-ID: <Pine.LNX.4.64.0705262231210.30518 at jdi.jdi-ict.nl>
Content-Type: TEXT/PLAIN; charset=US-ASCII; format=flowed


>> We definitely want to move away from NAT, and we don't plan to migrate
>> towards network channels. (at least for now).
>
> But how is one supposed to fake addresses then?

By bind()'ing to the remote address, like the way it was done in the 
Linux 2.2 days.



 	Igmar


------------------------------

Message: 3
Date: Sat, 26 May 2007 22:45:19 +0200 (MEST)
From: Jan Engelhardt <jengelh at linux01.gwdg.de>
Subject: Re: [tproxy] The future of tproxy
To: Igmar Palsenberg <maillist at jdimedia.nl>
Cc: Balazs Scheidler <bazsi at balabit.hu>,	Nicholas George
	<nick.george at gmail.com>, tproxy at lists.balabit.hu
Message-ID: <Pine.LNX.4.61.0705262244270.7344 at yvahk01.tjqt.qr>
Content-Type: TEXT/PLAIN; charset=US-ASCII


On May 26 2007 22:32, Igmar Palsenberg wrote:
>> > We definitely want to move away from NAT, and we don't plan to migrate
>> > towards network channels. (at least for now).
>> 
>> But how is one supposed to fake addresses then?
>
> By bind()'ing to the remote address, like the way it was done in the Linux 2.2
> days.

Yeah but you'd still need a local table that lists tproxied sockets, so
that for an arbitrary incoming packet it can be decided whether it is
to go through the INPUT or FORWARD chain (and subsequently, destination
program/host).


	Jan
-- 


------------------------------

Message: 4
Date: Sun, 27 May 2007 00:19:43 +0200
From: Balazs Scheidler <bazsi at balabit.hu>
Subject: Re: [tproxy] The future of tproxy
To: Jan Engelhardt <jengelh at linux01.gwdg.de>
Cc: Igmar Palsenberg <maillist at jdimedia.nl>,	Nicholas George
	<nick.george at gmail.com>, tproxy at lists.balabit.hu
Message-ID: <1180217983.19697.33.camel at bzorp.balabit>
Content-Type: text/plain

On Sat, 2007-05-26 at 22:45 +0200, Jan Engelhardt wrote:
> On May 26 2007 22:32, Igmar Palsenberg wrote:
> >> > We definitely want to move away from NAT, and we don't plan to migrate
> >> > towards network channels. (at least for now).
> >> 
> >> But how is one supposed to fake addresses then?
> >
> > > By bind()'ing to the remote address, like the way it was done in the Linux 2.2
> > > days.
> 
> Yeah but you'd still need a local table that lists tproxied sockets, so
> that for an arbitrary incoming packet it can be decided whether it is
> to go through the INPUT or FORWARD chain (and subsequently, destination
> program/host).

The local table is the "socket hash". We do a socket lookup early in the
input path and divert the packet to the local IP stack by changing its
dst_entry.

-- 
Bazsi



------------------------------


End of tproxy Digest, Vol 23, Issue 5
*************************************