[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13

Ming-Ching Tiew mingching.tiew at redtone.com
Wed Nov 21 04:05:18 CET 2007


After checking the mail archive and doing some testing, I noticed
there are quite a few different versions of the stuff floating around.

Those on the netfilter web site have given me lots of headaches
(kernel version, iptables version and so on), so I figured that I
would dig more deeply into the version on the balabit website, i.e.
tproxy-4.0.3-2.6.22.tgz, since it seems to have only minor
incompatibility with squid.

After installing the patch on a 2.6.22 kernel and compiling
iptables 1.3.8, everything went smoothly. And when testing a
version of squid-2.6.stable13 which had previously been working
with tproxy2 (and I did modprobe iptable_tproxy tproxy_any=1),
I noticed that squid is able to receive the redirected traffic.

It's positive so far!

However, upon checking the traffic, I noticed that the spoofing is not
working, even though the http has been cached by squid.

The squid cache.log says:

tproxy ip=192.168.1.5,0x576e4c0,port=0 ERROR ASSIGN

That would be quite understandable, because the squid binary
has been compiled with (~/src/forward.c):

            /* tproxy2 API: ask the kernel to send from the client's address */
            itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
            itp.v.addr.fport = 0;
            itp.op = TPROXY_ASSIGN;
            if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
                debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
                    inet_ntoa(itp.v.addr.faddr),
                    itp.v.addr.faddr.s_addr,
                    itp.v.addr.fport);
            } else {
                /* assignment accepted: make the spoofed address apply to connect() */
                itp.op = TPROXY_FLAGS;
                itp.v.flags = ITP_CONNECT;
                if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1)
                    debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT\n",
                        itp.v.addr.faddr.s_addr,
                        itp.v.addr.fport);
            }

The tproxy-4.0.3-2.6.22.tgz did not mention how a source should be changed
to use the new tproxy. I did try using IP_FREEBIND (using
#define IP_FREEBIND 15) and the error goes away, but the spoofing has
not been done.

Any suggestion where else I should check to convince squid to use the
new spoofing mechanism?

Best regards.
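The following is an added example, not code from the original post, from squid or from the tproxy patch. It shows the socket-level sequence the tproxy4 design uses in place of the TPROXY_ASSIGN / ITP_CONNECT calls quoted above: set the IP_TRANSPARENT option, then bind() the outgoing socket to the client's address before connect(). It assumes the patched kernel exposes IP_TRANSPARENT under that name with the mainline linux/in.h value 19 (whether the 2.6.22 tproxy4 patch uses the same number is an assumption), that the process holds CAP_NET_ADMIN, and that the kernel-side part (TPROXY iptables target and policy routing for the return traffic) is configured separately; it is not shown here. IP_FREEBIND, which the post tried, only relaxes bind()'s check for a local address, so the example treats it as a different option from the one tproxy4 keys on. The function names and the errno-to-diagnosis mapping are this example's own.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19   /* mainline linux/in.h value; assumed to match the patched 2.6.22 */
#endif
#ifndef SOL_IP
#define SOL_IP IPPROTO_IP
#endif

/* Build the address the outgoing connection should carry as its source.
 * Port 0 leaves the source port to the kernel, as squid's
 * itp.v.addr.fport = 0 did under tproxy2. Returns 0, or -1 on a bad IP. */
int make_foreign_addr(const char *ip, unsigned short port, struct sockaddr_in *sa)
{
    memset(sa, 0, sizeof(*sa));
    sa->sin_family = AF_INET;
    sa->sin_port = htons(port);
    return inet_pton(AF_INET, ip, &sa->sin_addr) == 1 ? 0 : -1;
}

/* Turn the errno from open_spoofed_socket() into the diagnosis that a
 * bare "ERROR ASSIGN" log line does not give. (Example mapping.) */
const char *explain_tproxy_errno(int err)
{
    switch (err) {
    case 0:
        return "ok";
    case ENOPROTOOPT:
        return "IP_TRANSPARENT unknown to this kernel: tproxy4 patch not applied, or option number differs";
    case EPERM:
        return "IP_TRANSPARENT refused: the process lacks CAP_NET_ADMIN";
    case EADDRNOTAVAIL:
        return "bind() to a non-local address refused: IP_TRANSPARENT must be set before bind()";
    case EINVAL:
        return "foreign address is not a valid IPv4 address";
    default:
        return strerror(err);
    }
}

/* tproxy4-style setup: socket -> IP_TRANSPARENT -> bind(client address).
 * A later connect() then leaves with client_ip as the source address,
 * which is what TPROXY_ASSIGN + ITP_CONNECT achieved under tproxy2.
 * Returns 0 and stores the fd, or an errno value (fd already closed). */
int open_spoofed_socket(const char *client_ip, int *fd_out)
{
    struct sockaddr_in faddr;
    int fd, one = 1, err;

    if (make_foreign_addr(client_ip, 0, &faddr) != 0)
        return EINVAL;
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return errno;
    /* Order matters: the option must be on before bind(), otherwise the
     * kernel rejects the foreign address with EADDRNOTAVAIL. */
    if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0 ||
        bind(fd, (struct sockaddr *)&faddr, sizeof(faddr)) < 0) {
        err = errno;
        close(fd);
        return err;
    }
    *fd_out = fd;
    return 0;
}

int main(void)
{
    /* 192.168.1.5 is the client address from the cache.log line above. */
    int fd = -1;
    int err = open_spoofed_socket("192.168.1.5", &fd);

    printf("open_spoofed_socket: %s\n", explain_tproxy_errno(err));
    if (err == 0)
        close(fd);
    return err == 0 ? 0 : 1;
}
```

Run as root (or with CAP_NET_ADMIN) on the patched kernel; on an unpatched kernel the ENOPROTOOPT branch fires, and as an unprivileged user the EPERM branch does, which separates "wrong kernel" from "wrong privileges" before looking at squid at all.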
