[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13
Laszlo Attila Toth
panther at balabit.hu
Thu Nov 22 10:22:14 CET 2007
Ming-Ching Tiew wrote:
> After checking the mail archive and did some testings, I noticed
> there are quite many different versions of the stuff floating around.
>
> Those in the netfilter web site has given me lots of headaches
> ( kernel version, iptable version and so on ), so I figured that I
> would dig more deeply into the version on balabit website, i.e.
> tproxy-4.0.3-2.6.22.tgz, since it seems to have only minor
> incompatibilities with squid.
>
> After installing the patch to a 2.6.22 kernel and compiling
> iptables 1.3.8, everything went on smoothly. And testing a
> version of squid-2.6.stable13 which had previously been working
> with tproxy2 ( and I did modprobe iptable_tproxy tproxy_any=1 ),
> I noticed that squid is able to receive the redirected traffic.
>
> It's positive so far !
>
> However upon checking the traffic, I noticed that the spoofing is not
> working, even though the http has been cached by squid.
>
> The squid cache.log says :-
>
> tproxy ip=192.168.1.5,0x576e4c0,port=0 ERROR ASSIGN
>
> That would be quite understandable, because the binary for
> squid has been compiled with ( ~/src/forward.c ) :-
>
> itp.v.addr.faddr.s_addr = fwdState->src.sin_addr.s_addr;
> itp.v.addr.fport = 0;
> itp.op = TPROXY_ASSIGN;
> if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1) {
>     debug(20, 1) ("tproxy ip=%s,0x%x,port=%d ERROR ASSIGN\n",
>                   inet_ntoa(itp.v.addr.faddr),
>                   itp.v.addr.faddr.s_addr,
>                   itp.v.addr.fport);
> } else {
>     itp.op = TPROXY_FLAGS;
>     itp.v.flags = ITP_CONNECT;
>     if (setsockopt(fd, SOL_IP, IP_TPROXY, &itp, sizeof(itp)) == -1)
>         debug(20, 1) ("tproxy ip=%x,port=%d ERROR CONNECT\n",
>                       itp.v.addr.faddr.s_addr,
>                       itp.v.addr.fport);
> }
>
> The tproxy-4.0.3-2.6.22.tgz did not mention how a source should be changed
> to use the new tproxy. I did try using IP_FREEBIND ( using
> #define IP_FREEBIND 15 ) and the error goes away, but the spoofing has
> not been done.
Hello,
Basically you don't need that whole code, only the IP_FREEBIND as you
did, plus a bind() call with the address itp.v.addr.faddr.s_addr, port
itp.v.addr.fport.
>
> Any suggestion where else I should check to convince squid to use the
> new spoofing mechanism ?
>
--
Panther
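What the reply describes, as an added example that is not from the thread or from squid's forward.c: set IP_FREEBIND on the upstream socket, then bind() it to the client's address and port (the itp.v.addr.faddr / fport values in the quoted snippet) before connect(). The function names are my own and the code assumes Linux.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#ifndef IP_FREEBIND
#define IP_FREEBIND 15   /* the value the thread uses for older headers */
#endif

/* Added example, not squid code: replaces the tproxy2 TPROXY_ASSIGN /
 * TPROXY_FLAGS pair with IP_FREEBIND + bind() to the client address.
 * client_port 0 lets the kernel pick a port, like fport = 0 in squid.
 * Returns a socket fd, or -1 (errno set) on failure. */
int tproxy_spoof_socket(const char *client_ip, unsigned short client_port)
{
    struct sockaddr_in local;
    int fd, one = 1;
    memset(&local, 0, sizeof(local));
    local.sin_family = AF_INET;
    local.sin_port = htons(client_port);
    if (inet_pton(AF_INET, client_ip, &local.sin_addr) != 1)
        return -1;                      /* not a valid IPv4 address */
    fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd == -1)
        return -1;
    /* IP_FREEBIND: allow bind() to an address this host does not own.
     * IPPROTO_IP is the same level as SOL_IP in the squid snippet. */
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof(one)) == -1 ||
        bind(fd, (struct sockaddr *)&local, sizeof(local)) == -1) {
        close(fd);
        return -1;
    }
    /* connect(fd, origin, ...) now leaves with the client's source address;
     * the tproxy4 iptables/routing setup must steer replies back here. */
    return fd;
}

/* Read back the bound local address so a caller can verify the spoof. */
int tproxy_bound_addr(int fd, char *buf, size_t buflen, unsigned short *port)
{
    struct sockaddr_in sa;
    socklen_t len = sizeof(sa);
    if (getsockname(fd, (struct sockaddr *)&sa, &len) == -1 ||
        !inet_ntop(AF_INET, &sa.sin_addr, buf, buflen))
        return -1;
    *port = ntohs(sa.sin_port);
    return 0;
}
```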