[tproxy] Protocol not available

Balazs Scheidler bazsi at balabit.hu
Mon Aug 18 09:15:11 CEST 2008


On Sun, 2008-08-17 at 18:28 +0200, Aleksandar Nasuovski wrote:
> I used the manual
> 
> http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS?highlight=%28centos%29%7C%285%5C.2%29
>
> CentOS 5.2
> kernel 2.6.25.11
> tproxy-kernel-2.6.25-20080519-165031-1211208631.patch
> tproxy-iptables-1.4.0
> tproxy-iptables-1.4.0-20080521-113954-1211362794.patch
> Squid3-HEAD
>
> iptables -t mangle -N DIVERT
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0xffffffff
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
> 
> I didn’t have any problems with installation or compiling.
>
> I didn’t use WCCP.
>
> I manually set the proxy IP in the browser
>
> And got the address
> 
> ERROR:
> 
> IPInterception.cc(171) NetfilterTransparent:  NF
> getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
> 

ENOPROTOOPT is returned in case tproxy wasn't compiled into the kernel.
Are you sure you have properly patched and booted the patched kernel?

It is not even conditionally compiled in. This is the hunk that
implements ENOPROTOOPT:

diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index d6e76f5..871334d 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -420,7 +420,7 @@ static int do_ip_setsockopt(struct sock *sk, int level,
                             (1<<IP_TTL) | (1<<IP_HDRINCL) |
                             (1<<IP_MTU_DISCOVER) | (1<<IP_RECVERR) |
                             (1<<IP_ROUTER_ALERT) | (1<<IP_FREEBIND) |
-                            (1<<IP_PASSSEC))) ||
+                            (1<<IP_PASSSEC) | (1<<IP_TRANSPARENT))) ||
            optname == IP_MULTICAST_TTL ||
            optname == IP_MULTICAST_LOOP) {
                if (optlen >= sizeof(int)) {
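Review bot: the added `(1<<IP_TRANSPARENT)` in the option mask creates an undocumented dependency, because the `case IP_TRANSPARENT` in the next hunk reads `val`, and `val` is filled in by the branch this mask guards (`if (optlen >= sizeof(int)) {`). A one-line comment at either place would make it obvious that dropping the option from the mask silently breaks the case, since `inet->transparent = !!val` would then act on an unset value.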
@@ -879,6 +879,16 @@ static int do_ip_setsockopt(struct sock *sk, int level,
                err = xfrm_user_policy(sk, optname, optval, optlen);
                break;
 
+       case IP_TRANSPARENT:
+               if (!capable(CAP_NET_ADMIN)) {
+                       err = -EPERM;
+                       break;
+               }
+               if (optlen < 1)
+                       goto e_inval;
+               inet->transparent = !!val;
+               break;
+
        default:
                err = -ENOPROTOOPT;
                break;


Please double check that you have this code in your kernel.

-- 
Bazsi
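
A user-space way to run the check suggested above, as an added example that is not part of the original message or of the tproxy patch: it probes the running kernel for IP_TRANSPARENT and separates "not in the kernel" (ENOPROTOOPT) from "present, but the caller lacks CAP_NET_ADMIN" (EPERM). The enum and function names are hypothetical; the fallback value 19 is the mainline Linux definition and is an assumption for older patched kernels.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19 /* mainline Linux value; assumed for patched kernels */
#endif

/* Hypothetical names, introduced for this example only. */
enum tproxy_state { TPROXY_OK, TPROXY_NO_KERNEL_SUPPORT,
                    TPROXY_NO_PRIVILEGE, TPROXY_OTHER_ERROR };

/* Map the errno of a get/setsockopt(IP_TRANSPARENT) call to a diagnosis. */
enum tproxy_state classify_errno(int err)
{
    switch (err) {
    case 0:           return TPROXY_OK;
    case ENOPROTOOPT: return TPROXY_NO_KERNEL_SUPPORT; /* fell to "default:" */
    case EPERM:       return TPROXY_NO_PRIVILEGE;      /* no CAP_NET_ADMIN */
    default:          return TPROXY_OTHER_ERROR;
    }
}

/* Read the option first (no privilege needed), then try to enable it. */
enum tproxy_state probe_ip_transparent(int *err_out)
{
    int val = 0, one = 1;
    socklen_t len = sizeof(val);
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    *err_out = 0;
    if (fd < 0) { *err_out = errno; return TPROXY_OTHER_ERROR; }
    if (getsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &val, &len) < 0 ||
        setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0)
        *err_out = errno; /* saved before close() can overwrite it */
    close(fd);
    return classify_errno(*err_out);
}

int main(void)
{
    static const char *msg[] = { "supported and settable",
        "kernel lacks IP_TRANSPARENT (ENOPROTOOPT)",
        "supported, but caller lacks CAP_NET_ADMIN (EPERM)", "other error" };
    int err;
    enum tproxy_state s = probe_ip_transparent(&err);
    printf("IP_TRANSPARENT: %s (errno %d)\n", msg[s], err);
    return s == TPROXY_OK ? 0 : 1;
}
```

Run it on the proxy host after booting the patched kernel: ENOPROTOOPT as root means the running kernel is not the patched one.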


