[tproxy] Latest tproxy patch for kernel, iptables and squid
Eduardo Schoedler
eschoedler at viavale.com.br
Thu Dec 4 03:16:43 CET 2008
Hello Balazs!
I've compiled kernel-2.6.26-7 and applied the patch from the site.
# dmesg | grep TPROXY
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
For iptables, I've used the 1.4.0 sources... it's working ok, I guess. =)
But Squid is a little bit strange.
I've compiled 3.HEAD (20081121), which has support for tproxy.
# ./configure --prefix=/opt/squid \
--sysconfdir=/etc/squid \
--with-default-user=squid \
--enable-icmp \
--disable-auth \
--enable-removal-policies="lru,heap" \
--disable-digest-auth-helpers \
--disable-basic-auth-helpers \
--disable-external-acl-helpers \
--disable-ntlm-auth-helpers \
--disable-negotiate-auth-helpers \
--enable-useragent-log \
--enable-cache-digests \
--enable-delay-pools \
--enable-referer-log \
--enable-arp-acl \
--with-large-files \
--with-filedescriptors=16384 \
--enable-storeio=ufs,diskd,aufs \
--enable-linux-netfilter
My squid.conf (like the tproxy readme):
http_port 50080 tproxy transparent
The strange thing is when I'm trying to create swap directories. See:
# ./squid -z
2008/12/03 23:07:10| http(s)_port: TPROXY option requires its own
interception port. It cannot be shared.
FATAL: Bungled squid.conf line 992: http_port 50080 tproxy transparent
Squid Cache (Version 3.HEAD-20081121): Terminated abnormally.
CPU Usage: 0.004 seconds = 0.000 user + 0.004 sys
Maximum Resident Size: 0 KB
Page faults with physical i/o: 0
I don't understand the reason for this problem.
No process is using that port.
What can I do?
Thanks!
Regards,
Eduardo.
--------------------------------------------------
From: "Balazs Scheidler" <bazsi at balabit.hu>
Sent: Wednesday, December 03, 2008 2:49 PM
To: "Eduardo Schoedler" <eschoedler at viavale.com.br>
Cc: <tproxy at lists.balabit.hu>
Subject: Re: [tproxy] Latest tproxy patch for kernel, iptables and squid
> On Thu, 2008-11-27 at 14:24 -0300, Eduardo Schoedler wrote:
>> Hi list.
>>
>> I'm installing a box with Linux and Squid and I'm a little bit confused.
>> First of all, sorry my bad english... I'm brazilian. =)
>
> You don't need to excuse yourself, I'm Hungarian, so I'm not a native
> English speaker either. My Portuguese is way worse than my English (read:
> I couldn't speak a word).
>
>>
>> I need to know where I can find the latest version of:
>> - kernel 2.6.27 (or can I use kernel 2.8.x ?);
>> - iptables 1.4.2;
>> - squid.
>
> The first submission of tproxy is going into 2.6.28, which is at rc7
> right now, so it is not released yet.
>
> There were some fixes, related to UDP proxying, but I guess you don't
> need those if you only want to use squid. Those fixes are queued for
> 2.6.29.
>
> The tproxy bits were integrated in iptables after 1.4.2, so you'll need
> iptables 1.4.3-rc1.
>
> Last I've heard, tproxy support was added to Squid3, checking out the
> changelog shows that squid 3.1.0.1 already has support for it
> (http://squid.cvs.sourceforge.net/viewvc/squid/squid3/ChangeLog?revision=1.16&view=markup)
>
>
>>
>> I have some questions:
>>
>> - Which kernel is better to use in a production box? 2.6.27 or 2.6.28 ?
>
> Well, 2.6.28 is not yet released, although it is at rc7, so it should be
> released in a week or two. Distributions probably will not pick that
> till next year, so you need to compile your kernel manually.
>
> If you want to stick to the earlier kernel, you'd have to backport
> tproxy yourself, as the last out-of-tree release of tproxy was against
> 2.6.26. (http://people.netfilter.org/hidden)
>
>> - Which squid is better to use in a production box? 2.7 or 3.0 ?
>
> I don't know, since I don't use squid.
>
>> - Where can I find documentation to install and configure the tproxy
>> patches?
>
> There's a documentation file on tproxy in the Documentation subdirectory
> of the kernel.
>
> --
> Bazsi
>
>
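The "TPROXY option requires its own interception port" error above is Squid rejecting a single http_port line that carries both the tproxy and the transparent option. As an added example, not part of this thread and not code from the Squid or tproxy projects, the script below gives each interception mode its own http_port and diverts port-80 traffic to the tproxy port with the iptables and iproute2 rules that the kernel's Documentation/networking/tproxy.txt describes (the socket match plus a DIVERT chain, a TPROXY target, and a policy-routing table that delivers marked packets locally). The port numbers 50080/50081, the mark value 1 and routing table 100 are assumptions chosen for the example; the rules need root, a tproxy-enabled kernel and an iptables with the TPROXY target, so by default the script only prints them.

```shell
#!/bin/sh
# Added example, not from the mailing-list post: split Squid's tproxy and
# transparent ports and apply the tproxy.txt divert rules.
# Port numbers, mark and table number below are assumptions for this example.
set -e

TPROXY_PORT=50080      # http_port that gets the tproxy option
INTERCEPT_PORT=50081   # separate http_port for plain NAT interception
MARK=1                 # fwmark used to steer packets to the local stack
TABLE=100              # policy-routing table holding the "local" route

# Squid refuses "tproxy" and "transparent" on the same http_port line,
# so each mode gets its own port.
squid_http_ports() {
    printf 'http_port %s tproxy\n' "$TPROXY_PORT"
    printf 'http_port %s transparent\n' "$INTERCEPT_PORT"
}

# The -m socket match catches packets that already belong to a local
# (transparent) socket and marks them via DIVERT so they are routed to
# Squid instead of being forwarded; new port-80 flows are handed to the
# TPROXY target, which sets the mark and redirects to Squid without NAT.
# Re-running this after DIVERT exists will fail at "-N DIVERT"; flush first.
tproxy_rules() {
    run="$1"   # "" executes the commands, "echo" prints them (dry run)
    $run iptables -t mangle -N DIVERT
    $run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    $run iptables -t mangle -A DIVERT -j ACCEPT
    $run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    $run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$TPROXY_PORT"
    # Marked packets are looked up in TABLE, whose only route is "local",
    # so they reach the tproxy socket even though the dst address is not ours.
    $run ip rule add fwmark "$MARK" lookup "$TABLE"
    $run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Usage: sh tproxy-setup.sh         prints the squid.conf lines and the rules
#        sh tproxy-setup.sh apply   executes the rules (needs root)
case "${1:-}" in
    apply) tproxy_rules "" ;;
    *)     squid_http_ports; tproxy_rules "echo" ;;
esac
```

The squid.conf lines printed by squid_http_ports replace the single shared line; the iptables TPROXY rule must point --on-port at the port that carries the tproxy option, not at the transparent one.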