[tproxy] Squid-2.6 patch
Ming-Ching Tiew
mingching.tiew at redtone.com
Tue Mar 4 05:20:30 CET 2008
Laszlo Attila Toth wrote:
> Hi,
>
> Gonzalo Arana wrote:
>
>> Try the patch located in http://www.squid-cache.org/bugs/show_bug.cgi?id=2129
>> Please note that this is still an unofficial patch. Any feedback about
>> it is much appreciated.
>>
>>
>
> Does the foreign bind work with this patch? I rewrote the patch for
> 2.6-STABLE18 and perhaps I missed something. What I see on the webserver
> is that the squid connects with its own IP address instead of the
> client's address. Config:
> http_port 3128 tproxy
>
> When the new patch works, I will publish it. The changes:
> the --enable-tproxy option is dropped, --enable-linux-netfilter is used
> only. Also both REDIRECT and TPROXY target can be used in this case. If
> the tproxy patch isn't in the kernel, it is ignored in squid.
>
>
Not answering this post specifically; however, I have two
comments on the squid tproxy patch :-

1. To have two different versions of patches and binaries for
squid with tproxy 4.0.x and tproxy 4.1.0 is a nuisance and
administratively unfortunate. It would be great if the patch
could be one, and if there is a way to determine at runtime
whether to pass IP_FREEBIND or IP_TRANSPARENT to
setsockopt, that would be great.

The other way is to adjust the kernel patch for tproxy 4.1.0
to use IP_FREEBIND. But it seems this option has been
explored and the kernel folks disagreed with it though!

2. Removing the NET_ADMIN capability for IP_FREEBIND isn't quite
necessary for :-

(A) that the kernel did not enforce NET_ADMIN for IP_FREEBIND
is probably by "accident" only.

(B) it will have to be restored when doing IP_TRANSPARENT.

So this going back and forth is just, again, administratively
unfortunate.

Regards.
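
One way to make the runtime choice suggested in point 1, as an added example that is not part of the original message or of the Squid patch. It assumes a kernel without IP_TRANSPARENT rejects it with ENOPROTOOPT and a missing capability shows up as EPERM; the names fb_mode, fb_classify and fb_probe are hypothetical.

```c
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Linux option numbers, defined here only if the libc headers lack them. */
#ifndef IP_FREEBIND
#define IP_FREEBIND 15
#endif
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19
#endif

enum fb_mode { FB_TRANSPARENT, FB_FREEBIND, FB_NEED_CAP, FB_NONE };

/* Pure decision step. rc_t/err_t: result and errno of the IP_TRANSPARENT
 * attempt; rc_f: result of the IP_FREEBIND attempt (-1 if not tried). */
enum fb_mode fb_classify(int rc_t, int err_t, int rc_f)
{
    if (rc_t == 0)
        return FB_TRANSPARENT;   /* kernel accepts IP_TRANSPARENT */
    if (err_t == EPERM)
        return FB_NEED_CAP;      /* option known, capability missing: no silent downgrade */
    if (rc_f == 0)
        return FB_FREEBIND;      /* fall back to the other option */
    return FB_NONE;
}

/* Try IP_TRANSPARENT first; try IP_FREEBIND only if the failure was not EPERM. */
enum fb_mode fb_probe(int fd)
{
    int on = 1, rc_f = -1;
    int rc_t = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on));
    int err_t = errno;
    if (rc_t != 0 && err_t != EPERM)
        rc_f = setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &on, sizeof(on));
    return fb_classify(rc_t, err_t, rc_f);
}

int main(void)
{
    static const char *names[] = { "IP_TRANSPARENT", "IP_FREEBIND", "need capability", "unsupported" };
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    printf("foreign bind mode: %s\n", names[fb_probe(fd)]);
    close(fd);
    return 0;
}
```

Reporting the EPERM case separately, instead of falling back, keeps a process that has dropped NET_ADMIN from quietly running with the other option.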