[tproxy] Squid-2.6 patch (was: Re: Squid with tproxy extra brief FAQ - take 2)

Gonzalo Arana gonzalo.arana at gmail.com
Mon Mar 3 16:49:33 CET 2008


On Mon, Mar 3, 2008 at 12:33 PM, Laszlo Attila Toth <panther at balabit.hu> wrote:
> Hi,
>  Gonzalo Arana wrote:
>  >
>  > Try the patch located in http://www.squid-cache.org/bugs/show_bug.cgi?id=2129
>  > Please, note that this is still unofficial path.  Any feedback about
>  > it is much appreciated.
>  >
>  Does the foreign bind work with this patch? I rewrote the patch for

Indeed.  I believe it is called freebind.

>  2.6-STABLE18 and perhaps I missed something. What I see on the webserver
>  is that the squid connects with its own IP address instead of the
>  client's address. Config:
>  http_port 3128 tproxy

Odd.  My patch requires that comm_fdopenex be called with
COMM_FREEBIND, so that setsockopt(fd, SOL_IP, IP_FREEBIND, &on, ...)
is called before bind(2) is.

In my patch:
1) "http_port XXX tproxy" implies that http_port_list->tproxy is set
(in clientHttpConnectionsOpen), and that COMM_FREEBIND is passed to
2) fwdConnectStart calls comm_openex(...) with COMM_FREEBIND set if
the request is received through a 'tproxy' squid socket.
3) (not patched by me) clientTryParseRequest copies tproxy flag from
passive socket to the request.

Perhaps strace may shed some light to this (ioctl should be called before bind).

>  When the new patch will work, I publish it. The changes:
>  the --enable-tproxy option is dropped, --enable-linux-netfilter is used
>  only. Also both REDIRECT and TPROXY target can be used in this case. If
>  the tproxy patch isn't in the kernel, it is ignored in squid.


Gonzalo A. Arana

More information about the tproxy mailing list