[tproxy] Squid-2.6 patch
Laszlo Attila Toth
panther at balabit.hu
Tue Mar 4 10:02:12 CET 2008
Ming-Ching Tiew wrote:
> Laszlo Attila Toth wrote:
>> Gonzalo Arana wrote:
>>> Try the patch located in http://www.squid-cache.org/bugs/show_bug.cgi?id=2129
>>> Please note that this is still an unofficial patch. Any feedback about
>>> it is much appreciated.
>> Does the foreign bind work with this patch? I rewrote the patch for
>> 2.6-STABLE18 and perhaps I missed something. What I see on the webserver
>> is that the squid connects with its own IP address instead of the
>> client's address. Config:
>> http_port 3128 tproxy
>> When the new patch works, I will publish it. The changes:
>> the --enable-tproxy option is dropped; only --enable-linux-netfilter is
>> used. Also, both the REDIRECT and TPROXY targets can be used in this case. If
>> the tproxy patch isn't in the kernel, it is ignored in squid.
> Not answering this post specifically; however, I have two
> comments on the squid tproxy patch:
> 1. To have two different versions of patches and binaries for
> squid with tproxy 4.0.x and tproxy 4.1.0 is a nuisance and
> administratively unfortunate. It will be great if the patch
> can be one, and if there is a way to determine at runtime
> whether to pass IP_FREEBIND or IP_TRANSPARENT to
> setsockopt, that will be great.
As I wrote, it is only for tproxy 4.1. This is because it is pointless
to maintain multiple versions. We hope that tproxy 4.1 will be a part of
the mainline kernel, which is the cleanest version and easiest to use.
> The other way is to adjust the kernel patch for tproxy 4.1.0
> to use IP_FREEBIND. But it seems this option has been
> explored and the kernel folks disagreed with it, though!
> 2. Removing NET_ADMIN capability for IP_FREEBIND isn't quite
> necessary for :-
The new patch is based on the other one, but I keep this part, for instance.
The IP_TRANSPARENT socket option requires the CAP_NET_ADMIN capability as
well; it cannot be removed.
More information about the tproxy
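Two points in the thread above lend themselves to a concrete illustration: the "foreign bind" that Laszlo saw failing (squid connecting to the origin server from its own address rather than the client's), and Ming-Ching's wish for a single binary that decides at runtime whether to hand IP_TRANSPARENT or IP_FREEBIND to setsockopt. The C program below is an added example written for this page; it is not Squid code and not part of the tproxy patch. It tries IP_TRANSPARENT first (privileged: CAP_NET_ADMIN in the kernels discussed here), falls back to IP_FREEBIND, then binds a fresh TCP socket to a constructed client address from TEST-NET-1 (192.0.2.1, not a real client) to show that the bind only succeeds once one of the two options is set. Function names (`pick_spoof_option`, `bind_as_client`, `try_foreign_bind`) are the example's own, and the program assumes a Linux kernel with `net.ipv4.ip_nonlocal_bind` left at its default of 0.

```c
/*
 * Added example (not Squid's code, not the tproxy patch): choose at
 * runtime between IP_TRANSPARENT and IP_FREEBIND, then bind an upstream
 * socket to the client's address so the origin server sees the client's
 * IP rather than the proxy's.  Linux-only (both options are Linux-specific).
 */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum spoof_opt { SPOOF_NONE = 0, SPOOF_FREEBIND = 1, SPOOF_TRANSPARENT = 2 };

/*
 * Runtime selection: IP_TRANSPARENT (tproxy 4.1 style) needs CAP_NET_ADMIN
 * in the kernels the thread talks about, so an unprivileged process gets
 * EPERM; IP_FREEBIND (tproxy 4.0.x style) needs no capability.
 * Returns which option was successfully enabled on fd.
 */
enum spoof_opt pick_spoof_option(int fd)
{
    int one = 1;

    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one) == 0)
        return SPOOF_TRANSPARENT;
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &one, sizeof one) == 0)
        return SPOOF_FREEBIND;
    return SPOOF_NONE;
}

/*
 * Bind fd to client_ip with an ephemeral port (port 0).  Without one of the
 * options above the kernel refuses a non-local address with EADDRNOTAVAIL,
 * which is exactly the symptom of "squid connects with its own IP".
 */
int bind_as_client(int fd, const char *client_ip)
{
    struct sockaddr_in sa;

    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = 0;
    if (inet_pton(AF_INET, client_ip, &sa.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    return bind(fd, (struct sockaddr *)&sa, sizeof sa);
}

/*
 * Create a TCP socket, optionally enable address spoofing, bind it to
 * client_ip and report which option was used.  Returns 0 on success,
 * -1 on failure with errno preserved from the failing call.
 */
int try_foreign_bind(const char *client_ip, int enable_spoof, enum spoof_opt *used)
{
    enum spoof_opt opt = SPOOF_NONE;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    int rc, saved;

    if (fd < 0)
        return -1;
    if (enable_spoof) {
        opt = pick_spoof_option(fd);
        if (opt == SPOOF_NONE) {
            saved = errno;
            close(fd);
            errno = saved;
            return -1;
        }
    }
    rc = bind_as_client(fd, client_ip);
    saved = errno;
    if (used)
        *used = opt;
    close(fd);
    errno = saved;
    return rc;
}

int main(void)
{
    /* Constructed client address from TEST-NET-1; not assigned to any local interface. */
    const char *client = "192.0.2.1";
    enum spoof_opt used = SPOOF_NONE;

    if (try_foreign_bind(client, 0, NULL) == -1)
        printf("plain bind to %s failed: %s (the symptom from the thread)\n",
               client, strerror(errno));
    if (try_foreign_bind(client, 1, &used) == 0)
        printf("bind to %s succeeded using %s\n", client,
               used == SPOOF_TRANSPARENT ? "IP_TRANSPARENT" : "IP_FREEBIND");
    else
        printf("spoofed bind failed: %s\n", strerror(errno));
    return 0;
}
```

Run it twice, once as an unprivileged user and once with CAP_NET_ADMIN (for example under `sudo` or with `setcap cap_net_admin+ep`), to see the selection flip from IP_FREEBIND to IP_TRANSPARENT without a rebuild. Note that a socket bound this way only spoofs the source address; the replies still have to be steered back to the proxy by the kernel side (the tproxy netfilter target and policy routing), which is the part the Squid patch alone cannot provide.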