[tproxy] Squid-2.6 patch

Laszlo Attila Toth panther at balabit.hu
Tue Mar 4 10:02:12 CET 2008


Ming-Ching Tiew wrote:
> Laszlo Attila Toth wrote:
>> Gonzalo Arana wrote:
>>   
>>> Try the patch located in http://www.squid-cache.org/bugs/show_bug.cgi?id=2129
>>> Please, note that this is still an unofficial patch.  Any feedback about
>>> it is much appreciated.
>>>
>>>     
>> Does the foreign bind work with this patch? I rewrote the patch for 
>> 2.6-STABLE18 and perhaps I missed something. What I see on the webserver 
>> is that squid connects with its own IP address instead of the 
>> client's address. Config:
>> http_port 3128 tproxy
>>
>> When the new patch works, I will publish it. The changes:
>> the --enable-tproxy option is dropped; only --enable-linux-netfilter is 
>> used. Also both the REDIRECT and TPROXY targets can be used in this case. If 
>> the tproxy patch isn't in the kernel, it is ignored in squid.
>>
>>   
> 
> Not answering this post specifically, however I have two
> comments on the squid tproxy patch :-
> 
> 1. To have two different versions of patches and binaries for
>     squid with tproxy 4.0.x and tproxy 4.1.0 is a nuisance and
>     administratively unfortunate. It will be great if the patch
>     can be one, and if there is a way to determine at runtime
>     whether to pass IP_FREEBIND or IP_TRANSPARENT to
>     setsockopt, that will be great.

As I wrote, it is only for tproxy 4.1. This is because it is pointless 
to maintain multiple versions. We hope that tproxy 4.1 will be a part of 
the mainline kernel, which is the cleanest version and the easiest to use.

> 
>     The other way is to adjust the kernel patch for tproxy 4.1.0
>     to use IP_FREEBIND. But it seems this option has been
>     explored and the kernel folks disagreed with it though!
> 
> 2. Removing the NET_ADMIN capability for IP_FREEBIND isn't quite
>     necessary for :-
> 

The new patch is based on the other one, but I keep this part, for instance. 
The IP_TRANSPARENT socket option also requires the CAP_NET_ADMIN capability, 
and it cannot be removed either.


-- 
Panther
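As an added example (not the Squid patch and not code from anyone in this thread), the runtime selection asked for in point 1: try IP_TRANSPARENT first and fall back to IP_FREEBIND, then bind the socket to a client address. Function names are hypothetical and 192.0.2.10 is a constructed client address.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

enum foreign_bind { FB_NONE = 0, FB_TRANSPARENT = 1, FB_FREEBIND = 2 };
/* Enable non-local binding on fd: IP_TRANSPARENT (tproxy 4.1, needs
 * CAP_NET_ADMIN) first, IP_FREEBIND (tproxy 4.0) as fallback. Returns the
 * option that took effect, FB_NONE if neither did, -1 if fd is no socket. */
int enable_foreign_bind(int fd)
{
    int on = 1, type;
    socklen_t len = sizeof(type);
    if (getsockopt(fd, SOL_SOCKET, SO_TYPE, &type, &len) != 0)
        return -1;                               /* EBADF or ENOTSOCK */
#ifdef IP_TRANSPARENT
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on)) == 0)
        return FB_TRANSPARENT;                   /* EPERM without CAP_NET_ADMIN */
#endif
#ifdef IP_FREEBIND
    if (setsockopt(fd, IPPROTO_IP, IP_FREEBIND, &on, sizeof(on)) == 0)
        return FB_FREEBIND;
#endif
    return FB_NONE;                              /* neither option available */
}

/* Bind fd to ip:port; with foreign binding enabled the address need not be
 * local. Returns 0 on success, -1 with errno set (EINVAL for a bad ip). */
int bind_as(int fd, const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) { errno = EINVAL; return -1; }
    return bind(fd, (struct sockaddr *)&sa, sizeof(sa));
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0), mode = enable_foreign_bind(fd);
    printf("foreign bind mode: %d (1=IP_TRANSPARENT, 2=IP_FREEBIND)\n", mode);
    /* 192.0.2.10 is a constructed client address (TEST-NET-1), not local here */
    if (bind_as(fd, "192.0.2.10", 0) != 0)  /* EADDRNOTAVAIL without either option */
        printf("bind as client failed: %s\n", strerror(errno));
    close(fd);
    return 0;
}
```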
