[tproxy] TProxy4 and Squid 3.1.0.5 client address spoofing problem !

Hamid Hashemi hashemi at gmail.com
Sun Mar 22 22:04:05 CET 2009


Dear Modestas,

Thanks for your response. My problem was exactly the libcap-devel ( CentOS
package name ) missing in compile time. unfortunately there was no error or
warning message in configure time in compile and if you rely in the messages
in configure or compile time it should work. I was following up this howto :
http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS and there
was no hint about this package. Anyway the problem was solved compeletely
and I think it is better to mention this in squid-cache.org HOWTO.

_Hamid

On Sat, Mar 14, 2009 at 6:04 PM, Modestas Vainius <modestas at vainius.eu>wrote:

> Hello,
>
> I faced similar problem to yours yesterday.
>
> Linux 2.6.28 on Debian GNU/Linux amd64 (TPROXY v4.1)
> iptables 1.4.3 snapshot (20090312)
> squid 3.1.0.6 (beta)
>
> I had no problems building iptables 1.4.3 snapshot, TPROXY target was built
> properly without a hassle and worked perfectly out-of-the-box.
>
> Squid seemed to build fine from the first sight however it simply didn't do
> any tproxy'ing (tproxy port worked but packets came out with the IP of the
> squid server). After long hours of debugging and tracing, I localized the
> problem to this squid code at src/tools.cc [1].
>
> And guess what:
>
> # squid -X 2>&1 | grep 'Stopping full transparency'
> Stopping full transparency: Missing needed capability support.
>
> So I needed to install libcap-dev package (on Debian) and to get
> development
> headers (sys/capability.h) for the Linux capabilities library and rebuild
> squid. And squid has started working fine then. I guess you have the same
> issue, just package name is different.
>
> Basically, I recommend running the command above to check your squid config
> with regard to tproxy support. Obviously, it should return nothing if
> transparency support has been successfully enabled. squid should be more
> verbose about such errors...
>
> What is more, TPROXY+squid works fine on my router/server which does
> NETMAP/SNAT too (I was concerned that there would be problems with
> nat'ing).
> Great job and thanks to everybody involved.
>
> 1.
> -------------------
> static void
> restoreCapabilities(int keep)
> {
>    /* NP: keep these two if-endif separate. Non-Linux work perfectly well
> without Linux syscap support. */
> #if defined(_SQUID_LINUX_)
>
> #if HAVE_SYS_CAPABILITY_H
> #ifndef _LINUX_CAPABILITY_VERSION_1
> #define _LINUX_CAPABILITY_VERSION_1 _LINUX_CAPABILITY_VERSION
> #endif
>    cap_user_header_t head = (cap_user_header_t) xcalloc(1, sizeof(*head));
>    cap_user_data_t cap = (cap_user_data_t) xcalloc(1, sizeof(*cap));
>
>    head->version = _LINUX_CAPABILITY_VERSION_1;
>
>    if (capget(head, cap) != 0) {
>        debugs(50, DBG_IMPORTANT, "Can't get current capabilities");
>    } else if (head->version != _LINUX_CAPABILITY_VERSION_1) {
>        debugs(50, DBG_IMPORTANT, "Invalid capability version " << head-
> >version << " (expected " << _LINUX_CAPABILITY_VERSION_1 << ")");
>    } else {
>
>        head->pid = 0;
>
>        cap->inheritable = 0;
>        cap->effective = (1 << CAP_NET_BIND_SERVICE);
>
>        if (IpInterceptor.TransparentActive()) {
>            cap->effective |= (1 << CAP_NET_ADMIN);
> #if LINUX_TPROXY2
>            cap->effective |= (1 << CAP_NET_BROADCAST);
> #endif
>        }
>
>        if (!keep)
>            cap->permitted &= cap->effective;
>
>        if (capset(head, cap) != 0) {
>            IpInterceptor.StopTransparency("Error enabling needed
> capabilities.");
>        }
>    }
>
>    xfree(head);
>    xfree(cap);
>
> #else
>    IpInterceptor.StopTransparency("Missing needed capability support.");
> #endif /* HAVE_SYS_CAPABILITY_H */
>
> #endif /* !defined(_SQUID_LINUX_) */
> }
> ---------------
>
> --
> Modestas Vainius <modestas at vainius.eu>
>
>


-- 
Regards
Hamid Hashemi
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.balabit.hu/pipermail/tproxy/attachments/20090323/6f5c7c0f/attachment.htm 


More information about the tproxy mailing list