James Brotchie wrote:
> G'day,
>
> I'm curious about a change to the transparent/interception behaviour
> between Squid versions 2.7 and 3.1.
>
> I'm using a iptables NAT redirect to send all tcp traffic with dst
> port 80 on the FORWARD chain to port 60080 and in my squid.conf I have
>
> "http_port 60080 transparent" for Squid 2.7
> "http_port 60080 intercept" for Squid 3.1
>
> I also have the following ACL
> "acl intercepted myport 60080"
>
> Squid is running on 192.168.0.112 and a box with 192.168.0.112 as its
> gateway is trying to access 64.191.203.30:80.
>
> On Squid 2.7 the "intercepted" acl matches whilst in 3.1 it doesn't.
>
> Digging deeper into the Squid 3.1 source it seems that if a http_port
> is set to intercept then the "me" member of ConnStateData, which is
> normally the proxy's ip and listening port, is replaced by the pre-NAT
> destination ip and port.
>
> client_side.cc: 2959
> if (port->intercepted || port->spoof_client_ip) {
> IpAddress client, dst;
>
> if (IpInterceptor.NatLookup(fd, me, peer, client, dst) == 0) {
> result->me = client;
> result->peer = dst;
> result->transparent(true);
> }
> }
>
> Thus it seems, for the scenario above, in the Squid 2.7 case
> myport = 60080, myip = 192.168.0.112
>
> yet in the 3.1 case
> myport = 80, myip = 64.191.203.30
>
> Is this the desired behaviour, and if so, why did this change
> somewhere between 2.7 and 3.1?
>
> Cheers,
> James Brotchie
Hmm. Some of the lookups require it and some break if it is. There is a
bit of cleanup here that will need consideration:
The "me" field has very ambiguous meaning and inconsistent use
between all modes of Squid. myport and myip tests thus only work
reliably in normal forward and reverse modes.
Meanwhile the http_port now has a name= option for testing with
myportname ACL.
Amos
-- Please be using Current Stable Squid 2.7.STABLE6 or 3.0.STABLE19 Current Beta Squid 3.1.0.13Received on Fri Sep 18 2009 - 06:43:02 MDT
This archive was generated by hypermail 2.2.0 : Sat Sep 19 2009 - 12:00:05 MDT