Re: autoconf-refactor and netfilter-based transparent proxy

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 10 May 2010 23:37:34 +0000

On Mon, 10 May 2010 22:49:03 +0200, Henrik Nordström
<henrik_at_henriknordstrom.net> wrote:
> On Mon 2010-05-10 at 18:13 +0200, Kinkie wrote:
>> >> revno: 10425
>> >> committer: Francesco Chemolli <kinkie_at_squid-cache.org>
>> >> branch nick: trunk
>> >> timestamp: Sun 2010-04-25 23:40:51 +0200
>> >> message:
>> >> Interim merge from autoconf-refactor feature-branch.
>> >
>> > Kinkie, could you please check that netfilter-based interception
>> > proxies
>> > are still supported?
>>
>> Will do ASAP (probably tomorrow).
>
> I have added back the missing define for LINUX_NETFILTER, but this is
> the second odd thing in the autoconf refactor merge. Can you please do a
> full review of your merge to see if there is anything else that's odd?
>
>> > It would also be nice to get rid of libcap and TPROXY warnings when the
>> > user wants just netfilter-based interception proxy support and is
>> > willing to --disable the rest. In Squid v3.1, we now get these
>> > irrelevant (for the said configuration) warnings:
>>
>> I'll check.
>
> trunk does not even have a configure option for controlling TPROXY. It's
> assumed to always be available by configure.in, and disabled in compiled
> code based on system header defines.

Huh? TPROXYv2 was. v4 is different.

trunk TPROXYv4 is build controlled by the LINUX_NETFILTER present/absent
options, since it's in the netfilter software.
At run-time it's tested by a startup probe of the kernel via libsock
(always present) and libcap (optional, thus the libcap mention).
 * libsock to test whether a v6 socket can handle the IP_TRANSPARENT flag
and enable/disable the v6 support.
 * libcap to see if the spoofing privileges are available to
enable/disable tproxy entirely.

Amos
Received on Mon May 10 2010 - 23:37:37 MDT
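
The two start-up checks described in the message above, sketched as an added example that is not Squid's code and not part of the original thread. It assumes Linux, reads the effective capability mask from /proc/self/status instead of calling libcap, and treats CAP_NET_ADMIN as the privilege that IP_TRANSPARENT requires; all function names are hypothetical.

```c
/* Added example, not Squid source. Function names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19          /* value from the Linux UAPI headers */
#endif
#define EX_CAP_NET_ADMIN 12        /* CAP_NET_ADMIN bit, linux/capability.h */

/* Parse CapEff from /proc/<pid>/status text. Returns 0 on success. */
int parse_cap_eff(const char *status, unsigned long long *mask)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            char *end;
            *mask = strtoull(p + 7, &end, 16);
            return end == p + 7 ? -1 : 0;   /* no hex digits: malformed */
        }
        p = strchr(p, '\n');                /* advance to the next line */
        if (p) p++;
    }
    return -1;                              /* no CapEff line found */
}

/* Privilege check: is the CAP_NET_ADMIN bit set in the effective mask? */
int has_net_admin(unsigned long long mask) { return (int)((mask >> EX_CAP_NET_ADMIN) & 1ULL); }

/* Socket check. 1: v6 socket took IP_TRANSPARENT; 0: refused; -1: no v6. */
int probe_v6_transparent(void)
{
    int on = 1, fd = socket(AF_INET6, SOCK_STREAM, 0);
    if (fd < 0) return -1;
    int rc = setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on));
    close(fd);
    return rc == 0 ? 1 : 0;
}

int main(void)
{
    char buf[4096] = "";
    unsigned long long mask = 0;
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { buf[fread(buf, 1, sizeof(buf) - 1, f)] = '\0'; fclose(f); }
    int ok = parse_cap_eff(buf, &mask) == 0 && has_net_admin(mask);
    printf("tproxy privileges: %d, v6 IP_TRANSPARENT: %d\n", ok, probe_v6_transparent());
    return 0;
}
```

Run unprivileged, the privilege check reports 0 and the socket probe is refused, which is the case where a proxy would disable TPROXY rather than fail later at bind time.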
