Re: [squid-users] WARNING: comm_open: setsockopt(IP_TRANSPARENT) not supported on this platform

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sat, 16 Aug 2008 15:26:17 +1200

Ted Kaczmarek wrote:
>
> On Aug 15, 2008, at 9:34 AM, Amos Jeffries wrote:
>
>> Ted Kaczmarek wrote:
>>> With squid-3.HEAD-20080814 I am seeing this message.
>>> WARNING: comm_open: setsockopt(IP_TRANSPARENT) not supported on this
>>> platform
>>> It does not matter if I configure with or without
>>> --enable-tproxy
>>> and or
>>> --enable-linux-netfilter.
>>> What is the correct option for Tproxy4 support?
>>
>> --enable-netfilter
>>
>> NOTE: your kernel needs to be correctly patched for TPROXY options to
>> work.
>>
>>> Going through all these related Tproxy posts ona various can really
>>> send one for ride :-)
>>> Regards,
>>> Ted
>>
>> A how-to has recently been added to the wiki. It's not quite 100%
>> complete but should give you a good basis to start from.
>>
>> http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS
>>
>>
>> Amos
>> --
>> Please use Squid 2.7.STABLE3 or 3.0.STABLE8
>
> Amos,
>
> thanks, that and a few hundred other posts are how I have gotten this
> far :-)
>
>
> [root_at_labdev ~]# dmesg | grep -i tproxy
> NF_TPROXY: Transparent proxy support initialized, version 4.1.0
> NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
> ip_tables: TPROXY target: only valid in mangle table, not nat
>
>
> [root_at_labdev ~]# squid -v
> Squid Cache: Version 3.HEAD-20080814
> configure options: '--prefix=/usr' '--includedir=/usr/include'
> '--datadir=/usr/share' '--bindir=/usr/sbin'
> '--libexecdir=/usr/lib/squid' '--localstatedir=/var/squid'
> '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-delay-pools'
> '-enable-cachemgr-hostname=localhost' '--enable-linux-netfilter'
> '--enable-auto-locale' --enable-ltdl-convenience
>
> [root_at_labdev ~]# lsmod | grep -i tprox
> xt_TPROXY 6144 0
> nf_defrag_ipv4 5888 2 nf_conntrack_ipv4,xt_TPROXY
> nf_tproxy_core 6400 1 xt_TPROXY,[permanent]
> x_tables 15364 4 xt_tcpudp,iptable_nat,xt_TPROXY,ip_tables
>
> 2.6.25.11 kernel and iptables 1.4.
>
> Am I missing something?
>

Yes: "TPROXY target: only valid in mangle table, not nat"

Looks like you are confusing the iptables uses:
  nat (sees FIRST packet of a stream only)
  mangle (sees ALL packets to perform low-level alterations)

TPROXY needs to be applied to all packets, so your rules need to specify
the mangle table where you currently have the nat table.

Amos

-- 
Please use Squid 2.7.STABLE3 or 3.0.STABLE8
Received on Sat Aug 16 2008 - 03:26:12 MDT
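
Added example (not part of the original thread, and not Squid project code): a pre-load check for the mistake diagnosed above, reading a ruleset in iptables-save/iptables-restore format and reporting any TPROXY rule placed outside the mangle table. The function names, port 3129 and the mark value are constructed for illustration.

```shell
#!/bin/sh
# Lint a ruleset file before loading it: the kernel rejects TPROXY rules
# outside the mangle table ("only valid in mangle table, not nat").

find_misplaced_tproxy() {
    # stdin: ruleset text in iptables-save format
    # stdout: "table: rule" for every TPROXY rule outside mangle
    # status: 1 if at least one misplaced rule was found, else 0
    awk '
        /^\*/ { table = substr($0, 2); next }   # table header: "*nat", "*mangle"
        /^-A / {
            for (i = 1; i < NF; i++)
                if (($i == "-j" || $i == "--jump") && $(i + 1) == "TPROXY" \
                    && table != "mangle") {
                    print table ": " $0
                    bad = 1
                }
        }
        END { exit (bad ? 1 : 0) }
    '
}

# Constructed sample ruleset: the same rule once in nat (wrong) and once
# in mangle (where TPROXY is accepted).
sample_ruleset() {
    cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
COMMIT
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
COMMIT
EOF
}

sample_ruleset | find_misplaced_tproxy \
    || echo "TPROXY rules listed above must move to the mangle table"
```

To check a real file, pipe it in: find_misplaced_tproxy < /path/to/ruleset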
