Re: [squid-users] Please give a solution - Tproxy from Amos Jeffries on 2009-05-05 (squid-users)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 06 May 2009 01:31:22 +1200

adnan wrote:
>
> ----- Original Message ----- From: "Amos Jeffries" <squid3_at_treenet.co.nz>
> To: "Monzur Md.. Alam" <monzur_at_citechco.net>
> Cc: <squid-users_at_squid-cache.org>
> Sent: Monday, May 04, 2009 7:19 PM
> Subject: Re: [squid-users] Please give a solution - Tproxy
>
>
>> Monzur Md.. Alam wrote:
>>> Dear all,
>>>
>>> I have gone the the procedure as described at the following URL
>>> URL:
>>> http://wiki.squid-cache.org/Features/Tproxy4#head-f17bb712222beeb0aa083f02237aad6fdfaa1be2
>>>
>>>
>>> I have successfully complied kernel:2.6.28.1 and iptables:1.4.3 with
>>> tproxy:2.6.25-20080519-165031-1211208631.tar.bz2
>>>
>>
>> What is "tproxy:2.6.25-20080519-165031-1211208631.tar.bz2" ??
>> It's not part of the Squid TPROXY v4 tools that I know of.
>
> He (Monzur) means,
> tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2, for the support of
> NF_CONNTRACK
> NETFILTER_TPROXY
> NETFILTER_XT_MATCH_SOCKET
> NETFILTER_XT_TARGET_TPROXYabove feature in the kernel we patched above
> "tproxy-kernelxxx" patch to the kernel.Do you think we should avoid
> tproxy-kernel patch for TPROXY v4?

Ah you said you had kernel 2.6.28.
That is a patch for 2.6.25 kernel _only_.

There is no patching needed for kernel 2.6.28, which is why its
listed on the wiki page as recommended minimum version.

If so, how can we will
> getNF_CONNTRACK, NETFILTER_TPROXY, NETFILTER_XT_MATCH_SOCKET,
> NETFILTER_XT_TARGET_TPROXY in thekernel?

During normal confugure + build sequence of the kernel they should
appear somewhere in the netfilter or iptabels sections of the configure.

If you have that patch in your 2.6.28, you will need to rebuild without
any breakage it may have caused. Thats a good time to do a reconfigure
from clean kernel source.

> > >> Now when I run following
> ipables commands, all the commands>> running without any problem
> except....>> >> iptables 1.4.3 Configuration>> iptables -t mangle -A
> PREROUTING -p tcp -m socket -j DIVERT>> >> and error messege shown:>> >>
> [root_at_hpproxy ~]# iptables -t mangle -A PREROUTING -p tcp -m socket -j
> DIVERT>> iptables: No chain/target/match by that name. Run `dmesg' for
> more information.
>>> [root_at_hpproxy ~]#
>>
>> Something is missing from your iptables. Possibly the kernel is not
>> built with all the new TPROXY options or has not loaded the right
>> modules. Follow its advice and run dmesg to find out more details.
>>
>
> When we run the command without "-m socket" it's run without error. Can
> you please write which
> thing are missing in the kernel or iptables software?

The versions listed on the Squid wiki page are missing nothing
important. Should work with vanilla code no patches. Only a kernel and
Squid configuration settings needed during build.

> Is this command or option "-m socket" is mandotary to run Squid with
> Tproxy support?

Yes it is. Using the correct versions of software and not patching will
fix this issue for you.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
   Current Beta Squid 3.1.0.7

Received on Tue May 05 2009 - 13:31:30 MDT

This archive was generated by hypermail 2.2.0 : Wed May 13 2009 - 12:00:02 MDT