Re: [squid-users] Working transparent bridge config with recent kernel?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 25 Jan 2010 17:30:38 +1300

John Lauro wrote:
> Hello,
>
> Can someone post a working configuration (full iptables and ebtables) of
> squid in transparent bridge mode along with the kernel version that is known
> to work. Someone working on the kernel seems to be changing things (to add
> security?) and it broke transparency with 2.6.32.*.
>
> I was able to get it configured with squid being a router in kernel
> 2.6.31.12. However, kernel 2.6.32.5 is broken with identical configuration.
>
> Just plain bridging works without squid, but once I try to intercept a
> connection over two shared bridge ports, I can't get the connection to
> establish from client to squid box. I don't know if my problem is with my
> setup, or my kernel is too new for the examples I found.
>
> Thank you.
>

The one that _should_ be working is this:

  ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp \
    --ip-dport 80 -j redirect --redirect-target DROP

  ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp \
    --ip-sport 80 -j redirect --redirect-target DROP

  cd /proc/sys/net/bridge/
  for i in *
  do
    echo 0 > $i
  done
  unset i

NP: DROP because its processing level is being 'dropped' out of ebtables
into the iptables routing levels.

That config came from the netfilter kernel experts themselves. If it is
not working it's a kernel bug, please mention it to the netfilter people
in charge of that piece of the kernel.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
   Current Beta Squid 3.1.0.15
Received on Mon Jan 25 2010 - 04:30:47 MST
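The full rule set the original question asked for, as an added example that is not part of the reply above: the two ebtables broute rules from the reply, the iptables REDIRECT that picks the brouted port-80 flows up at the IP layer, and the bridge sysctl loop. Interface names, the bridge name and the Squid intercept port 3128 are assumptions.

```shell
#!/bin/sh
# Added example: transparent-bridge interception rules for Squid.
# The ebtables rules are the ones posted in the reply; the iptables
# REDIRECT and the port/interface defaults are assumptions.
CLIENT_IFACE=${CLIENT_IFACE:-eth0}   # assumed: bridge port facing the clients
INET_IFACE=${INET_IFACE:-eth1}       # assumed: bridge port facing the Internet
SQUID_PORT=${SQUID_PORT:-3128}       # assumed: Squid's intercepting http_port

# Emit the commands instead of running them, so the set can be reviewed
# (or checked by a test) before it is applied as root.
bridge_rules() {
    cat <<EOF
ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port $SQUID_PORT
EOF
    # Turn off every bridge-nf knob so ordinary bridged frames stay out of
    # iptables; only the brouted port-80 flows reach the IP layer.
    for f in /proc/sys/net/bridge/*; do
        [ -e "$f" ] || continue
        echo "echo 0 > $f"
    done
}

# Number of firewall rules the set installs; a quick sanity check.
rule_count() {
    bridge_rules | grep -c -e '^ebtables' -e '^iptables'
}

case "${1:-show}" in
    show)  bridge_rules ;;
    apply) bridge_rules | sh -e ;;   # must run as root
esac
```

Run with `apply` only after `show` prints the rules you expect for your interfaces.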

This archive was generated by hypermail 2.2.0 : Mon Jan 25 2010 - 12:00:04 MST