RE: [squid-users] Working transparent bridge config with recent kernel?

From: John Lauro <john.lauro_at_covenanteyes.com>
Date: Sun, 24 Jan 2010 23:44:09 -0500

That is basically what I tried. Is there a kernel version it's known to
work with? It's easy enough to test with a new version (besides the time of
compiling). I would like to have a working configuration so I can report
what kernel version broke it if it is indeed a bug. I think they are
already aware that 2.6.32 broke basic tproxy, but maybe bridging with tproxy
broke sooner.

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Sunday, January 24, 2010 11:31 PM
> To: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Working transparent bridge config with recent kernel?
>
> John Lauro wrote:
> > Hello,
> >
> > Can someone post a working configuration (full iptables and ebtables) of
> > squid in transparent bridge mode along with the kernel version that is known
> > to work. Someone working on the kernel seems to be changing things (to add
> > security?) and it broke transparency with 2.6.32.*.
> >
> > I was able to get it configured with squid being a router in kernel
> > 2.6.31.12. However, kernel 2.6.32.5 is broken with identical configuration.
> >
> > Just plain bridging works without squid, but once I try to intercept a
> > connection over two shared bridge ports, I can't get the connection to
> > establish from client to squid box. I don't know if my problem is with my
> > setup, or my kernel is too new for the examples I found.
> >
> > Thank you.
> >
>
> The one that _should_ be working is this:
>
> ebtables -t broute -A BROUTING -i $CLIENT_IFACE -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
>
> ebtables -t broute -A BROUTING -i $INET_IFACE -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
>
> cd /proc/sys/net/bridge/
> for i in *
> do
>     echo 0 > $i
> done
> unset i
>
> NP: DROP because its processing level is being 'dropped' out of ebtables
> into the iptables routing levels.
>
> That config came from the netfilter kernel experts themselves. If it is
> not working it's a kernel bug, please mention it to the netfilter people
> in charge of that piece of the kernel.
>
> Amos
> --
> Please be using
> Current Stable Squid 2.7.STABLE7 or 3.0.STABLE21
> Current Beta Squid 3.1.0.15
Received on Mon Jan 25 2010 - 04:47:05 MST
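The thread only shows the ebtables half of a transparent bridge; John asked for the iptables side as well. The script below is an added example, written for this archive page and not taken from the thread or from the Squid project, that puts Amos's two broute rules and the bridge-nf sysctl reset next to the iptables TPROXY rules and policy routing that Squid's "http_port ... tproxy" mode needs on the IP side. Interface names eth0 (client side), eth1 (internet side) and br0, the Squid port 3129, fwmark 0x1 and routing table 100 are assumptions, not values from the thread; change them to match the box. Run it as root with `apply` on the kernel under test, or with DRY_RUN=1 to print the exact commands it would issue.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project:
# transparent Squid bridge = ebtables broute rules (from the thread) +
# iptables TPROXY rules and policy routing (standard Squid TPROXY plumbing).
# Assumptions: client side eth0 and internet side eth1 enslaved to br0,
# Squid configured with "http_port 3129 tproxy". Mark 0x1 and table 100
# are arbitrary choices.
# Usage:   sh transparent-bridge.sh apply            (as root)
#          DRY_RUN=1 sh transparent-bridge.sh apply  (print commands only)

CLIENT_IFACE="${CLIENT_IFACE:-eth0}"
INET_IFACE="${INET_IFACE:-eth1}"
BRIDGE="${BRIDGE:-br0}"
TPROXY_PORT="${TPROXY_PORT:-3129}"
FWMARK="${FWMARK:-0x1}"
RT_TABLE="${RT_TABLE:-100}"

# Execute a command, or just print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Plain bridge with both ports enslaved. The bridge itself needs no address
# for interception; Squid's upstream connections use the box's normal routing.
bridge_setup() {
    run brctl addbr "$BRIDGE"
    run brctl addif "$BRIDGE" "$CLIENT_IFACE"
    run brctl addif "$BRIDGE" "$INET_IFACE"
    run ip link set "$CLIENT_IFACE" up
    run ip link set "$INET_IFACE" up
    run ip link set "$BRIDGE" up
}

# Equivalent of the thread's "echo 0 > /proc/sys/net/bridge/*": ordinary
# bridged frames must not be pushed through iptables; only brouted ones are.
bridge_nf_disable() {
    run sysctl -w net.bridge.bridge-nf-call-iptables=0
    run sysctl -w net.bridge.bridge-nf-call-ip6tables=0
    run sysctl -w net.bridge.bridge-nf-call-arptables=0
    run sysctl -w net.bridge.bridge-nf-filter-vlan-tagged=0
}

# The two broute rules from the thread. "DROP" as redirect target means the
# frame drops out of bridging into the IP stack; it is not discarded.
ebtables_broute_rules() {
    run ebtables -t broute -A BROUTING -i "$CLIENT_IFACE" -p ipv4 --ip-proto tcp \
        --ip-dport 80 -j redirect --redirect-target DROP
    run ebtables -t broute -A BROUTING -i "$INET_IFACE" -p ipv4 --ip-proto tcp \
        --ip-sport 80 -j redirect --redirect-target DROP
}

# TPROXY side: packets already owned by a local (tproxy) socket get marked,
# new port 80 connections are diverted to Squid's tproxy port, and marked
# packets are routed to the local table so server replies reach Squid's
# spoofed-source sockets instead of being bridged back to the client.
tproxy_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$FWMARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$FWMARK/$FWMARK" --on-port "$TPROXY_PORT"
    run ip rule add fwmark "$FWMARK" lookup "$RT_TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$RT_TABLE"
}

apply_all() {
    bridge_setup
    bridge_nf_disable
    ebtables_broute_rules
    tproxy_rules
}

case "${1:-}" in
    apply) apply_all ;;
esac
```

Two caveats worth keeping in mind with this layout. With every bridge-nf-call-* knob at 0, nothing that stays bridged ever traverses iptables, so any filtering you want on the non-port-80 traffic crossing the bridge has to live in the ebtables filter table, not in iptables. And the TPROXY port is a plain listening socket on the box: keep it unreachable from either wire (Squid's own http_access rules plus a host firewall on the bridge ports), since a client that can connect to it directly bypasses the interception rules entirely.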

This archive was generated by hypermail 2.2.0 : Mon Jan 25 2010 - 12:00:04 MST