Re: TProxy support

From: Amos Jeffries <squid3@dont-contact.us>
Date: Wed, 05 Mar 2008 23:15:58 +1300

Laszlo Attila Toth wrote:
> Hello,
>
> We only support TProxy version 4.1 but in the squid "--enable-tproxy"
> requires version 2 which has been obsolete for a while.
>
> Current implementation doesn't require kernel support, only a new socket
> option, IP_TRANSPARENT, also I made a patch which drops
> "--enable-tproxy" because TProxy 4.1 uses netfilter/iptables (TPROXY
> target and socket match). If "--enable-linux-netfilter" is used, the
> "tproxy" option is available for "http_proxy".
>
> It is not yet finished, the squid proxy doesn't bind to the client's
> address. Furthermore I think it would be better to have a different
> option for this, and "tproxy" wouldn't imply this.
>
> The patch is available here for 2.6-STABLE18:
>
> http://www.balabit.com/downloads/files/tproxy/
>
>
> Any suggestions?

Dropping support for tproxy <4 entirely out of squid-2 is not a good
choice. In Squid-3 this may possibly be done.

A new configure option --enable-linux-transparent-intercept which
pre-empts --enable-linux-netfilter and --enable-tproxy would be a better
choice.

Users of tproxy4+ can then use that option and choose their target.

Which code alteration means:
  - migrate defined LINUX_TPROXY -> LINUX_TPROXY2
  - add defined LINUX_TPROXY4
  - make flags.tproxy:1 --> #if LINUX_NETFILTER || LINUX_TPROXY4
etc.

Amos

-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
Received on Wed Mar 05 2008 - 03:15:27 MST
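
Added illustration, not part of the thread and not Squid or BalaBit code: a C sketch of the compile-time gating proposed above together with the IP_TRANSPARENT socket option the quoted message mentions. The macro names come from the thread; struct port_flags, enable_transparent() and open_listener() are hypothetical names, and the default LINUX_TPROXY4=1 is an assumption. On Linux, setting IP_TRANSPARENT requires CAP_NET_ADMIN, so the sketch refuses to hand back a socket when the option was requested but could not be set.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

#ifndef LINUX_TPROXY4
#define LINUX_TPROXY4 1        /* assumption: build targets TProxy 4.x */
#endif
#ifndef IP_TRANSPARENT
#define IP_TRANSPARENT 19      /* value from <linux/in.h>; old libc headers lack it */
#endif

struct port_flags {            /* hypothetical per-port flags */
    unsigned int transparent:1;
#if LINUX_NETFILTER || LINUX_TPROXY4
    unsigned int tproxy:1;     /* only exists when a capable backend is built in */
#endif
};

/* Returns 0 on success, otherwise the errno reported by setsockopt(). */
int enable_transparent(int fd)
{
    int on = 1;
    if (setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &on, sizeof(on)) < 0)
        return errno;
    return 0;
}

/* Returns a socket fd (>= 0), or a negative errno. If tproxy was requested
 * but cannot be enabled (typically EPERM without CAP_NET_ADMIN), fail
 * instead of silently running as a non-transparent proxy. */
int open_listener(const struct port_flags *flags)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;
#if LINUX_NETFILTER || LINUX_TPROXY4
    if (flags->tproxy) {
        int err = enable_transparent(fd);
        if (err) {
            fprintf(stderr, "IP_TRANSPARENT refused: %s\n", strerror(err));
            close(fd);
            return -err;
        }
    }
#endif
    return fd;
}
```

A daemon that starts as root only to set this option can drop everything except CAP_NET_ADMIN before accepting traffic.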
