Re: WARNING: comm_open: setsockopt(IP_TRANSPARENT) not supported on this platform

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Ted Kaczmarek wrote:
> On Aug 15, 2008, at 9:34 AM, Amos Jeffries wrote:
>
> > Ted Kaczmarek wrote:
> > > With squid-3.HEAD-20080814 I am seeing this message.
> > > WARNING: comm_open: setsockopt(IP_TRANSPARENT) not supported on this 
> > > platform
> > > It does not matter if I configure  wit or without
> > > --enable-tproxy
> > > and or
> > > --enable-linux-netfilter.
> > > What is the correct option for Tproxy4 support?
> >
> > --enable-netfilter
> >
> > NOTE: your kernel needs to be correctly patched for TPROXY options to 
> > work.
> >
> > > Going through all these related Tproxy posts  ona various can really 
> > > send one for ride :-)
> > > Regards,
> > > Ted
> >
> > A how-to has recently been added to the wiki. It's not quite 100% 
> > complete but should give you a good basis to start from.
> >
> > http://wiki.squid-cache.org/ConfigExamples/TPROXYPatchingCentOS
> >
> >
> > Amos
> > --
> > Please use Squid 2.7.STABLE3 or 3.0.STABLE8
>
> Amos,
>
> thanks, that and few hunder other posts are how I have gotten me this 
> far :-)
>
>
> [root@labdev ~]# dmesg | grep -i tproxy
> NF_TPROXY: Transparent proxy support initialized, version 4.1.0
> NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
> ip_tables: TPROXY target: only valid in mangle table, not nat
>
>
> [root@labdev ~]# squid -v
> Squid Cache: Version 3.HEAD-20080814
> configure options:  '--prefix=/usr' '--includedir=/usr/include' 
> '--datadir=/usr/share' '--bindir=/usr/sbin' 
> '--libexecdir=/usr/lib/squid' '--localstatedir=/var/squid' 
> '--sysconfdir=/etc/squid' '--enable-epoll' '--enable-delay-pools' 
> '-enable-cachemgr-hostname=localhost' '--enable-linux-netfilter' 
> '--enable-auto-locale' --enable-ltdl-convenience
>
> [root@labdev ~]# lsmod | grep -i tprox
> xt_TPROXY               6144  0
> nf_defrag_ipv4          5888  2 nf_conntrack_ipv4,xt_TPROXY
> nf_tproxy_core          6400  1 xt_TPROXY,[permanent]
> x_tables               15364  4 xt_tcpudp,iptable_nat,xt_TPROXY,ip_tables
>
> 2.6.25.11 kernel and iptables 1.4.
>
> Am I missing something?

Yes:  "TPROXY target: only valid in mangle table, not nat"

Looks like you are confusing the iptables uses:
 nat (sees FIRST packet of a stream only)
 mangle (sees ALL packets to perform low-level alterations)

TPROXY needs to be applied to all packets, so your rules need to specify 
mangle table where you currently have nat table.

Amos
--
Please use Squid 2.7.STABLE3 or 3.0.STABLE8