adnan wrote:
----- Original Message ----- From: "Amos Jeffries" <squid3@xxxxxxxxxxxxx>
To: "Monzur Md.. Alam" <monzur@xxxxxxxxxxxx>
Cc: <squid-users@xxxxxxxxxxxxxxx>
Sent: Monday, May 04, 2009 7:19 PM
Subject: Re: Please give a solution - Tproxy
Monzur Md.. Alam wrote:
Dear all,
I have gone the the procedure as described at the following URL
URL:
http://wiki.squid-cache.org/Features/Tproxy4#head-f17bb712222beeb0aa083f02237aad6fdfaa1be2
I have successfully complied kernel:2.6.28.1 and iptables:1.4.3 with
tproxy:2.6.25-20080519-165031-1211208631.tar.bz2
What is "tproxy:2.6.25-20080519-165031-1211208631.tar.bz2" ??
It's not part of the Squid TPROXY v4 tools that I know of.
He (Monzur) means,
tproxy-kernel-2.6.25-20080519-165031-1211208631.tar.bz2, for the support of
NF_CONNTRACK
NETFILTER_TPROXY
NETFILTER_XT_MATCH_SOCKET
NETFILTER_XT_TARGET_TPROXYabove feature in the kernel we patched above
"tproxy-kernelxxx" patch to the kernel.Do you think we should avoid
tproxy-kernel patch for TPROXY v4?
Ah you said you had kernel 2.6.28.
That is a patch for 2.6.25 kernel _only_.
There is no patching needed for kernel 2.6.28, which is why its
listed on the wiki page as recommended minimum version.
If so, how can we will
getNF_CONNTRACK, NETFILTER_TPROXY, NETFILTER_XT_MATCH_SOCKET,
NETFILTER_XT_TARGET_TPROXY in thekernel?
During normal confugure + build sequence of the kernel they should
appear somewhere in the netfilter or iptabels sections of the configure.
If you have that patch in your 2.6.28, you will need to rebuild without
any breakage it may have caused. Thats a good time to do a reconfigure
from clean kernel source.
> >> Now when I run following
ipables commands, all the commands>> running without any problem
except....>> >> iptables 1.4.3 Configuration>> iptables -t mangle -A
PREROUTING -p tcp -m socket -j DIVERT>> >> and error messege shown:>> >>
[root@hpproxy ~]# iptables -t mangle -A PREROUTING -p tcp -m socket -j
DIVERT>> iptables: No chain/target/match by that name. Run `dmesg' for
more information.
[root@hpproxy ~]#
Something is missing from your iptables. Possibly the kernel is not
built with all the new TPROXY options or has not loaded the right
modules. Follow its advice and run dmesg to find out more details.
When we run the command without "-m socket" it's run without error. Can
you please write which
thing are missing in the kernel or iptables software?
The versions listed on the Squid wiki page are missing nothing
important. Should work with vanilla code no patches. Only a kernel and
Squid configuration settings needed during build.
Is this command or option "-m socket" is mandotary to run Squid with
Tproxy support?
Yes it is. Using the correct versions of software and not patching will
fix this issue for you.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE14
Current Beta Squid 3.1.0.7