Laszlo Attila Toth wrote:
Hello,
We only support TProxy version 4.1, but in squid "--enable-tproxy"
requires version 2, which has been obsolete for a while.
Current implementation doesn't require kernel support, only a new socket
option, IP_TRANSPARENT, also I made a patch which drops
"--enable-tproxy" because TProxy 4.1 uses netfilter/iptables (TPROXY
target and socket match). If "--enable-linux-netfilter" is used, the
"tproxy" option is available for "http_proxy".
It is not yet finished; the squid proxy doesn't bind to the client's
address. Furthermore, I think it would be better to have a different
option for this, and "tproxy" wouldn't imply this.
The patch is available here for 2.6-STABLE18:
http://www.balabit.com/downloads/files/tproxy/
Any suggestions?
Dropping support for tproxy <4 entirely out of squid-2 is not a good
choice. In Squid-3 this may possibly be done.
A new configure option --enable-linux-transparent-intercept which
pre-empts --enable-linux-netfilter and --enable-tproxy would be a better
choice.
Users of tproxy4+ can then use that option and choose their target.
Which code alteration means:
- migrate defined LINUX_TPROXY -> LINUX_TPROXY2
- add defined LINUX_TPROXY4
- make flags.tproxy:1 --> #if LINUX_NETFILTER || LINUX_TPROXY4
etc.
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.