Red Hat Bugzilla – Bug 100779
RFE: transparent caching support with Squid
Last modified: 2007-11-30 17:10:31 EST
From Bugzilla Helper:
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Description of problem:
To further simplify the use of squid with transparent proxying could there be
a flag added to /etc/sysconfig/squid:
Then when the squid init script starts up it checks this value and if
transparent proxy support is required it automatically runs this iptables
iptables -t nat -A PREROUTING -i $interface -p tcp --dport 80 -j REDIRECT --to-
Applies to all versions of squid (including the up and coming 3.0 release)
It seems that getsockopt(sock, SOL_IP, SO_ORIGINAL_DST, ...) do not return
original destination but redirected one. I use a small program to redirect
output and got this problem...
Sorry, I forgot, I'm using Fedora Core 4 with latest kernel (2.6.11-1.1369_FC4)
Same problem with kernel 2.6.12-1.1387_FC4.
Note the problem is a regression problem, not an RFE.
I updated to kernel 2.6.12-1.1398_FC4 with contain a fix for transparent proxy
and bridge however it do not fix this particular problem.
IMHO I think this would not be a good idea because in many times it will not be
added in the proper sequence in the PREROUTING chain, i.e. if the last rule of
the PREROUTING chain before squid is started is
itpables -t nat -A PREROUTING -j DROP
and using an -I rule to add the rule to the top of the chain could be equally
I think it can have more cons than pros so closing as WONTFIX.
Happily someone else fixed the problem in the kernel.