Bug 435499 - Squid prevents transparent proxy to work
Summary: Squid prevents transparent proxy to work
Alias: None
Product: Fedora
Classification: Fedora
Component: squid
Version: rawhide
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Martin Nagy
QA Contact: Fedora Extras Quality Assurance
Keywords: Reopened
Depends On:
Reported: 2008-02-29 18:24 UTC by antonio montagnani
Modified: 2016-07-26 23:46 UTC

Clone Of:
Last Closed: 2008-05-13 15:25:47 UTC

Attachments
squid configuration file (153.58 KB, application/x-extension-conf)
2008-02-29 18:24 UTC, antonio montagnani
Patch that fixes the bug (3.66 KB, application/octet-stream)
2008-05-05 10:07 UTC, Alexandre Oliva

Description antonio montagnani 2008-02-29 18:24:45 UTC
Description of problem:

Squid doesn't work as expected if transparent proxy is enabled
Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. to start iptables and squid
2. try to connect from a network computer
Actual results:
no connection allowed

Expected results:
connection allowed as usual (it was working with previous release of squid..)

Additional info:

Comment 1 antonio montagnani 2008-02-29 18:24:45 UTC
Created attachment 296398
squid configuration file

Comment 2 antonio montagnani 2008-02-29 18:26:13 UTC
iptables configuration file
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
# Completed on Sun Nov 11 10:15:45 2007
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
:INPUT ACCEPT [50:6740]
:OUTPUT ACCEPT [41:6038]
# Completed on Sun Nov 11 10:15:45 2007
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
#:INPUT ACCEPT [50:6740]
#:FORWARD ACCEPT [90:4518]
#:OUTPUT ACCEPT [41:6038]
#end of original
#start of test
-A INPUT -i lo -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A INPUT -i eth0 -j ACCEPT

Comment 3 Martin Nagy 2008-03-13 10:42:41 UTC
I can't reproduce this. I tried almost exactly the same config as you, with the
exception of visible_hostname and that I used this line to define the acl:
acl localnet src
Other than that, our configurations are the same. The problem seems to lie in
iptables. Your :PREROUTING ACCEPT [0:0] suggests that there were actually no
packets that were accepted with that rule.
$ sudo iptables-save | /bin/grep REDIRECT 
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
$ sudo iptables -L -v -t nat | /bin/grep REDIRECT
   35  2100 REDIRECT   tcp  --  eth1   any     anywhere             anywhere   
        tcp dpt:http redir ports 3128 

Notice here that 35 packets were accepted by the redirect rule.
Since this is clearly not a squid bug, I'm closing this with the resolution of
NOTABUG. If you don't agree or still feel this is a squid bug, feel free to
reopen. Thanks.
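
The counter check described in comment 3, as an added example that is not part of the original thread: it classifies a nat-table listing by whether a REDIRECT rule to a given port exists and whether it has matched any packets. The function name `redirect_status` and the sample listings are constructed for illustration; port 3128 and the interface names are the ones quoted above.

```shell
#!/bin/sh
# Reads a listing on stdin, as produced by
#   iptables -t nat -L PREROUTING -v -n -x
# (-x prints exact counters, so "35K"-style abbreviations never appear).
# Prints "<status> <packets> <in-interfaces>" for REDIRECT rules to port $1:
#   missing   - no REDIRECT rule to that port is loaded
#   unmatched - the rule exists but no packet has hit it yet
#   matched   - the kernel has redirected packets to that port
redirect_status() {
    awk -v port="$1" '
        # Rule rows start with two numeric columns (pkts, bytes), then the target.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 == "REDIRECT" {
            # The destination port is in the trailing text: "redir ports 3128".
            for (i = 4; i + 2 <= NF; i++)
                if ($i == "redir" && $(i+1) == "ports" && $(i+2) == port) {
                    rules++; pkts += $1
                    ifaces = ifaces (ifaces == "" ? "" : ",") $6
                }
        }
        END {
            if (rules == 0)     print "missing 0 -"
            else if (pkts == 0) print "unmatched 0 " ifaces
            else                print "matched " pkts " " ifaces
        }'
}

# Constructed sample listings (not captured from a real host).
SAMPLE_MATCHED='Chain PREROUTING (policy ACCEPT 12 packets, 900 bytes)
    pkts      bytes target     prot opt in     out     source               destination
      35     2100 REDIRECT   tcp  --  eth1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'
SAMPLE_UNMATCHED='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128'
SAMPLE_MISSING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination'

for sample in "$SAMPLE_MATCHED" "$SAMPLE_UNMATCHED" "$SAMPLE_MISSING"; do
    printf '%s\n' "$sample" | redirect_status 3128
done
```

A `matched` result only shows that the kernel redirected packets to the port; it does not show that the proxy listening there handled them as intercepted traffic.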

Comment 4 antonio montagnani 2008-04-17 07:32:15 UTC
for me it is not closed:

I don't understand why with same configuration files for squid and iptables
squid-3.0.STABLE1-3.fc9 doesn't work and squid-3.0.STABLE1-2.fc9.i386 is o.k.

Comment 5 Martin Nagy 2008-04-17 22:11:44 UTC
Okay, let's reopen this, so it won't fall through the cracks.

Comment 6 Alexandre Oliva 2008-05-05 09:51:23 UTC
I've run into this myself.  I tried to find STABLE1-2.fc9 binaries to test but I
couldn't; so I built them myself, and they failed in just the same way.  This
points either at a compiler bug in building squid, or at some other change,
perhaps even in the kernel.

Comment 7 Alexandre Oliva 2008-05-05 10:07:58 UTC
Created attachment 304520
Patch that fixes the bug

The problem was that the kernel netfilter headers were detected as absent,
because they now use types that are not defined in userland headers included
before.  This patch is a bit of a hack, but it works for me, and it would be
quite desirable to have it in for Fedora 9.

Comment 8 Martin Nagy 2008-05-07 16:54:13 UTC
Antonio, can you test the proposed patch and tell me if it fixes your problem?
If you don't know how to apply the patch, let me know and I'll build you a test
rpm. If this'll fix the problem for you, I'll patch rawhide and request an
update for F9. Thanks.

Comment 9 antonio montagnani 2008-05-07 17:18:58 UTC
I think that it is safer for everybody to have a testing rpm from you :-) 
I can test immediately in the next five hours at home where F9 is running,
otherwise we must wait 24 hours as in my office the proxy is still running on F8


Comment 10 Martin Nagy 2008-05-07 18:20:58 UTC
Done. RPMS are here:
Please let me know about the results, thanks.

Comment 11 antonio montagnani 2008-05-07 20:37:18 UTC

It has been running fine for more than an hour.

Tnx for your RPM....

Comment 12 Alexandre Oliva 2008-05-08 02:26:00 UTC
Works for me as well.  Any chance this could make F9 gold?  Releasing it as an
update would cause a major headache for anyone who wants to install F9 on their
transparent proxies, for then the proxies themselves and any downstream machines
would be unable to get to the update in the first place.

Comment 13 Martin Nagy 2008-05-08 14:52:12 UTC
Fedora 9 should be out in 5 days, I don't think it is possible for this to make
it to F9.

Comment 14 antonio montagnani 2008-05-08 15:05:59 UTC
1) in my setup the transparent proxy should not have any problem, of course the
computer on the network will encounter problems, as they will not connect to the

2) a note should be included otherwise the network administrator will post bugs

Comment 15 Fedora Update System 2008-05-09 10:58:41 UTC
squid-3.0.STABLE2-3.fc9 has been submitted as an update for Fedora 9

Comment 16 Martin Nagy 2008-05-09 11:05:36 UTC
The update request for Fedora 9 is here:
This is now also fixed in squid-3.0.STABLE5-2.fc10
Antonio, thank you for your report and testing, and sorry for my
unresponsiveness on email.
Alexandre, thanks for patch!

Moving this into MODIFIED state, Bodhi should close this bug report
automatically once the update is out.

Comment 17 antonio montagnani 2008-05-09 11:37:22 UTC
Is it possible to add a comment in the release note for F9 about this update,
i.e. that transparent proxy wouldn't work if you don't immediately carry out an
update, that anyway should be automatically run at the next boot?

And also a warning that squid.conf of 2.6 has to be updated manually when
you upgrade to 3.0??? This if you run an upgrade from F8 to F9.....

Comment 18 Martin Nagy 2008-05-09 14:38:13 UTC
(In reply to comment #17)
Let me know if you'd like me to add something else in there, thanks.

Comment 19 Alexandre Oliva 2008-05-09 16:49:26 UTC
Heh.  It's just occurred to me that, with web-only release notes, people behind
a broken transparent proxy won't be able to read this beat.  Oh, the irony! ;-)

Comment 20 antonio montagnani 2008-05-09 16:52:10 UTC
Alexandre, my proxy computer is not proxied, so at least one computer on your
network should grab the notes :-)

Comment 21 Martin Nagy 2008-05-09 16:57:58 UTC
Well, the beat will be probably useless for people behind the proxy and more
important for people that administer squid and it should be accessible for them.
It's not that much big a deal :-) And usually, people update all packages right
after install, so this should only affect users just shortly after the release.
Oh right, and no one really reads the release notes either way :-)

Comment 22 Alexandre Oliva 2008-05-10 16:32:17 UTC
> And usually, people update all packages right after install

*if* they can get to the updates.  Now guess when I first ran into the problem?
 :-)  Right!  Right after installing the pre-release on my
firewall/gateway/web-proxy, when trying to install the updates.  Updates that
were funneled through the web proxy, no less, in order to avoid downloading them
multiple times for the proxy and every other machine behind it.

Oh well...  It's a dead horse anyway.

Comment 23 Fedora Update System 2008-05-13 15:20:28 UTC
squid-3.0.STABLE2-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
