Bug 435499 - Squid prevents transparent proxy to work
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: squid
Version: rawhide
Platform: i386 Linux
Priority: low, Severity: low
Assigned To: Martin Nagy
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-02-29 13:24 EST by antonio montagnani
Modified: 2016-07-26 19:46 EDT (History)
Doc Type: Bug Fix
Last Closed: 2008-05-13 11:25:47 EDT
Attachments:
squid configuration file (153.58 KB, application/x-extension-conf), 2008-02-29 13:24 EST, antonio montagnani
Patch that fixes the bug (3.66 KB, application/octet-stream), 2008-05-05 06:07 EDT, Alexandre Oliva
Description antonio montagnani 2008-02-29 13:24:45 EST
Description of problem:

Squid doesn't work as expected if transparent proxy is enabled
Version-Release number of selected component (if applicable):

squid-3.0.STABLE1-3.fc9
How reproducible:
always

Steps to Reproduce:
1. start iptables and squid
2. try to connect from a network computer
Actual results:
no connection allowed

Expected results:
connection allowed as usual (it was working with the previous release of squid)

Comment 1 antonio montagnani 2008-02-29 13:24:45 EST
Created attachment 296398
squid configuration file
Comment 2 antonio montagnani 2008-02-29 13:26:13 EST
iptables configuration file
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Sun Nov 11 10:15:45 2007
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
*mangle
:PREROUTING ACCEPT [138:11158]
:INPUT ACCEPT [50:6740]
:FORWARD ACCEPT [88:4418]
:OUTPUT ACCEPT [41:6038]
:POSTROUTING ACCEPT [129:10456]
COMMIT
# Completed on Sun Nov 11 10:15:45 2007
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
*filter
# Original
#:INPUT ACCEPT [50:6740]
#:FORWARD ACCEPT [90:4518]
#:OUTPUT ACCEPT [41:6038]
#COMMIT
# end original
# start trial
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT
Comment 3 Martin Nagy 2008-03-13 06:42:41 EDT
I can't reproduce this. I tried almost exactly the same config as you, with the
exception of visible_hostname and that I used this line to define the acl:
acl localnet src 192.168.23.0/24
Other than that, our configurations are the same. The problem seems to lie in
iptables. Your :PREROUTING ACCEPT [0:0] suggests that there were actually no
packets that were accepted with that rule.
$ sudo iptables-save | /bin/grep REDIRECT 
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128 
$ sudo iptables -L -v -t nat | /bin/grep REDIRECT
   35  2100 REDIRECT   tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http redir ports 3128

Notice here that 35 packets were accepted by the redirect rule.
Since this is clearly not a squid bug, I'm closing this with the resolution of
NOTABUG. If you don't agree or still feel this is a squid bug, feel free to
reopen. Thanks.
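The diagnostic Martin uses above (reading the packet counters on the REDIRECT rule) as an added, runnable check that is not part of this bug report: the function parses `iptables -L -v -t nat` output, here a constructed sample built from the counters quoted in comment 3, and distinguishes a rule that has matched traffic from one whose counters are still zero (traffic never reaches it, e.g. wrong interface) and from a missing rule.

```shell
#!/bin/sh
# Added example, not from the bug report: check whether the nat REDIRECT rule
# that sends port-80 traffic to Squid has actually matched any packets.

# Constructed sample of `iptables -L -v -t nat` output, using the counters
# quoted in comment 3 (35 packets, 2100 bytes, redirect to port 3128).
SAMPLE_NAT_LISTING='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  2100 REDIRECT   tcp  --  eth1   any     anywhere             anywhere             tcp dpt:http redir ports 3128'

# redirect_hits LISTING PORT
# Prints the packet counter of the REDIRECT rule whose "redir ports" is PORT,
# or "none" when no such rule exists in LISTING.
redirect_hits() {
    printf '%s\n' "$1" | awk -v port="$2" '
        $3 == "REDIRECT" && $0 ~ ("redir ports " port "$") { print $1; found = 1; exit }
        END { if (!found) print "none" }'
}

# check_redirect LISTING PORT
# Exit status: 0 = rule present and has matched packets,
#              1 = rule present but counters are zero (traffic never reaches it),
#              2 = no REDIRECT rule for PORT at all.
check_redirect() {
    hits=$(redirect_hits "$1" "$2")
    case "$hits" in
        none) return 2 ;;
        0)    return 1 ;;
        *)    return 0 ;;
    esac
}

# Live use on the gateway (needs root): check_redirect "$(iptables -L -v -t nat)" 3128
```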
Comment 4 antonio montagnani 2008-04-17 03:32:15 EDT
for me it is not closed:

I don't understand why with same configuration files for squid and iptables
squid-3.0.STABLE1-3.fc9 doesn't work and squid-3.0.STABLE1-2.fc9.i386 is o.k.
Comment 5 Martin Nagy 2008-04-17 18:11:44 EDT
Okay, let's reopen this, so it won't fall through the cracks.
Comment 6 Alexandre Oliva 2008-05-05 05:51:23 EDT
I've run into this myself.  I tried to find STABLE1-2.fc9 binaries to test but I
couldn't; so I built them myself, and they failed in just the same way.  This
points either at a compiler bug in building squid, or at some other change,
perhaps even in the kernel.
Comment 7 Alexandre Oliva 2008-05-05 06:07:58 EDT
Created attachment 304520
Patch that fixes the bug

The problem was that the kernel netfilter headers were detected as absent,
because they now use types that are not defined in userland headers included
before.  This patch is a bit of a hack, but it works for me, and it would be
quite desirable to have it in for Fedora 9.
Comment 8 Martin Nagy 2008-05-07 12:54:13 EDT
Antonio, can you test the proposed patch and tell me if it fixes your problem?
If you don't know how to apply the patch, let me know and I'll build you a test
rpm. If this'll fix the problem for you, I'll patch rawhide and request an
update for F9. Thanks.
Comment 9 antonio montagnani 2008-05-07 13:18:58 EDT
I think that it is safer for everybody to have a testing rpm from you :-) 
I can test immediately in the next five hours at home where F9 is running,
otherwise we must wait 24 hours as in my office the proxy is still running on F8

Tnx
Comment 10 Martin Nagy 2008-05-07 14:20:58 EDT
Done. RPMS are here:
http://mnagy.fedorapeople.org/squid_bug_435499/
Please let me know about the results, thanks.
Comment 11 antonio montagnani 2008-05-07 16:37:18 EDT
Martin

It has been running fine for more than an hour.

Tnx for your RPM....
Comment 12 Alexandre Oliva 2008-05-07 22:26:00 EDT
Works for me as well.  Any chance this could make F9 gold?  Releasing it as an
update would cause a major headache for anyone who wants to install F9 on their
transparent proxies, for then the proxies themselves and any downstream machines
would be unable to get to the update in the first place.
Comment 13 Martin Nagy 2008-05-08 10:52:12 EDT
Fedora 9 should be out in 5 days, I don't think it is possible for this to make
it to F9.
Comment 14 antonio montagnani 2008-05-08 11:05:59 EDT
1) in my setup the transparent proxy should not have any problem, of course the
computers on the network will encounter problems, as they will not connect to the
Internet.

2) a note should be included otherwise the network administrator will post bugs
Comment 15 Fedora Update System 2008-05-09 06:58:41 EDT
squid-3.0.STABLE2-3.fc9 has been submitted as an update for Fedora 9
Comment 16 Martin Nagy 2008-05-09 07:05:36 EDT
The update request for Fedora 9 is here:
https://admin.fedoraproject.org/updates/F9/pending/squid-3.0.STABLE2-3.fc9
This is now also fixed in squid-3.0.STABLE5-2.fc10
Antonio, thank you for your report and testing, and sorry for my
unresponsiveness on email.
Alexandre, thanks for patch!

Moving this into MODIFIED state, Bodhi should close this bug report
automatically once the update is out.
Comment 17 antonio montagnani 2008-05-09 07:37:22 EDT
Is it possible to add a comment in the release note for F9 about this update,
i.e. that transparent proxy wouldn't work if you don't carry out the update
immediately, which anyway should be automatically run at the next boot?

And also a warning that squid.conf of 2.6 has to be updated manually when
you upgrade to 3.0? This if you run an upgrade from F8 to F9.
Comment 18 Martin Nagy 2008-05-09 10:38:13 EDT
(In reply to comment #17)
Done:
http://fedoraproject.org/wiki/Docs/Beats/WebServers
Let me know if you'd like me to add something else in there, thanks.
Comment 19 Alexandre Oliva 2008-05-09 12:49:26 EDT
Heh.  It's just occurred to me that, with web-only release notes, people behind
a broken transparent proxy won't be able to read this beat.  Oh, the irony! ;-)
Comment 20 antonio montagnani 2008-05-09 12:52:10 EDT
Alexandre, my proxy computer is not proxied, so at least one computer on your
network should grab the notes :-)
Comment 21 Martin Nagy 2008-05-09 12:57:58 EDT
Well, the beat will be probably useless for people behind the proxy and more
important for people that administer squid and it should be accessible for them.
It's not that much big a deal :-) And usually, people update all packages right
after install, so this should only affect users just shortly after the release.
Oh right, and no one really reads the release notes either way :-)
Comment 22 Alexandre Oliva 2008-05-10 12:32:17 EDT
> And usually, people update all packages right after install

*if* they can get to the updates.  Now guess when I first ran into the problem?
 :-)  Right!  Right after installing the pre-release on my
firewall/gateway/web-proxy, when trying to install the updates.  Updates that
were funneled through the web proxy, no less, in order to avoid downloading them
multiple times for the proxy and every other machine behind it.

Oh well...  It's a dead horse anyway.
Comment 23 Fedora Update System 2008-05-13 11:20:28 EDT
squid-3.0.STABLE2-3.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
