Description of problem:
Squid doesn't work as expected if transparent proxy is enabled

Version-Release number of selected component (if applicable):
squid-3.0.STABLE1-3.fc9

How reproducible:
always

Steps to Reproduce:
1. start iptables and squid
2. try to connect from a network computer
3.

Actual results:
no connection allowed

Expected results:
connection allowed as usual (it was working with previous release of squid..)

Additional info:
Created attachment 296398: squid configuration file
iptables configuration file

# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
*nat
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.0.0/24 -o ppp0 -j MASQUERADE
# Forward HTTP connections to Squid proxy
-A PREROUTING -p tcp -m tcp -i eth0 --dport 80 -j REDIRECT --to-ports 3128
COMMIT
# Completed on Sun Nov 11 10:15:45 2007
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
*mangle
:PREROUTING ACCEPT [138:11158]
:INPUT ACCEPT [50:6740]
:FORWARD ACCEPT [88:4418]
:OUTPUT ACCEPT [41:6038]
:POSTROUTING ACCEPT [129:10456]
COMMIT
# Completed on Sun Nov 11 10:15:45 2007
# Generated by iptables-save v1.3.8 on Sun Nov 11 10:15:45 2007
*filter
#Original
#:INPUT ACCEPT [50:6740]
#:FORWARD ACCEPT [90:4518]
#:OUTPUT ACCEPT [41:6038]
#COMMIT
#end original
#start test
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -j ACCEPT
-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i eth0 -j ACCEPT
COMMIT
I can't reproduce this. I tried almost exactly the same config as you, with the exception of visible_hostname and that I used this line to define the acl:

acl localnet src 192.168.23.0/24

Other than that, our configurations are the same. The problem seems to lie in iptables. Your :PREROUTING ACCEPT [0:0] suggests that there were actually no packets that were accepted with that rule.

$ sudo iptables-save | /bin/grep REDIRECT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
$ sudo iptables -L -v -t nat | /bin/grep REDIRECT
   35  2100 REDIRECT   tcp  --  eth1   any     anywhere             anywhere            tcp dpt:http redir ports 3128

Notice here that 35 packets were accepted by the redirect rule. Since this is clearly not a squid bug, I'm closing this with the resolution of NOTABUG. If you don't agree or still feel this is a squid bug, feel free to reopen. Thanks.
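The counter check applied in the comment above, written out as an added example that is not part of the bug thread: a small shell helper (function names `redirect_packet_total` and `check_redirect_counters` are my own) that parses `iptables -L -v -t nat` output and reports whether any REDIRECT rule has actually matched packets. The two samples are constructed to mirror the working (35 packets) and failing (0 packets) cases discussed here.

```shell
# Sum the packet counters of every REDIRECT rule in `iptables -L -v -t nat`
# output read from stdin. Column layout of that output is:
#   pkts bytes target prot opt in out source destination ...
# so $1 is the packet count and $3 the target. Use `-x` on the live command
# so counters are printed exactly rather than abbreviated (e.g. "35K").
redirect_packet_total() {
    awk '$3 == "REDIRECT" { total += $1 } END { print total + 0 }'
}

# Return 0 if at least one REDIRECT rule has seen traffic, 1 otherwise.
# A zero total means port-80 traffic is not being diverted to the proxy port,
# which is the first thing to rule out before suspecting Squid itself.
check_redirect_counters() {
    total=$(redirect_packet_total)
    if [ "$total" -gt 0 ]; then
        echo "OK: $total packets matched REDIRECT rules in the nat table"
        return 0
    fi
    echo "WARNING: no packets matched any REDIRECT rule; nothing reaches the proxy port" >&2
    return 1
}

# Constructed sample: the healthy counters shown in the comment above.
SAMPLE_HIT='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
   35  2100 REDIRECT   tcp  --  eth1   any     anywhere             anywhere            tcp dpt:http redir ports 3128'

# Constructed sample: a rule that never matched, the symptom in the report.
SAMPLE_MISS='Chain PREROUTING (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http redir ports 3128'

# Live use on the gateway (needs root):
#   iptables -L -v -x -t nat | check_redirect_counters
printf '%s\n' "$SAMPLE_HIT"  | check_redirect_counters
printf '%s\n' "$SAMPLE_MISS" | check_redirect_counters || true
```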
For me it is not closed: I don't understand why, with the same configuration files for squid and iptables, squid-3.0.STABLE1-3.fc9 doesn't work and squid-3.0.STABLE1-2.fc9.i386 is o.k.
Okay, let's reopen this, so it won't fall through the cracks.
I've run into this myself. I tried to find STABLE1-2.fc9 binaries to test but I couldn't; so I built them myself, and they failed in just the same way. This points either at a compiler bug in building squid, or at some other change, perhaps even in the kernel.
Created attachment 304520: Patch that fixes the bug

The problem was that the kernel netfilter headers were detected as absent, because they now use types that are not defined in userland headers included before. This patch is a bit of a hack, but it works for me, and it would be quite desirable to have it in for Fedora 9.
Antonio, can you test the proposed patch and tell me if it fixes your problem? If you don't know how to apply the patch, let me know and I'll build you a test rpm. If this'll fix the problem for you, I'll patch rawhide and request an update for F9. Thanks.
I think that it is safer for everybody to have a testing rpm from you :-) I can test immediately in the next five hours at home where F9 is running, otherwise we must wait 24 hours as in my office the proxy is still running on F8. Tnx
Done. RPMS are here: http://mnagy.fedorapeople.org/squid_bug_435499/ Please let me know about the results, thanks.
Martin, it has been running fine for more than an hour. Tnx for your RPM....
Works for me as well. Any chance this could make F9 gold? Releasing it as an update would cause a major headache for anyone who wants to install F9 on their transparent proxies, for then the proxies themselves and any downstream machines would be unable to get to the update in the first place.
Fedora 9 should be out in 5 days, I don't think it is possible for this to make it to F9.
1) In my setup the transparent proxy should not have any problem; of course the computers on the network will encounter problems, as they will not connect to the Internet.
2) A note should be included, otherwise the network administrators will post bugs.
squid-3.0.STABLE2-3.fc9 has been submitted as an update for Fedora 9
The update request for Fedora 9 is here: https://admin.fedoraproject.org/updates/F9/pending/squid-3.0.STABLE2-3.fc9 This is now also fixed in squid-3.0.STABLE5-2.fc10. Antonio, thank you for your report and testing, and sorry for my unresponsiveness on email. Alexandre, thanks for the patch! Moving this into MODIFIED state, Bodhi should close this bug report automatically once the update is out.
Is it possible to add a comment in the release notes for F9 about this update, i.e. that the transparent proxy won't work if you don't immediately apply an update, which anyway should be run automatically at the next boot? And also a warning that the squid.conf of 2.6 has to be updated manually when you upgrade to 3.0? This if you run an upgrade from F8 to F9.....
(In reply to comment #17) Done: http://fedoraproject.org/wiki/Docs/Beats/WebServers Let me know if you'd like me to add something else in there, thanks.
Heh. It's just occurred to me that, with web-only release notes, people behind a broken transparent proxy won't be able to read this beat. Oh, the irony! ;-)
Alexandre, my proxy computer is not proxied, so at least one computer on your network should grab the notes :-)
Well, the beat will probably be useless for people behind the proxy and more important for people that administer squid, and it should be accessible for them. It's not that big a deal :-) And usually, people update all packages right after install, so this should only affect users just shortly after the release. Oh right, and no one really reads the release notes either way :-)
> And usually, people update all packages right after install

*if* they can get to the updates. Now guess when I first ran into the problem? :-) Right! Right after installing the pre-release on my firewall/gateway/web-proxy, when trying to install the updates. Updates that were funneled through the web proxy, no less, in order to avoid downloading them multiple times for the proxy and every other machine behind it. Oh well... It's a dead horse anyway.
squid-3.0.STABLE2-3.fc9 has been pushed to the Fedora 9 stable repository. If problems still persist, please make note of it in this bug report.