[squid-users] Squid versions and FreeBSD-10.1 headache

Amos Jeffries squid3 at treenet.co.nz
Fri Jan 23 16:08:52 UTC 2015 

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 24/01/2015 4:56 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 18:42, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
> 
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 24/01/2015 4:29 a.m., Odhiambo Washington wrote:
>>> On 23 January 2015 at 17:33, Amos Jeffries
>>> <squid3 at treenet.co.nz> wrote:
>> 
>> <snip>
>> 
>> 
>>> And the good news is that squid-3.5.1 is now allowing client
>>> PCs to browse. Thank you for that.
>>> 
>> 
>> Horray!
>> 
> 
> THANK YOU once again:)
> 
> 
>> 
>>> I still have issues to raise (though my small brain is now so 
>>> saturated):
>>> 
>>> 
>>> Here is what I use:
>>> 
>>> ./configure --prefix=/opt/squid35 \
>>> --enable-removal-policies="lru heap" \ --disable-epoll \
>>> --enable-auth \ --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI"
>>> \ --enable-external-acl-helpers="session unix_group
>>> file_userip" \ --enable-auth-negotiate="kerberos" \ 
>>> --with-pthreads \ --enable-storeio="ufs diskd rock aufs" \ 
>>> --enable-delay-pools \ --enable-snmp  \ --with-openssl=/usr \ 
>>> --enable-forw-via-db \ --enable-cache-digests \ --enable-wccpv2
>>> \ --enable-follow-x-forwarded-for \ --with-large-files \ 
>>> --enable-large-cache-files \ --enable-esi \ --enable-kqueue \ 
>>> --enable-icap-client \ --enable-kill-parent-hack \ --enable-ssl
>>> \ --enable-leakfinder \ --enable-ssl-crtd \ 
>>> --enable-url-rewrite-helpers \ --enable-xmalloc-statistics \ 
>>> --enable-stacktraces \ --enable-zph-qos \ --enable-eui \ 
>>> --with-nat-devpf \ --enable-pf-transparent \ 
>>> --enable-ipf-transparent
>>> 
>>> 
>>> It seems I have to remove --enable-ipf-transparent otherwise
>>> the build fails. I was thinking I could have both of 
>>> --enable-ipf-transparent and --enable-ipf-transparent so that I
>>> can be able to use either PF or IPFilter - whichever I want.
>>> 
>>> 
>>> Are those two mutually exclusive?
>> 
>> Thats a maybe. The original design was to enable that, but doing
>> so may repeat the issue you just resolved. From what I can tell
>> those two firewalls should be okay together on FreeBSD at this
>> point.
>> 
>>> When I have the two, the build fails with:
>>> 
>>> root at mail:/usr/home/wash/squid-3.5.1-20150120-r13736 # gmake
>>> Making all in compat gmake[1]: Entering directory 
>>> '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
>>> depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
>>> /bin/sh ../libtool --tag=CXX   --mode=compile clang++
>>> -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
>>> -I../include  -I/usr/include -I/usr/include  -I../libltdl
>>> -I/usr/include -I/usr/local/include/libxml2
>>> -I/usr/local/include/libxml2  -Werror -Qunused-arguments
>>> -D_REENTRANT -g -O2  -march=native -I/usr/local/include -MT
>>> assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc
>>> &&\ mv -f $depbase.Tpo $depbase.Plo libtool: compile:  clang++
>>> -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
>>> -I../include -I/usr/include -I/usr/include -I../libltdl 
>>> -I/usr/include -I/usr/local/include/libxml2 
>>> -I/usr/local/include/libxml2 -Werror -Qunused-arguments 
>>> -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT 
>>> assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc  -fPIC
>>> -DPIC -o .libs/assert.o In file included from assert.cc:9: In
>>> file included from ../include/squid.h:43:
>>> ../compat/compat.h:49:57: error: expected value in expression
>>> #if IPF_TRANSPARENT && USE_SOLARIS_IPFILTER_MINOR_T_HACK ^
>> 
>> Seems to be a bug in the autoconf detections. You can workaround
>> it for now by adding this to your option list:
>> 
>> CXXFLAGS="-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0"
>> 
>> (or if you unluckily hit build errors mentioning minor_t
>> re-definition try setting it to =1).
>> 
>> 
> I could be getting it all wrong, but there is where I end:
> 
> 
> 
> root at mail:/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736
> # env
> 
> <cut> CC=clang CXX=clang++ 
> CXXFLAGS=-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 </cut>
> 
> root at mail:/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736
> # gmake Making all in compat gmake[1]: Entering directory 
> '/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736/compat' 
> depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\ 
> /bin/sh ../libtool  --tag=CXX   --mode=compile clang++
> -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include
> -I/usr/include -I/usr/include  -I../libltdl -I/usr/include
> -I/usr/local/include/libxml2 -I/usr/local/include/libxml2  -Werror
> -Qunused-arguments  -D_REENTRANT 
> -DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 -march=native
> -I/usr/local/include -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o
> assert.lo assert.cc &&\ mv -f $depbase.Tpo $depbase.Plo libtool:
> compile:  clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib 
> -I../src -I../include -I/usr/include -I/usr/include -I../libltdl 
> -I/usr/include -I/usr/local/include/libxml2
> -I/usr/local/include/libxml2 -Werror -Qunused-arguments
> -D_REENTRANT -DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 -march=native
> -I/usr/local/include -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c
> assert.cc  -fPIC -DPIC -o .libs/assert.o In file included from
> assert.cc:9: In file included from ../include/squid.h:12: 
> ../include/autoconf.h:1431:9: error:
> 'USE_SOLARIS_IPFILTER_MINOR_T_HACK' macro redefined [-Werror] 
> #define USE_SOLARIS_IPFILTER_MINOR_T_HACK ^ <command line>:3:9:
> note: previous definition is here #define
> USE_SOLARIS_IPFILTER_MINOR_T_HACK 0 ^

(mutters)

> In file included from assert.cc:9: In file included from
> ../include/squid.h:43: ../compat/compat.h:49:57: error: expected
> value in expression #if IPF_TRANSPARENT &&
> USE_SOLARIS_IPFILTER_MINOR_T_HACK ^ 2 errors generated. 
> Makefile:921: recipe for target 'assert.lo' failed gmake[1]: ***
> [assert.lo] Error 1 gmake[1]: Leaving directory 
> '/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736/compat' 
> Makefile:567: recipe for target 'all-recursive' failed gmake: ***
> [all-recursive] Error 1
> 
> 
> 
> 
> 
> Plus I still have to ask:
> 
> --with-pf-transparent --with-nat-devpf works now as expected.
> 
> How about if I only had --enable-ipf-transparent ?? It means I
> would be stuck still?

Given the state of that macro definition, yes.

There are some other things on Solaris I had to fix for Yuri (who is
sponsoring those build fixes). I will put this on my list of thing to
check out and hopefully be able to point you at a new snapshot to work
with in a few days.

> 
> Is there a workaround for IPFilter on FreeBSD not to cause the
> loop?

The cause of the loop was wrong NAT lookup being done for PF. The
OpenBSD style PF which you were accidentally building used a different
system API which always returns wrong results on FreeBSD.

Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)

iQEcBAEBAgAGBQJUwnIUAAoJELJo5wb/XPRjQ1IIANnYk+6frClJG+YG8mdGqAn9
LDzDOqJXz2JPt8IM6mi66Q6+ykv/W00aQllq3VmA6oTqGs/fH6A6r6TrLXAnkv/n
77zKMo3VDO6z7It5w+IuK9X6FWSGOCVrNKZQWnwGstEpk6jpxE/wIyYHlUEJqdJi
d9Gnnek2/aZDdDYjmgdbJOu78qyuA2eXO2dzBluNgWlnRjdBCWGwlIDUKQky5Wf6
3HH+/n9eQ86EEsHL9gsfB6bJTIPBxcge9hkQWsYIapfBXj2+ynBDrVxnmPVc4y2/
xs204HYAvTO3KuNj2cJnYBl1IiJ+QnVHg43srVyeNNjpp3XQF0R3sLyJKe2Q6oU=
=G+4T
-----END PGP SIGNATURE-----

More information about the squid-users mailing list