[squid-users] ipf transparent enabled, but squid says not supported

Stephen Borrill squid at borrill.org.uk
Fri May 29 14:52:12 UTC 2015


On 27/05/2015 16:52, James Lay wrote:
> On 2015-05-27 09:45 AM, Stephen Borrill wrote:
>> I have:
>> Squid Cache: Version 3.5.4
>> Service Name: squid
>> configure options:  '--sysconfdir=/usr/pkg/etc/squid'
>> '--localstatedir=/var/squid' '--datarootdir=/usr/pkg/share/squid'
>> '--disable-strict-error-checking' '--enable-auth'
>> '--enable-cachemgr-hostname=localhost' '--enable-delay-pools'
>> '--enable-icap-client' '--enable-icmp' '--enable-poll'
>> '--enable-removal-policies=lru,heap'
>> '--enable-storeio=ufs diskd' '--with-aio' '--with-default-user=squid'
>> '--with-pidfile=/var/run/squid.pid' '--disable-arch-native'
>> '--enable-ipf-transparent' '--enable-arp-acl' '--enable-carp'
>> '--disable-ipv6' '--without-mit-krb5' '--without-heimdal-krb5'
>> '--disable-snmp' '--enable-ssl' '--with-openssl=/usr/pkg'
>> '--enable-auth-basic=NCSA getpwnam PAM' '--enable-auth-digest=file'
>> '--disable-auth-negotiate' '--enable-auth-ntlm=fake smb_lm'
>> '--enable-external-acl-helpers=file_userip unix_group'
>> '--prefix=/usr/pkg' '--build=i486--netbsdelf'
>> '--host=i486--netbsdelf' '--mandir=/usr/pkg/man'
>> 'build_alias=i486--netbsdelf' 'host_alias=i486--netbsdelf'
>> 'CC=cc' 'CFLAGS=-O2 -I/usr/include -I/usr/pkg/include'
>> 'LDFLAGS=-L/usr/lib -Wl,-R/usr/lib -L/usr/pkg/lib -Wl,-R/usr/pkg/lib'
>> 'LIBS=' 'CPPFLAGS=-I/usr/include -I/usr/pkg/include'
>> 'CXX=c++' 'CXXFLAGS=-O2 -I/usr/include -I/usr/pkg/include'
>>
>> squid.conf contains:
>> http_port 127.0.0.1:8006 intercept name=port_8006
>>
>> Yet I see the following ev:
>> 2015/05/27 16:02:46 kid1| WARNING: transparent proxying not supported
>>
>> Same config works with earlier version of squid (3.4 and earlier).
>> What's changed?
>
> Look through your config.log...I experienced a similar thing and, upon
> running my ./configure line and watching it I saw I was missing a library.

This is down to two faults in configure:

1) If USE_SOLARIS_IPFILTER_MINOR_T_HACK is not needed, then configure 
still defines it, but with no value (i.e. confdefs.h has #define 
USE_SOLARIS_IPFILTER_MINOR_T_HACK ). All tests that use #if 
USE_SOLARIS_IPFILTER_MINOR_T_HACK will then fail.

My fix was to add squid_cv_broken_ipfilter_minor_t=0 as follows (note 
the message about netinet/ headers is also highly misleading):

         { $as_echo "$as_me:${as_lineno-$LINENO}: result: unable to make 
IPFilter work with netinet/ headers" >&5
$as_echo "unable to make IPFilter work with netinet/ headers" >&6; }
---->>        squid_cv_broken_ipfilter_minor_t=0

2) The tests for IPF headers no longer include net/if.h. Fix is to add:
#if HAVE_NET_IF_H
#include <net/if.h>
#endif

Patch to configure is:
@@ -38708,7 +38708,7 @@

          { $as_echo "$as_me:${as_lineno-$LINENO}: result: unable to 
make IPFilter work with netinet/ headers" >&5
  $as_echo "unable to make IPFilter work with netinet/ headers" >&6; }
-
+       squid_cv_broken_ipfilter_minor_t=0
  fi
  rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext

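Review bot: the added squid_cv_broken_ipfilter_minor_t=0 line sits in generated configure output (the surrounding $as_echo "$as_me:${as_lineno-$LINENO}: ..." lines are autoconf-emitted), so it will be lost the next time configure is regenerated. The assignment belongs in the autoconf source that produces this branch. It also covers only the branch that prints "unable to make IPFilter work with netinet/ headers"; every other exit from this test should leave the variable with an explicit 0 or 1 as well, so the macro is never defined with an empty value. The indentation of the new line does not match the neighbouring lines.
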
@@ -38751,6 +38751,9 @@
  #if HAVE_SYS_IOCCOM_H
  #include <sys/ioccom.h>
  #endif
+#if HAVE_NET_IF_H
+#include <net/if.h>
+#endif
  #if USE_SOLARIS_IPFILTER_MINOR_T_HACK
  #undef minor_t
  #endif
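
Review bot: the new #if HAVE_NET_IF_H guard only pulls in <net/if.h> if configure has already checked for that header and defined HAVE_NET_IF_H before this test program is compiled; if the header check runs later or not at all, the include is skipped silently and the IPF header test fails as before. Confirm the ordering, and note that this is again a change to generated configure, so the same three lines need to go into the autoconf source. Any other test program that includes the IPFilter headers needs the same include list to stay consistent with this one.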

-- 
Stephen
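
The first fault described above (a macro defined with no value and then tested with #if, which is a preprocessing error) can be checked for without a compiler. The script below is an added example, not part of the original post or of Squid's configure; its function names and the file contents it writes are constructed for illustration.

```shell
#!/bin/sh
# Added example; the file contents below are constructed, not Squid's real files.

# Names that a confdefs.h-style file ($1) defines with no value
# ("#define X", "#define X " or autoconf's "#define X /**/").
empty_defines() {
    awk '/^[ \t]*#[ \t]*define[ \t]+[A-Za-z_][A-Za-z0-9_]*[ \t]*(\/\*\*\/)?[ \t]*$/ {
        sub(/^[ \t]*#[ \t]*define[ \t]+/, "")
        sub(/[ \t].*$/, "")
        print
    }' "$1"
}

# Of those names, the ones a test program ($2) evaluates in #if/#elif.
# Uses inside defined(...) are ignored; #ifdef/#ifndef never match.
broken_if_tests() {
    for name in $(empty_defines "$1"); do
        sed -E -n '/^[[:space:]]*#[[:space:]]*(el)?if[[:space:]]/p' "$2" |
            sed -E "s/defined[[:space:]]*\\(?[[:space:]]*$name//g" |
            grep -Eq "(^|[^A-Za-z0-9_])$name([^A-Za-z0-9_]|\$)" && echo "$name"
    done
    return 0
}

demo_dir=$(mktemp -d)
# Constructed confdefs.h as described in the post (macro defined, no value).
printf '%s\n' '#define HAVE_NET_IF_H 1' \
    '#define USE_SOLARIS_IPFILTER_MINOR_T_HACK ' > "$demo_dir/confdefs.h"
# Constructed confdefs.h with an explicit value of 0.
printf '%s\n' '#define HAVE_NET_IF_H 1' \
    '#define USE_SOLARIS_IPFILTER_MINOR_T_HACK 0' > "$demo_dir/confdefs_fixed.h"
# Constructed test program using the guards shown in the patch.
printf '%s\n' '#if HAVE_NET_IF_H' '#include <net/if.h>' '#endif' \
    '#if USE_SOLARIS_IPFILTER_MINOR_T_HACK' '#undef minor_t' '#endif' \
    > "$demo_dir/conftest.c"

echo "empty define: $(broken_if_tests "$demo_dir/confdefs.h" "$demo_dir/conftest.c")"
echo "explicit 0:   $(broken_if_tests "$demo_dir/confdefs_fixed.h" "$demo_dir/conftest.c")"
```

Pointed at a real build tree, the first argument would be the confdefs.h content recorded in config.log and the second the failing test program that config.log prints after the compiler error.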