[squid-users] Squid versions and FreeBSD-10.1 headache
Amos Jeffries
squid3 at treenet.co.nz
Fri Jan 23 16:08:52 UTC 2015
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 24/01/2015 4:56 a.m., Odhiambo Washington wrote:
> On 23 January 2015 at 18:42, Amos Jeffries <squid3 at treenet.co.nz>
> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 24/01/2015 4:29 a.m., Odhiambo Washington wrote:
>>> On 23 January 2015 at 17:33, Amos Jeffries
>>> <squid3 at treenet.co.nz> wrote:
>>
>> <snip>
>>
>>
>>> And the good news is that squid-3.5.1 is now allowing client
>>> PCs to browse. Thank you for that.
>>>
>>
>> Horray!
>>
>
> THANK YOU once again:)
>
>
>>
>>> I still have issues to raise (though my small brain is now so
>>> saturated):
>>>
>>>
>>> Here is what I use:
>>>
>>> ./configure --prefix=/opt/squid35 \
>>> --enable-removal-policies="lru heap" \ --disable-epoll \
>>> --enable-auth \ --enable-auth-basic="DB NCSA PAM PAM POP3 SSPI"
>>> \ --enable-external-acl-helpers="session unix_group
>>> file_userip" \ --enable-auth-negotiate="kerberos" \
>>> --with-pthreads \ --enable-storeio="ufs diskd rock aufs" \
>>> --enable-delay-pools \ --enable-snmp \ --with-openssl=/usr \
>>> --enable-forw-via-db \ --enable-cache-digests \ --enable-wccpv2
>>> \ --enable-follow-x-forwarded-for \ --with-large-files \
>>> --enable-large-cache-files \ --enable-esi \ --enable-kqueue \
>>> --enable-icap-client \ --enable-kill-parent-hack \ --enable-ssl
>>> \ --enable-leakfinder \ --enable-ssl-crtd \
>>> --enable-url-rewrite-helpers \ --enable-xmalloc-statistics \
>>> --enable-stacktraces \ --enable-zph-qos \ --enable-eui \
>>> --with-nat-devpf \ --enable-pf-transparent \
>>> --enable-ipf-transparent
>>>
>>>
>>> It seems I have to remove --enable-ipf-transparent otherwise
>>> the build fails. I was thinking I could have both of
>>> --enable-ipf-transparent and --enable-ipf-transparent so that I
>>> can be able to use either PF or IPFilter - whichever I want.
>>>
>>>
>>> Are those two mutually exclusive?
>>
>> Thats a maybe. The original design was to enable that, but doing
>> so may repeat the issue you just resolved. From what I can tell
>> those two firewalls should be okay together on FreeBSD at this
>> point.
>>
>>> When I have the two, the build fails with:
>>>
>>> root at mail:/usr/home/wash/squid-3.5.1-20150120-r13736 # gmake
>>> Making all in compat gmake[1]: Entering directory
>>> '/usr/home/wash/squid-3.5.1-20150120-r13736/compat'
>>> depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
>>> /bin/sh ../libtool --tag=CXX --mode=compile clang++
>>> -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
>>> -I../include -I/usr/include -I/usr/include -I../libltdl
>>> -I/usr/include -I/usr/local/include/libxml2
>>> -I/usr/local/include/libxml2 -Werror -Qunused-arguments
>>> -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT
>>> assert.lo -MD -MP -MF $depbase.Tpo -c -o assert.lo assert.cc
>>> &&\ mv -f $depbase.Tpo $depbase.Plo libtool: compile: clang++
>>> -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src
>>> -I../include -I/usr/include -I/usr/include -I../libltdl
>>> -I/usr/include -I/usr/local/include/libxml2
>>> -I/usr/local/include/libxml2 -Werror -Qunused-arguments
>>> -D_REENTRANT -g -O2 -march=native -I/usr/local/include -MT
>>> assert.lo -MD -MP -MF .deps/assert.Tpo -c assert.cc -fPIC
>>> -DPIC -o .libs/assert.o In file included from assert.cc:9: In
>>> file included from ../include/squid.h:43:
>>> ../compat/compat.h:49:57: error: expected value in expression
>>> #if IPF_TRANSPARENT && USE_SOLARIS_IPFILTER_MINOR_T_HACK ^
>>
>> Seems to be a bug in the autoconf detections. You can workaround
>> it for now by adding this to your option list:
>>
>> CXXFLAGS="-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0"
>>
>> (or if you unluckily hit build errors mentioning minor_t
>> re-definition try setting it to =1).
>>
>>
> I could be getting it all wrong, but there is where I end:
>
>
>
> root at mail:/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736
> # env
>
> <cut> CC=clang CXX=clang++
> CXXFLAGS=-DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 </cut>
>
> root at mail:/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736
> # gmake Making all in compat gmake[1]: Entering directory
> '/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736/compat'
> depbase=`echo assert.lo | sed 's|[^/]*$|.deps/&|;s|\.lo$||'`;\
> /bin/sh ../libtool --tag=CXX --mode=compile clang++
> -DHAVE_CONFIG_H -I.. -I../include -I../lib -I../src -I../include
> -I/usr/include -I/usr/include -I../libltdl -I/usr/include
> -I/usr/local/include/libxml2 -I/usr/local/include/libxml2 -Werror
> -Qunused-arguments -D_REENTRANT
> -DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 -march=native
> -I/usr/local/include -MT assert.lo -MD -MP -MF $depbase.Tpo -c -o
> assert.lo assert.cc &&\ mv -f $depbase.Tpo $depbase.Plo libtool:
> compile: clang++ -DHAVE_CONFIG_H -I.. -I../include -I../lib
> -I../src -I../include -I/usr/include -I/usr/include -I../libltdl
> -I/usr/include -I/usr/local/include/libxml2
> -I/usr/local/include/libxml2 -Werror -Qunused-arguments
> -D_REENTRANT -DUSE_SOLARIS_IPFILTER_MINOR_T_HACK=0 -march=native
> -I/usr/local/include -MT assert.lo -MD -MP -MF .deps/assert.Tpo -c
> assert.cc -fPIC -DPIC -o .libs/assert.o In file included from
> assert.cc:9: In file included from ../include/squid.h:12:
> ../include/autoconf.h:1431:9: error:
> 'USE_SOLARIS_IPFILTER_MINOR_T_HACK' macro redefined [-Werror]
> #define USE_SOLARIS_IPFILTER_MINOR_T_HACK ^ <command line>:3:9:
> note: previous definition is here #define
> USE_SOLARIS_IPFILTER_MINOR_T_HACK 0 ^
(mutters)
> In file included from assert.cc:9: In file included from
> ../include/squid.h:43: ../compat/compat.h:49:57: error: expected
> value in expression #if IPF_TRANSPARENT &&
> USE_SOLARIS_IPFILTER_MINOR_T_HACK ^ 2 errors generated.
> Makefile:921: recipe for target 'assert.lo' failed gmake[1]: ***
> [assert.lo] Error 1 gmake[1]: Leaving directory
> '/usr/home/wash/ILI/Squid/3.5/squid-3.5.1-20150120-r13736/compat'
> Makefile:567: recipe for target 'all-recursive' failed gmake: ***
> [all-recursive] Error 1
>
>
>
>
>
> Plus I still have to ask:
>
> --with-pf-transparent --with-nat-devpf works now as expected.
>
> How about if I only had --enable-ipf-transparent ?? It means I
> would be stuck still?
Given the state of that macro definition, yes.
There are some other things on Solaris I had to fix for Yuri (who is
sponsoring those build fixes). I will put this on my list of thing to
check out and hopefully be able to point you at a new snapshot to work
with in a few days.
>
> Is there a workaround for IPFilter on FreeBSD not to cause the
> loop?
The cause of the loop was wrong NAT lookup being done for PF. The
OpenBSD style PF which you were accidentally building used a different
system API which always returns wrong results on FreeBSD.
Amos
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (MingW32)
iQEcBAEBAgAGBQJUwnIUAAoJELJo5wb/XPRjQ1IIANnYk+6frClJG+YG8mdGqAn9
LDzDOqJXz2JPt8IM6mi66Q6+ykv/W00aQllq3VmA6oTqGs/fH6A6r6TrLXAnkv/n
77zKMo3VDO6z7It5w+IuK9X6FWSGOCVrNKZQWnwGstEpk6jpxE/wIyYHlUEJqdJi
d9Gnnek2/aZDdDYjmgdbJOu78qyuA2eXO2dzBluNgWlnRjdBCWGwlIDUKQky5Wf6
3HH+/n9eQ86EEsHL9gsfB6bJTIPBxcge9hkQWsYIapfBXj2+ynBDrVxnmPVc4y2/
xs204HYAvTO3KuNj2cJnYBl1IiJ+QnVHg43srVyeNNjpp3XQF0R3sLyJKe2Q6oU=
=G+4T
-----END PGP SIGNATURE-----
More information about the squid-users
mailing list