Re: Marking uncached packets with a netfilter mark value

2010-06-23 Thread Amos Jeffries
On Tue, 22 Jun 2010 12:26:02 +0100, Andrew Beverley wrote:
>> > I have done some initial scoping, but have discovered that in order to
>> > mark a packet using setsockopt(), the process needs to be run as root.
>> 
>> Are you sure it needs root and not just a suitable capability flag? From
>> what I can tell CAP_NET_ADMIN is sufficient.
> 
> You're right, it only needs CAP_NET_ADMIN. I've just hacked tools.cc to
> add that capability and it worked.
> 
> So, is the best way of implementing this to do the same as transparent
> proxying, and check whether the (proposed) marking option is enabled in
> squid.conf when executing restoreCapabilities? If the user has asked for
> packets to be marked, then CAP_NET_ADMIN will be retained. The mark
> would then be applied in comm.cc in a similar way to the TOS settings.
> 
> Andy

Cool.
 So, do you have a clear use-case we can add to the wiki and commit
message?

What do you think, for the config UI:
 qos_flows - adding an initial flag "tos"|"mark" which determines which
marking type is to be set. Followed by the current (or extended)
stream=value tags. Default to "tos" if missing for backward compatibility
 So we end up with:
   qos_flows tos parent-hit=0xA sibling-hit=0xB
   qos_flows mark local-miss=0x1

 The current src/ip/QosConfig.h fields may become a sub-struct of fields
if there is a double-up in wanting to label a stream with both TOS and
mark.

Amos
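
The two proposals in this message, worked through as an added example that is not part of the original thread and not Squid source: a parser for the suggested `qos_flows` syntax (optional leading "tos"|"mark", defaulting to "tos") whose result also answers the capability question, so CAP_NET_ADMIN would be retained only when a mark is configured. `QosFlows`, `parseQosFlows` and `needsNetAdmin` are hypothetical names, and the value limits (8-bit TOS, 32-bit mark) are assumptions.

```cpp
// Added illustration, not Squid source. QosFlows and parseQosFlows are hypothetical names.
#include <cstdint>
#include <iostream>
#include <map>
#include <sstream>
#include <stdexcept>
#include <string>

struct QosFlows {
    std::map<std::string, uint32_t> tos;   // stream name -> TOS byte
    std::map<std::string, uint32_t> mark;  // stream name -> netfilter mark
    // CAP_NET_ADMIN only needs to be retained if at least one mark is configured.
    bool needsNetAdmin() const { return !mark.empty(); }
};

// Parse the arguments of one qos_flows line into cfg; throws on malformed input.
// Stream names are not validated here (assumption: the caller knows the valid set).
void parseQosFlows(const std::string &args, QosFlows &cfg) {
    std::istringstream in(args);
    std::string tok;
    bool first = true, useMark = false;
    while (in >> tok) {
        const bool wasFirst = first;
        first = false;
        if (wasFirst && (tok == "tos" || tok == "mark")) {
            useMark = (tok == "mark");
            continue;
        }  // otherwise no type flag was given: stay on the "tos" default
        const std::size_t eq = tok.find('=');
        if (eq == std::string::npos || eq == 0 || eq + 1 == tok.size())
            throw std::invalid_argument("expected stream=value, got: " + tok);
        const std::string val = tok.substr(eq + 1);
        std::size_t used = 0;
        const unsigned long long v = std::stoull(val, &used, 0);  // base 0 accepts 0x..
        const unsigned long long max = useMark ? 0xFFFFFFFFULL : 0xFFULL;
        if (val[0] == '-' || used != val.size() || v > max)
            throw std::out_of_range("bad value in: " + tok);
        (useMark ? cfg.mark : cfg.tos)[tok.substr(0, eq)] = static_cast<uint32_t>(v);
    }
}

int main() {
    QosFlows cfg;  // the two lines proposed in the thread
    parseQosFlows("tos parent-hit=0xA sibling-hit=0xB", cfg);
    parseQosFlows("mark local-miss=0x1", cfg);
    std::cout << "retain CAP_NET_ADMIN: " << (cfg.needsNetAdmin() ? "yes" : "no") << "\n";
    return 0;
}
```

A configuration with only "tos" lines leaves `needsNetAdmin()` false, so the process could drop the capability as it does today.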


Re: Marking uncached packets with a netfilter mark value

2010-06-23 Thread Andrew Beverley
> > So, is the best way of implementing this to do the same as transparent
> > proxying, and check whether the (proposed) marking option is enabled in
> > squid.conf when executing restoreCapabilities? If the user has asked for
> > packets to be marked, then CAP_NET_ADMIN will be retained. The mark
> > would then be applied in comm.cc in a similar way to the TOS settings.
> > 
> > Andy
> 
> Cool.
>  So, do you have a clear use-case we can add to the wiki and commit
> message?

I'll send one through shortly (or should I add it myself?). Should it be
the same as the items in the Features list?

> What do you think, for the config UI:
>  qos_flows - adding an initial flag "tos"|"mark" which determines which
> marking type is to be set. Followed by the current (or extended)
> stream=value tags. Default to "tos" if missing for backward compatibility
>  So we end up with:
>    qos_flows tos parent-hit=0xA sibling-hit=0xB
>    qos_flows mark local-miss=0x1

I was thinking of a separate config option, but you're right, it makes
sense to put this in the same option.

>  The current src/ip/QosConfig.h fields may become a sub-struct of fields
> if there is a double-up in wanting to label a stream with both TOS and
> mark.

I can't see much requirement to do both, but I guess for completeness,
as it's technically possible it should be implemented.

I'd also like to implement a preserve-miss feature. However, in my
initial testing I was unable to retrieve the mark on the packet received
by Squid.

Andy




R: [squid-users] Squid NT compile

2010-06-23 Thread Guido Serassio
Hi,

Squid on Windows should work in transparent mode when the packet redirection is 
done from an external device like a firewall.
But I have never tested if the current 2.7 binaries work, the latest test was 
done using 2.6 binaries.

Regards

Guido Serassio
Acme Consulting S.r.l.
Microsoft Gold Certified Partner
VMware Professional Partner
Via Lucia Savarino, 110098 - Rivoli (TO) - ITALY
Tel. : +39.011.9530135   Fax. : +39.011.9781115
Email: guido.seras...@acmeconsulting.it
WWW: http://www.acmeconsulting.it


-----Original Message-----
From: Henrik Nordström [mailto:hen...@henriknordstrom.net]
Sent: Monday 21 June 2010 9.45
To: winet...@gmail.com
Cc: Squid Developers
Subject: Re: [squid-users] Squid NT compile

Sun 2010-06-20 at 19:03 +, winet...@gmail.com wrote:
> No wonder even with port mapping and redirection working, the transparent 
> proxy still not working. Where can I get or request one that compiled with 
> transparent proxy feature?

squid-dev is the best place to discuss this.

How does the redirection method you use present the original destination
address to the applications?

Regards
Henrik



Re: R: [squid-users] Squid NT compile

2010-06-23 Thread Henrik Nordström
Wed 2010-06-23 at 12:19 +0200, Guido Serassio wrote:

> Squid on Windows should work in transparent mode when the packet redirection 
> is done from an external device like a firewall.

2.7 may be a little picky about that, insisting on being able to get the
original destination ip.

A workaround may be to configure Squid as an accelerator for the whole
internet..

  http_port 80 accel vhost allow-direct

not sure if 2.7 has the allow-direct option.

Regards
Henrik



Caching of the POST messages

2010-06-23 Thread Sandeep Kuttal
Hi,

I am stuck with squid functionality in my research. Can anyone please help?

I am looking to change the Squid code a little bit to cache POST messages. The 
reason is that I am looking at mashups (Yahoo Pipes) and there I need to cache 
all the data going to and coming from the server. Most of the information of 
interest to me is in POST messages. I have posted my questions a couple of 
times; sometimes I have got responses, but sometimes not. I was trying to read 
the code, but it has poor documentation and hence is time consuming. Can 
somebody just suggest how to start with this, so that at least I get a 
direction? Thanks in advance for giving time to read the email.

Thanks
Sandeep

Build failed in Hudson: 3.HEAD-i386-opensolaris-SunStudioCc #293

2010-06-23 Thread noc
See 


Changes:

[Amos Jeffries ] Author: Sean Critica 

Bug 2903: does not send X-Client-Ip in ICAP respmod

[Automatic source maintenance ] SourceFormat Enforcement

--
[...truncated 4509 lines...]

Introduction

2010-06-23 Thread Chitresh Kakwani
Hi,

I'm Chitresh Kakwani from India. I'm a student pursuing masters in
computer science. I came across the following issue in squid :

I tried to configure squid proxy on my machine to use another squid
proxy(installed on another machine) as the parent proxy. The parent
proxy requires HTTP Digest authentication. My objective is to set up a
local proxy which deals with the parent proxy's authentication and
provides authentication free access to programs on my machine. But the
local proxy sends HTTP Basic authentication header in HTTP requests if
the following configuration directive is used :

cache_peer 192.168.10.1 parent 8080 0 no-query login=username:password

So the parent proxy returns an error TCP_MISS/407: Authentication
Required.

I would like to implement support for HTTP Digest authentication in
squid when it works in peer mode.


Regards,
Chitresh Kakwani