I installed www/squid with TP_PF (transparent proxy on packet filter) in a jail of my FreeBSD router machine. When I tried to connect to a certain external web server, it showed a log like the following in access.log, and my browser got an access denied error:

| 2014/09/20 21:34:06 kid1| WARNING: Forwarding loop detected for:
| GET / HTTP/1.1
| Host: www.example.com
| Accept: application/json, text/javascript, */*; q=0.01
| User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.120 Safari/537.36
| X-Chrome-UMA-Enabled: 1
| Accept-Encoding: gzip,deflate,sdch
| Accept-Language: ja,en-US;q=0.8,en;q=0.6
| Via: 1.1 example.example.org (squid/3.4.8)
| X-Forwarded-For: 172.16.0.1
| Cache-Control: max-age=0
| Connection: keep-alive

What is your env?
FreeBSD 10.0-STABLE r268457

How to repeat?
My "router" FreeBSD machine has two network cards: one is for the internal network, and the other is for the external network. The steps are as follows:

1. Install www/squid in a jail from ports. Don't forget to set TP_PF (Transparent proxy with packet filter).
2. Configure squid.conf to listen on 8080 with the intercept option:
| http_port 8080 intercept
3. Configure pf.conf to redirect connections on the internal network interface, from the internal network to external network port 80, to squid, like:
| rdr pass on $int_if inet proto tcp from $internal_net to ! <int_and_dmz> port http -> $squid port 8080

Then you will see the same issue written above.

As far as I checked with the sockstat command, squid seems to have tried to connect to its own port 8080. I did not investigate why it tried to connect to that port, though.

Workaround?
Workaround 1: do not use the transparent proxy. If I connect to squid not as a transparent proxy, i.e. set the HTTP proxy host and port in each browser, it works. However, it is very annoying.
Workaround 2: use www/squid33 instead of www/squid. If I use www/squid33, I do not see the issue. However, it will be removed next January.
| DEPRECATED= Reached EOL on 28 August 2014, use www/squid (v3.4) instead
| EXPIRATION_DATE=2015-01-31

When I roughly compared www/squid33 and www/squid, I noticed that www/squid does not use /dev/pf. According to work/squid-3.4.8/src/ip/Intercept.cc, it seems that USE_NAT_DEVPF should be defined to use /dev/pf in www/squid.
How to fix?
Add --with-nat-devpf at configure time. I know this patch should only be used when TP_PF is enabled, but when I changed the www/squid Makefile like this, the transparent proxy looks to be working.

--- Makefile.bak 2014-09-19 00:22:37.000000000 +0900
+++ Makefile 2014-09-22 00:09:35.952872265 +0900
@@ -176,7 +176,8 @@
 --disable-epoll \
 --disable-linux-netfilter \
 --disable-linux-tproxy \
- --disable-translation
+ --disable-translation \
+ --with-nat-devpf
 .include <bsd.port.options.mk>

Not having --with-nat-devpf may be useful where /dev/pf is not available, but it looks like it is not working inside a jail. Can you make --with-nat-devpf configurable with "make config"? Or, can you add --with-nat-devpf when TP_PF is enabled? Thank you in advance,
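Review bot: the added --with-nat-devpf in this hunk is unconditional, so it also applies to builds where the TP_PF option is off and to hosts without /dev/pf, which the report itself names as the case where leaving it out is useful; tie it to the option in the options section instead (for example a TP_PF_CONFIGURE_ON= --with-nat-devpf line) rather than appending it to the base configure argument list. The trailing backslash added to the --disable-translation line is required for the continuation and is correct.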
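Two checks a practitioner would want when chasing this report, as an added example that is not part of the bug report or of the squid port: a small POSIX sh script that scans squid log text for "Forwarding loop detected" warnings, lists the destination hosts involved, tests whether the proxy's own visible hostname appears in the dumped Via header (the sign that squid reached its own intercept port, as the report observed with sockstat), and checks a `squid -v` banner for the --with-nat-devpf option that lets squid recover the original destination through /dev/pf. The log lines and the `squid -v` output embedded below are constructed samples modelled on the lines quoted above; the hostname example.example.org is taken from the report's Via header.

```shell
#!/bin/sh
# Added example (not from the bug report): inspect squid log text for
# forwarding-loop warnings and report whether the local proxy is forwarding
# to itself; also check a `squid -v` banner for the /dev/pf NAT lookup option.

# Constructed sample log, modelled on the lines quoted in the report.
SAMPLE_LOG='2014/09/20 21:34:06 kid1| WARNING: Forwarding loop detected for:
GET / HTTP/1.1
Host: www.example.com
Via: 1.1 example.example.org (squid/3.4.8)
X-Forwarded-For: 172.16.0.1
2014/09/20 21:35:10 kid1| WARNING: Forwarding loop detected for:
GET /index.html HTTP/1.1
Host: www.example.com
Via: 1.1 example.example.org (squid/3.4.8)
2014/09/20 21:36:00 kid1| Starting Squid Cache version 3.4.8'

# Constructed sample of the "configure options:" banner printed by `squid -v`.
SAMPLE_SQUID_V="Squid Cache: Version 3.4.8
configure options:  '--with-default-user=squid' '--enable-pf-transparent' '--with-nat-devpf'"

# count_loops LOGTEXT: number of forwarding-loop warnings in the text.
count_loops() {
    printf '%s\n' "$1" | grep -c 'Forwarding loop detected' || true
}

# loop_hosts LOGTEXT: prints "count host" for each Host: header found inside a
# loop warning. Squid dumps the request headers after the warning line; the
# next line starting with a YYYY/MM/DD timestamp ends that dump.
loop_hosts() {
    printf '%s\n' "$1" | awk '
        /Forwarding loop detected/ { inloop = 1; next }
        /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { inloop = 0 }
        inloop && /^Host: / { sub(/^Host: /, ""); n[$0]++ }
        END { for (h in n) printf "%d %s\n", n[h], h }
    ' | sort -rn
}

# loop_is_self LOGTEXT HOSTNAME: succeeds when the Via header of a looped
# request names HOSTNAME (the local visible_hostname), i.e. the request came
# back through this same proxy rather than from an upstream peer.
loop_is_self() {
    printf '%s\n' "$1" | awk -v me="$2" '
        /Forwarding loop detected/ { inloop = 1; next }
        /^[0-9][0-9][0-9][0-9]\/[0-9][0-9]\/[0-9][0-9] / { inloop = 0 }
        inloop && /^Via: / && index($0, me) > 0 { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

# has_nat_devpf SQUID_V_OUTPUT: succeeds when the build banner lists
# --with-nat-devpf, the option the report asks the port to enable for TP_PF.
has_nat_devpf() {
    printf '%s\n' "$1" | grep -q -- '--with-nat-devpf'
}

# Stand-alone run on the constructed samples. On a real system, feed the
# contents of your cache.log and the output of `squid -v` instead.
echo "loop warnings: $(count_loops "$SAMPLE_LOG")"
loop_hosts "$SAMPLE_LOG"
if loop_is_self "$SAMPLE_LOG" example.example.org; then
    echo "proxy example.example.org is forwarding to itself"
fi
if has_nat_devpf "$SAMPLE_SQUID_V"; then
    echo "squid built with --with-nat-devpf"
else
    echo "squid built without --with-nat-devpf"
fi
```

The Via check is the same signal squid itself uses to raise the warning; running it over a log after rebuilding the port tells you whether the loop went away or merely stopped being logged, and the banner check confirms which build is actually installed in the jail.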
Hi, in r368596, on Fri Sep 19, I committed a change to the squid port which should fix this issue; it adds the configure option you are asking for when the TP_PF option is selected. Are you using the squid port from before or after that? Can you test after updating your ports collection and report back?
I am using the latest squid port, updated with "portsnap fetch update". Anyway, the issue seems to be fixed with the latest ports. Thank you for the quick fix.
Already fixed in r368596. Thanks.