DawgG (l33t)
Joined: 17 Sep 2003, Posts: 866
Posted: Fri Jan 19, 2018 3:53 pm
Post subject: squid does not work in transparent mode on >4.14 [SOLVED]
Since this issue has caused me some trouble, I hope this might save somebody some work or trouble.
We run a separate network for wireless BYODs which is managed by a separate appliance (which allows traffic only with auth) and connected to the productive network by a NAT firewall. The NAT firewall mangles the packets directed to port 80 and sends them to a squid proxy listening in transparent mode. This setup ran happily for quite a while.
Some time ago users started reporting strange errors. I cannot exactly say when, but I suspect it started after an upgrade to kernel 4.12 or 4.14.
Users could log in but only get traffic on port 443 (and some other allowed ports which were not used); port 80 would immediately produce a connection reset. Testing of the appliance and the NAT firewall produced no results, so finally I checked the proxy.
netstat showed lots of connections to the NAT fw, but cache.log had lots of entries like this:
Code:
    2018/01/17 08:46:37 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=IP.OF.SQUID.PROXY:3128 remote=IP.OF.NAT.FW:36265 FD 46 flags=33: (2) No such file or directory
    2018/01/17 08:46:37 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=IP.OF.SQUID.PROXY:3128 remote=IP.OF.NAT.FW:36265 FD 46 flags=33
I was certain all configs had been thoroughly updated, but I checked again and found that the mandatory CONFIG_NETFILTER_XT_MATCH_SOCKET was not set. When I tried to set it, I found that this option does not exist in 4.14.
I downgraded to 4.9.76 (latest stable amd64 in portage), checked and set the relevant options, and now everything works as desired again.
_________________
DUMM KLICKT GUT.
Hu (Moderator)
Joined: 06 Mar 2007, Posts: 21595
Posted: Sat Jan 20, 2018 7:02 pm
Thank you for posting this warning. However, I don't understand why you consider it solved. You will eventually need to upgrade to a newer kernel, and your solution so far seems to be to freeze the system on the last known good kernel.
Looking at the Kconfig entry, I disagree that this option does not exist in 4.14.x. Perhaps it gained some new dependency that you did not enable, so it was hidden from you.
cat -n v4.14.13/net/netfilter/Kconfig:
    1452 config NETFILTER_XT_MATCH_SOCKET
    1453 	tristate '"socket" match support'
    1454 	depends on NETFILTER_XTABLES
    1455 	depends on NETFILTER_ADVANCED
    1456 	depends on IPV6 || IPV6=n
    1457 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
    1458 	depends on NF_SOCKET_IPV4
    1459 	depends on NF_SOCKET_IPV6
    1460 	select NF_DEFRAG_IPV4
    1461 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
    1462 	help
    1463 	  This option adds a `socket' match, which can be used to match
cat -n v4.9.76/net/netfilter/Kconfig:
    1408 config NETFILTER_XT_MATCH_SOCKET
    1409 	tristate '"socket" match support'
    1410 	depends on NETFILTER_XTABLES
    1411 	depends on NETFILTER_ADVANCED
    1412 	depends on !NF_CONNTRACK || NF_CONNTRACK
    1413 	depends on IPV6 || IPV6=n
    1414 	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
    1415 	select NF_DEFRAG_IPV4
    1416 	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
    1417 	help
    1418 	  This option adds a `socket' match, which can be used to match
DawgG (l33t)
Joined: 17 Sep 2003, Posts: 866
Posted: Sat Jan 20, 2018 7:46 pm
Post subject: [solved]
Well, thanks for insisting :wink:
You are right!
(I was using 4.14.8.)
With all the users off my back I managed to look through it with more time and found it.
It has a dep on NF_DEFRAG_IPV6, and since I do not use IPv6 (yet) I keep its config in the kernel to a minimum. This option was only selectable after setting NF_DEFRAG_IPV6 (and possibly some other IPv6 netfilter stuff).
I considered it solved because the users were getting what they expected again, but now it's really solved.
I'll remember this for the next kernel upgrade.
_________________
DUMM KLICKT GUT.
DawgG (l33t)
Joined: 17 Sep 2003, Posts: 866
Posted: Mon Feb 05, 2018 9:05 am
I re-checked again, and in a kernel upgrade (from a working 4.9.76-gentoo-r1 to linux-4.14.8-gentoo-r1 with make oldconfig) this option is silently ignored.
One needs at least:
Code:
    CONFIG_IPV6=y
    CONFIG_NF_TABLES=y
    CONFIG_NETFILTER_XTABLES=y
    -> CONFIG_NETFILTER_XT_MATCH_SOCKET=y <- this is what you need for squid
    CONFIG_NF_SOCKET_IPV4=y
    CONFIG_NF_TABLES_IPV4=y
    CONFIG_IP_NF_IPTABLES=y
    CONFIG_NF_DEFRAG_IPV6=y
    CONFIG_NF_SOCKET_IPV6=y
    CONFIG_NF_LOG_IPV6=y
    CONFIG_IP6_NF_IPTABLES=y
in addition to the other iptables/netfilter stuff.
(When I reboot the server in a year or so I will see if this *really* works; this was a dry run in order to check the config.)
_________________
DUMM KLICKT GUT.
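The option list above is the kind of thing `make oldconfig` drops without a word, so here is an added POSIX sh check (not from this thread or from squid) that verifies a kernel .config contains every option DawgG listed, reporting each one that is neither =y nor =m. The function names and the sample .config below are constructed for the example; the sample reproduces the thread's symptom (IPv6 netfilter deps missing, XT_MATCH_SOCKET silently unset).

```shell
#!/bin/sh
# Options DawgG listed as needed for squid's transparent mode (NAT/TPROXY
# ORIGINAL_DST lookup) on 4.14 kernels.
SQUID_TPROXY_OPTS="CONFIG_IPV6 CONFIG_NF_TABLES CONFIG_NETFILTER_XTABLES \
CONFIG_NETFILTER_XT_MATCH_SOCKET CONFIG_NF_SOCKET_IPV4 CONFIG_NF_TABLES_IPV4 \
CONFIG_IP_NF_IPTABLES CONFIG_NF_DEFRAG_IPV6 CONFIG_NF_SOCKET_IPV6 \
CONFIG_NF_LOG_IPV6 CONFIG_IP6_NF_IPTABLES"

# check_squid_kconfig <.config>: print "MISSING: CONFIG_X" for every option
# that is not built in (=y) or a module (=m); returns 1 if any is missing.
# A "# CONFIG_X is not set" line or no line at all both count as missing.
check_squid_kconfig() {
    cfg="$1"
    missing=0
    for opt in $SQUID_TPROXY_OPTS; do
        if ! grep -Eq "^${opt}=(y|m)$" "$cfg"; then
            echo "MISSING: $opt"
            missing=1
        fi
    done
    return $missing
}

# write_sample_config <path>: constructed .config fragment mimicking what
# "make oldconfig" left behind: IPv4 side complete, IPv6 netfilter deps off,
# so NETFILTER_XT_MATCH_SOCKET was dropped without any prompt.
write_sample_config() {
    cat > "$1" <<'EOF'
CONFIG_IPV6=y
CONFIG_NF_TABLES=y
CONFIG_NETFILTER_XTABLES=y
# CONFIG_NETFILTER_XT_MATCH_SOCKET is not set
CONFIG_NF_SOCKET_IPV4=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_IP_NF_IPTABLES=y
# CONFIG_NF_DEFRAG_IPV6 is not set
# CONFIG_NF_SOCKET_IPV6 is not set
CONFIG_NF_LOG_IPV6=y
CONFIG_IP6_NF_IPTABLES=y
EOF
}
```

For the running kernel, feed it the decompressed `/proc/config.gz` (e.g. `zcat /proc/config.gz > /tmp/cfg`), which exists only when CONFIG_IKCONFIG_PROC is enabled; otherwise point it at the matching /boot/config-* or /usr/src/linux/.config.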