RE: squid3HEAD/TPROXY: interception log entries

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 24 Jul 2008 17:05:15 +1200 (NZST)

>
> I should have added some specifics...here are the log items in
> cache.log:
>
> 2008/07/23 13:35:34| IPInterception.cc(171) NetfilterTransparent: NF
> getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
> 2008/07/23 13:36:37| IPInterception.cc(137) NetfilterInterception: NF
> getsockopt(SO_ORIGINAL_DST) failed: (11) Resource temporarily
> unavailable

These can often be cleared up by correct use of 'intercept' and 'tproxy'
options in http_port. The old 'transparent' option is deprecated and will,
to be backward-compatible, turn both on when often only one lookup type is
needed on that port.

>
> ....and occasionally the client browser sees an error page from squid
> stating a connection to the server failed, and the system returns a
> "(99) Cannot assign requested address"

This may be related to the above. If a tproxy receiving port is also used
for DNAT/REDIRECT reception the tproxy kernel sub-system may not have
records to correctly handle the apparent client address.

The getsockopt() failures should not be a problem, just annoying.
The assign failure may be a problem. Squid will use its normal outgoing
address I think in those cases. But I'm not certain on the network routing
behavior when transparent squid becomes visible.

To solve both of the above, I recommend using separate http_port's to
receive each type of traffic and setting specific 'intercept' or 'tproxy'
options to match the expected traffic types.

Amos

>
> -----Original Message-----
> From: Ritter, Nicholas
> Sent: Wednesday, July 23, 2008 1:18 PM
> To: 'squid-dev_at_squid-cache.org'
> Subject: squid3HEAD/TPROXY: interception log entries
>
> I have successfully set up squid-3.HEAD-20080721 on CentOS 5.2 with
> iptables 1.4.0, linux 2.6.25.11,
> tproxy-kernel-2.6.25-20080519-165031-1211208631, and
> tproxy-iptables-1.4.0-20080521-113954-1211362794.patch; all with WCCP
> support.
>
> I have to say that you guys are amazing as this software is working very
> nicely.
>
> I noticed that cache.log is showing IPInterception.cc(137) and
> IPInterception.cc(171) errors with NetfilterInterception. I did a search
> of the listserv and saw someone else comment on this, but no solutions
> (I think.) Is there anything I can do to help facilitate the solution of
> this log entry/error?
>
> Nicholas
>
Received on Thu Jul 24 2008 - 05:05:19 MDT
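
Added example (not part of the original thread and not Squid project code): a small Python check for the advice in the reply above, flagging http_port lines that still use the deprecated 'transparent' option or that combine 'intercept' and 'tproxy' on one port. The sample squid.conf text, port numbers and function names are constructed for illustration.

```python
# Interception-related http_port options named in the thread.
LOOKUP_OPTS = {"intercept", "tproxy", "transparent"}

# Constructed sample config, not taken from the thread.
SAMPLE_CONF = """\
# forward proxy plus assorted interception ports
http_port 3128
http_port 3129 transparent
http_port 3130 intercept tproxy
http_port 3131 intercept
http_port 3132 tproxy
"""


def parse_http_ports(conf_text):
    """Return (lineno, port_spec, interception_options) for each http_port line."""
    ports = []
    for lineno, raw in enumerate(conf_text.splitlines(), 1):
        # Simplification: treat everything after '#' as a comment.
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] != "http_port":
            continue
        opts = {f for f in fields[2:] if f in LOOKUP_OPTS}
        ports.append((lineno, fields[1], opts))
    return ports


def lint_http_ports(conf_text):
    """Flag ports where more than one lookup type would be attempted."""
    findings = []
    for lineno, spec, opts in parse_http_ports(conf_text):
        if "transparent" in opts:
            findings.append((lineno, spec,
                             "deprecated 'transparent' turns both lookups on; "
                             "use 'intercept' or 'tproxy'"))
        if {"intercept", "tproxy"} <= opts:
            findings.append((lineno, spec,
                             "'intercept' and 'tproxy' on one port; "
                             "use a separate http_port for each"))
    return findings


if __name__ == "__main__":
    for lineno, spec, msg in lint_http_ports(SAMPLE_CONF):
        print(f"line {lineno}: http_port {spec}: {msg}")
```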
