[squid-users] NAT Lookup

From: Dean, Barry <B.Dean_at_liverpool.ac.uk>
Date: Tue, 30 Sep 2008 15:54:49 +0100

Just searching the old Intermahweb again with my problem and found that Amos had replied to me some time ago and I missed it!!!:

> Dean, Barry wrote:
>
>> OK. I have bodged up the IPInterception.cc file and added the line from /usr/include/sys/types.h to get it to compile.
>>
>> My change to add the error string has resulted in the error coming out as:
>>
>> clientNatLookup: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument
>>
>> I think we have a smoking gun here! It is starting to look like Squid is constructing the structure wrong that it is
>> passing to the ipnat driver via the ioctl.
>>
>> How to debug this is the question...
>>
>> Thanks for the help so far.. I'll post my findings if I get a solution.
>>
>
>You may be right, there have been upgrades to interception recently that
>are not tested in some NAT lookup methods.
>
>To debug you can either trace it live in a debugger, or thread debugs()
>calls through the IPF section that display the parameter values.
>
>However, I'd like to be certain that anything to be merged is tested and
>working on an unpatched kernel with working compilers.
>
>Amos

In response...

These NAT Lookup errors have occurred ever since we first installed squid on the box, before any patches.

I have meticulously gone through the manual pages on this and checked each and every item. Unless there is something silly in the "me" and "peer" arguments to clientNatLookup() in IPInterception.cc the only problem I could see was that potentially the struct natLookup may have had garbage values for natLookup.nl_realip and natLookup.nl_realport, and the manual says these must be 0 before the ioctl.

So I added a memset to clear it, tried the improved version and I still get the errors!

Will these errors be affecting the way squid is working?

How important is the NAT Lookup?

We are having some problems at the moment that could be due to overfull NAT/IPF tables, so failures at the NAT level, or could be due to Squid failing to proxy a request..

Thanks for all the help.

---------------
Barry Dean
Networks Team
Computing Services Department
Web: http://pcwww.liv.ac.uk/~bvd/

---
Nice boy, but about as sharp as a sack of wet mice.
                -- Foghorn Leghorn
Received on Tue Sep 30 2008 - 14:55:00 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 01 2008 - 12:00:03 MDT