Re: [squid-users] NAT Lookup

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Wed, 01 Oct 2008 12:55:44 +1300

Dean, Barry wrote:
> Just searching the old Intermahweb again with my problem and found that Amos had replied to me some time ago and I missed it!!!:
>
>> Dean, Barry wrote:
>>
>>> OK. I have bodged up the IPInterception.cc file and added the line from /usr/include/sys/types.h to get it to compile.
>>>
>>> My change to add the error string has resulted in the error coming out as:
>>>
>>> clientNatLookup: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument
>>>
>>> I think we have a smoking gun here! It is starting to look like Squid is constructing the structure wrong that it is
>>> passing to the ipnat driver via the ioctl.
>>>
>>> How to debug this is the question...
>>>
>>> Thanks for the help so far.. I'll post my findings if I get a solution.
>>>
>> You may be right, there have been upgrades to interception recently that
>> are not tested in some NAT lookup methods.
>>
>> To debug you can either trace it live in a debugger, or thread debugs()
>> calls through the IPF section that display the parameter values.
>>
>> However, I'd like to be certain that anything to be merged is tested and
>> working on an unpatched kernel with working compilers.
>>
>> Amos
>
> In response...
>
> These NAT Lookup errors have occurred ever since we first installed squid on the box, before any patches.
>
> I have meticulously gone through the manual pages on this and checked each and every item. Unless there is something silly in the "me" and "peer" arguments to clientNatLookup() in IPInterception.cc the only problem I could see was that potentially the struct natLookup may have had garbage values for natLookup.nl_realip and natLookup.nl_realport, and the manual says these must be 0 before the ioctl.
>
> So I added a memset to clear it, tried the improved version and I still get the errors!
>
> Will these errors be affecting the way squid is working?
>
> How important is the NAT Lookup?

Well, it's key to whether Squid handles URLs like /index.php instead of
requiring http://example.com/index.php.

Other than URI handling it's only logged for administration purposes.
Squid uses its own outgoing IP and does independent destination DNS
lookups for security.

You might get fewer errors if you ensure the standard proxy port and the
intercept port are different. It will certainly cut down on the NAT
lookup load.

If it's not working in a current squid can you report a bug please with
the following info:
  - squid release(s) failing
  - OS type and version
  - IPF release version
  - what you've already tried (ie the memset), and what it did.

Thanks

Amos

-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
Received on Tue Sep 30 2008 - 23:55:59 MDT
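
The port separation suggested in the reply above, sketched as a squid.conf fragment. This is an added example, not configuration from the thread; the port numbers 3128 and 3129 are assumptions, and `transparent` is the http_port flag spelling used by the 2.7 and 3.0 releases named in the signature.

```conf
# Added example (not from the thread). Port numbers are assumed.

# Shared port: clients configured to use the proxy directly and
# connections redirected by NAT arrive on the same listener, so Squid
# attempts a NAT lookup for all of them. Directly connected clients
# have no NAT table entry to find.
#http_port 3128 transparent

# Separate ports: only the listener that receives NAT-redirected
# traffic carries the interception flag, so NAT lookups are attempted
# only there.

# Standard proxy port for clients configured to use the proxy.
http_port 3128

# Intercept port; the NAT redirect rule for port 80 targets this port.
http_port 3129 transparent
```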
