[squid-users] Having issues getting Squid 3.HEAD (March7) + TPROXY + Brouting working -- anyone see what's wrong?

From: Jim Binder <jbinder_at_cyphort.com>
Date: Sun, 13 Mar 2011 11:15:07 -0700

I'm trying to set up Squid 3.HEAD (3.2.x) in fully transparent mode with brouting (ebtables) but never see the SYN request coming into Squid. Anyone see what I'm missing?

I started with Fedora 14 but read there could be issues with the kernel, so I dropped back to FC 12 to get:
        Linux fw01.localdomain 2.6.31.5-127.fc12.i686.PAE #1 SMP Sat Nov 7 21:25:57 EST 2009 i686 i686 i386 GNU/Linux

My system config is as follows:

I have three interfaces on the system: eth1 is the admin interface, eth2 is the client-side facing interface, eth0 faces the internet, and br0 is the bridge.

2011/03/13 10:35:33.169 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0xa2fb668 [call8]
2011/03/13 10:35:33.169 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 15, err=0, port=0xa07f410) [call8]
2011/03/13 10:35:33.169 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0xa2fb750 [call10]
2011/03/13 10:35:33.170 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 16, err=0, port=0xa07f498) [call10]
2011/03/13 10:35:33.170 kid1| The AsyncCall clientListenerConnectionOpened constructed, this=0xa2fb838 [call12]
2011/03/13 10:35:33.170 kid1| StartListening.cc(52) will call clientListenerConnectionOpened(FD 17, err=0, port=0xa07f520) [call12]
2011/03/13 10:35:33.170 kid1| HTCP Disabled.
2011/03/13 10:35:33.170 kid1| Squid plugin modules loaded: 0
2011/03/13 10:35:33.170 kid1| Adaptation support is off.
2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation services
2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation service groups
2011/03/13 10:35:33.170 kid1| Config.cc(134) FinalizeEach: Initialized 0 message adaptation access rules
2011/03/13 10:35:33.170 kid1| Ready to serve requests.
2011/03/13 10:35:33.170 kid1| entering clientListenerConnectionOpened(FD 15, err=0, port=0xa07f410)
2011/03/13 10:35:33.170 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call8]
2011/03/13 10:35:33.170 kid1| AcceptingHTTP Socket connections at FD 15 on [::]:3128
2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 15, err=0, port=0xa07f410)
2011/03/13 10:35:33.171 kid1| entering clientListenerConnectionOpened(FD 16, err=0, port=0xa07f498)
2011/03/13 10:35:33.171 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call10]
2011/03/13 10:35:33.171 kid1| Accepting spoofingHTTP Socket connections at FD 16 on 0.0.0.0:3129
2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 16, err=0, port=0xa07f498)
2011/03/13 10:35:33.171 kid1| entering clientListenerConnectionOpened(FD 17, err=0, port=0xa07f520)
2011/03/13 10:35:33.171 kid1| AsyncCall.cc(32) make: make call clientListenerConnectionOpened [call12]
2011/03/13 10:35:33.171 kid1| Accepting interceptedHTTP Socket connections at FD 17 on 0.0.0.0:3130
2011/03/13 10:35:33.171 kid1| leaving clientListenerConnectionOpened(FD 17, err=0, port=0xa07f520)
2011/03/13 10:35:34 kid1| storeLateRelease: released 0 objects

Confirmed by lsof.

[root_at_fw01 ~]# lsof -i -nP | grep squid
squid 2090 squid 7u IPv6 20137 0t0 UDP *:41566
squid 2090 squid 8u IPv4 20138 0t0 UDP *:48061
squid 2090 squid 15u IPv6 20383 0t0 TCP *:3128 (LISTEN)
squid 2090 squid 16u IPv4 20384 0t0 TCP *:3129 (LISTEN)
squid 2090 squid 17u IPv4 20385 0t0 TCP *:3130 (LISTEN)

[root_at_fw01 ~]# ip rule list
0: from all lookup local
32765: from all fwmark 0x1 iif lo lookup 100
32766: from all lookup main
32767: from all lookup default

NOTE: I get these errors when trying to add any additional routing:

[root_at_fw01 ~]# ip route add local 0.0.0.0/0 dev eth0 table 100
RTNETLINK answers: File exists

[root_at_fw01 ~]# ip route add local 0.0.0.0/0 dev eth2 table 100
RTNETLINK answers: File exists

[root_at_fw01 ~]# ip route list table all
local default dev lo table 100 scope host
192.168.1.0/24 dev br0 proto kernel scope link src 192.168.1.90
192.168.1.0/24 dev eth1 proto kernel scope link src 192.168.1.78 metric 1
default via 192.168.1.254 dev br0
broadcast 192.168.1.0 dev eth1 table local proto kernel scope link src 192.168.1.78
broadcast 192.168.1.0 dev br0 table local proto kernel scope link src 192.168.1.90
broadcast 127.255.255.255 dev lo table local proto kernel scope link src 127.0.0.1
local 192.168.1.90 dev br0 table local proto kernel scope host src 192.168.1.90
broadcast 192.168.1.255 dev eth1 table local proto kernel scope link src 192.168.1.78
broadcast 192.168.1.255 dev br0 table local proto kernel scope link src 192.168.1.90
local 192.168.1.78 dev eth1 table local proto kernel scope host src 192.168.1.78
broadcast 127.0.0.0 dev lo table local proto kernel scope link src 127.0.0.1
local 127.0.0.1 dev lo table local proto kernel scope host src 127.0.0.1
local 127.0.0.0/8 dev lo table local proto kernel scope host src 127.0.0.1
fe80::/64 dev eth1 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth2 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev br0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
fe80::/64 dev eth0 proto kernel metric 256 mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
local ::1 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::207:e9ff:fee5:ac7a via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::240:f4ff:fecd:170 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::240:f4ff:fecd:170 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
local fe80::2a0:c9ff:fe08:4c26 via :: dev lo table local proto none metric 0 mtu 16436 advmss 16376 hoplimit 0
ff00::/8 dev eth1 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev eth2 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev br0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
ff00::/8 dev eth0 table local metric 256 mtu 1500 advmss 1440 hoplimit 0
unreachable default dev lo table unspec proto kernel metric -1 error -101 hoplimit 255
[root_at_fw01 ~]#

[root_at_fw01 ~]# ifconfig -a
br0 Link encap:Ethernet HWaddr 00:40:F4:CD:01:70
          inet addr:192.168.1.90 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: fe80::240:f4ff:fecd:170/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:144404 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22080 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:181401897 (172.9 MiB) TX bytes:27113936 (25.8 MiB)

eth0 Link encap:Ethernet HWaddr 00:A0:C9:08:4C:26
          inet6 addr: fe80::2a0:c9ff:fe08:4c26/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:151170 errors:0 dropped:0 overruns:0 frame:0
          TX packets:22109 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:190817348 (181.9 MiB) TX bytes:27115370 (25.8 MiB)

eth1 Link encap:Ethernet HWaddr 00:07:E9:E5:AC:7A
          inet addr:192.168.1.78 Bcast:192.168.1.255 Mask:255.255.255.0
          inet6 addr: fe80::207:e9ff:fee5:ac7a/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:13464 errors:0 dropped:0 overruns:0 frame:0
          TX packets:29328 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:959581 (937.0 KiB) TX bytes:38109473 (36.3 MiB)

eth2 Link encap:Ethernet HWaddr 00:40:F4:CD:01:70
          inet6 addr: fe80::240:f4ff:fecd:170/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
          RX packets:28 errors:0 dropped:0 overruns:0 frame:0
          TX packets:135268 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1872 (1.8 KiB) TX bytes:182786344 (174.3 MiB)
          Interrupt:18 Base address:0x2800

lo Link encap:Local Loopback
          inet addr:127.0.0.1 Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING MTU:16436 Metric:1
          RX packets:14 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1308 (1.2 KiB) TX bytes:1308 (1.2 KiB)

pan0 Link encap:Ethernet HWaddr 3A:5D:43:EE:D1:16
          BROADCAST MULTICAST MTU:1500 Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b) TX bytes:0 (0.0 b)

[root_at_fw01 ~]#

Bridge config:

[root_at_fw01 logs]# ebtables-save
# Generated by ebtables-save v1.0 on Sun Mar 13 10:52:47 PDT 2011
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT

*broute
:BROUTING ACCEPT
-A BROUTING -p IPv4 -i eth2 --ip-proto tcp --ip-dport 80 --log-level notice --log-prefix "ebt-dport-80:" -j redirect --redirect-target DROP
-A BROUTING -p IPv4 -i eth0 --ip-proto tcp --ip-sport 80 --log-level notice --log-prefix "ebt-sport-80:" -j redirect --redirect-target DROP

-----------

Mar 13 11:04:47 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800
Mar 13 11:05:08 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800
Mar 13 11:05:57 fw01 kernel: ebt-sport-80: IN=eth0 OUT= MAC source = b0:e7:54:6b:38:c9 MAC dest = 00:40:f4:cd:01:70 proto = 0x0800
Mar 13 11:08:48 fw01 kernel: ebt-dport-80: IN=eth2 OUT= MAC source = 00:50:56:36:df:78 MAC dest = 00:17:f2:09:8a:56 proto = 0x0800
Mar 13 11:08:51 fw01 kernel: ebt-dport-80: IN=eth2 OUT= MAC source = 00:50:56:36:df:78 MAC dest = 00:17:f2:09:8a:56 proto = 0x0800

[root_at_fw01 ~]# cat /var/log/messages | grep PROXYIT
Mar 13 10:41:24 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61864 DF PROTO=TCP SPT=40748 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 10:41:27 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61865 DF PROTO=TCP SPT=40748 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Mar 13 10:41:33 fw01 kernel: IPT_PROXYIT: IN=eth2 OUT= MAC=00:40:f4:cd:01:70:00:50:56:36:df:78:08:00 SRC=192.168.1.91 DST=192.168.1.88 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=61866 DF PROTO=TCP SPT=40748 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0

------------

I created a PROXYIT table to confirm the routing; also, the filter table is empty.

[root_at_fw01 ~]# iptables -t mangle -L -v
Chain PREROUTING (policy ACCEPT 649K packets, 873M bytes)
 pkts bytes target prot opt in out source destination
33821 1936K DIVERT tcp -- any any anywhere anywhere socket
   17 1020 PROXYIT tcp -- any any anywhere anywhere tcp dpt:http
 649K 873M LOGTPROXY2 all -- any any anywhere anywhere

Chain INPUT (policy ACCEPT 34681 packets, 2071K bytes)
 pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 88 packets, 117K bytes)
 pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 27623 packets, 96M bytes)
 pkts bytes target prot opt in out source destination

Chain POSTROUTING (policy ACCEPT 27731 packets, 96M bytes)
 pkts bytes target prot opt in out source destination

Chain DIVERT (1 references)
 pkts bytes target prot opt in out source destination
33821 1936K MARK all -- any any anywhere anywhere MARK or 0x1
33821 1936K LOGDIVERT all -- any any anywhere anywhere
33821 1936K ACCEPT all -- any any anywhere anywhere

Chain LOGDIVERT (1 references)
 pkts bytes target prot opt in out source destination
 1862 115K LOG all -- any any anywhere anywhere limit: avg 1/sec burst 10 LOG level warning prefix `IPT_LOGDIVERT: '
33821 1936K RETURN all -- any any anywhere anywhere

Chain LOGTPROXY1 (0 references)
 pkts bytes target prot opt in out source destination

Chain LOGTPROXY2 (1 references)
 pkts bytes target prot opt in out source destination
 1863 2520K LOG all -- any any anywhere anywhere limit: avg 1/sec burst 10 LOG level warning prefix `IPT_TPROXY2: '

Chain PROXYIT (1 references)
 pkts bytes target prot opt in out source destination
   17 1020 LOG all -- any any anywhere anywhere limit: avg 1/sec burst 10 LOG level warning prefix `IPT_PROXYIT: '
   17 1020 TPROXY tcp -- any any anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0xffffffff

I can use squidclient to read cache stats, so I'm pretty sure Squid is set up OK.

[root_at_fw01 logs]# squidclient -p 3128 mgr:info
HTTP/1.1 200 OK
Server: squid/3.HEAD-20110307
Mime-Version: 1.0
Date: Sun, 13 Mar 2011 18:02:05 GMT
Content-Type: text/plain
Expires: Sun, 13 Mar 2011 18:02:05 GMT
Last-Modified: Sun, 13 Mar 2011 18:02:05 GMT
X-Cache: MISS from fw01.localdomain
Via: 1.1 fw01.localdomain (squid/3.HEAD-20110307)
Connection: close

Squid Object Cache: Version 3.HEAD-20110307
Start Time: Sun, 13 Mar 2011 18:01:54 GMT
Current Time: Sun, 13 Mar 2011 18:02:05 GMT
Connection information for squid:
        Number of clients accessing cache: 1
        Number of HTTP requests received: 0
        Number of ICP messages received: 0
        Number of ICP messages sent: 0
        Number of queued ICP replies: 0
        Number of HTCP messages received: 0
        Number of HTCP messages sent: 0
        Request failure ratio: 0.00
        Average HTTP requests per minute since start: 0.0
        Average ICP messages per minute since start: 0.0
        Select loop called: 1113 times, 9.587 ms avg

What am I missing? I'm pretty sure it's in the routing layer, as it looks like both iptables and ebtables are doing the right thing.

James S. Binder
Vice President, Engineering

jbinder_at_cyphort.com
408.761.1403 (cell)

The information contained in this e-mail message and any attachments thereto is intended only for the personal and confidential use of the recipient(s) named above. This message may be under the terms of a Mutual Non-Disclosure Agreement communication and/or work product and as such is privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately by e-mail and delete this original message.
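As an added consistency check for the TPROXY plumbing shown in the post (example code, not part of the original message or of Squid), the following Python cross-checks the mark set by iptables, the fwmark policy rule, the local route in the selected table and the redirect port against Squid's tproxy listener. The sample inputs are constructed from the excerpts above; on them the check flags the `iif lo` qualifier on the fwmark rule, which per ip-rule(8) restricts a rule to locally generated packets.

```python
import re

# Inputs constructed from the excerpts in the post above, trimmed to the relevant
# lines of `ip rule list`, `ip route list table all`, `iptables -t mangle -L -v`
# and cache.log.
IP_RULES = """\
0: from all lookup local
32765: from all fwmark 0x1 iif lo lookup 100
"""
IP_ROUTES = """\
local default dev lo table 100 scope host
default via 192.168.1.254 dev br0
"""
MANGLE = """\
33821 1936K DIVERT tcp -- any any anywhere anywhere socket
33821 1936K MARK all -- any any anywhere anywhere MARK or 0x1
   17 1020 TPROXY tcp -- any any anywhere anywhere tcp dpt:http TPROXY redirect 0.0.0.0:3129 mark 0x1/0xffffffff
"""
CACHE_LOG = "kid1| Accepting spoofingHTTP Socket connections at FD 16 on 0.0.0.0:3129"

def audit_tproxy(ip_rules, ip_routes, mangle, cache_log):
    """Cross-check the pieces of a TPROXY setup; returns a list of findings."""
    findings = []
    tp = re.search(r"TPROXY redirect \S+:(\d+) mark (0x[0-9a-f]+)", mangle)
    if not tp:
        return ["no TPROXY rule found in the mangle table"]
    tproxy_port, tproxy_mark = int(tp.group(1)), int(tp.group(2), 16)
    # 1. The -m socket DIVERT path must set the same mark the TPROXY target sets, so
    #    the rest of an intercepted flow is routed the same way as its SYN.
    marks = {int(m, 16) for m in re.findall(r"MARK (?:or|set|xset) (0x[0-9a-f]+)", mangle)}
    if tproxy_mark not in marks:
        findings.append("no MARK rule sets the TPROXY mark %#x" % tproxy_mark)
    # 2. A policy rule must select a table on that fwmark. Per ip-rule(8), "iif lo"
    #    matches only locally generated packets, never traffic arriving on eth2.
    rule = re.search(r"fwmark ([0-9a-fx]+)(.*?)lookup (\d+)", ip_rules)
    if not rule or int(rule.group(1), 0) != tproxy_mark:
        findings.append("no ip rule selects a table for fwmark %#x" % tproxy_mark)
        return findings
    if re.search(r"\biif\s+lo\b", rule.group(2)):
        findings.append("fwmark rule is restricted to 'iif lo' (locally generated packets only)")
    table = rule.group(3)
    # 3. The selected table must deliver every destination locally over lo.
    if not re.search(r"^local default dev lo table %s\b" % table, ip_routes, re.M):
        findings.append("table %s has no 'local default dev lo' route" % table)
    # 4. TPROXY must redirect to Squid's tproxy ("spoofing") listener, not 3128 or 3130.
    lst = re.search(r"spoofingHTTP Socket connections at FD \d+ on \S+:(\d+)", cache_log)
    if not lst or int(lst.group(1)) != tproxy_port:
        findings.append("TPROXY redirects to port %d, which is not Squid's tproxy listener" % tproxy_port)
    return findings
```

Feed it the real command output on the box (`ip rule list`, `ip route list table all`, `iptables -t mangle -L -v`, the cache.log startup lines) and an empty list means the four pieces agree.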
Received on Sun Mar 13 2011 - 18:15:12 MDT

This archive was generated by hypermail 2.2.0 : Mon Mar 14 2011 - 12:00:02 MDT