[squid-users] Re: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 4125: (2) No such file or directory

From: Omid Kosari <omidkosari_at_yahoo.com>
Date: Fri, 11 Oct 2013 08:48:50 -0700 (PDT)

Amos Jeffries-2 wrote
> Would your proxy happen to be receiving the inbound traffic to
> www.netshahr.com port 80 ?

Let answer like this . netshahr.com is one of our customers . customers dst
port 80 will be routed to squid except if dst address is another customer .
so if netshahr.com wants access yahoo.com it goes to squid . but if clients
wants to open netshahr.com it does not goes through squid and vice versa .
Another thing i did not investigate a lot but when i removed 302: from
jesred.rules the redirection does not work and browser waits several minutes
for response .

Amos Jeffries-2 wrote
> I mean a new line above them:
> http_port 12345
> or whatever you like for the port value. It does not have to be used,
> but will help prevent traffic going to the interception ports when it
> was not intercepted.

ok got it . i changed it to following lines .
http_port 3127 intercept
http_port 3128
http_port 3129 tproxy

after that following appears in headers

X-Cache MISS from cache.xx.com
X-Cache-Lookup MISS from cache.xx.com:3127
Via 1.0 cache.xx.com (squid)

is the X-Cache-Lookup line ok ? it should show 3127 ?!

Amos Jeffries-2 wrote
> Okay. The ORIGINAL_DST security checks are not present in 3.1, so the
> NAT error is a non-fatal event for you at the moment. If it is
> encountered by a 3.2 or later proxy it is a transaction blocking event.
> In 3.1 the NAT lookup is rather strangely done after parsing each HTTP
> request, even on persistent connections, so it may just be something
> related to NAT table entries expiring while buffered requests are
> processed. Or the NAT system being overloaded with useless lookups on a
> heavily loaded machine - both those should be kind of rare though.

But it is fatal event for my network :)
root_at_cache:~# echo $( cat /proc/sys/net/netfilter/nf_conntrack_count ) / $(
cat /proc/sys/net/netfilter/nf_conntrack_max )
351452 / 524288
root_at_cache:~# grep conntrack /proc/slabinfo | awk '{ SUM += $3 * $4 } END {
print SUM / 1024 / 1024 " MB" }'
109.316 MB
Can you guide me to NOTRACK usefulness conntracks ? for example may i safely
notrack htcp traffic between 2 squid boxes ? what kind of other traffics ? i
hate try and false in production .

As i said in first post this problem appears after those 3 changes .
problems with nat existed before but this problem appears recently . BTW i
need help to clears unused conntrack .

If you say i can try to upgrade my squid package from
http://packages.ubuntu.com/saucy/squid3 .

Amos Jeffries-2 wrote
> It would be worth it for testing this problem at least. If requests were
> being looped through the proxy twice having it on will produce a warning
> message.

Via turned on sir . but one question . how loop may occur ?

View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/IpIntercept-cc-137-NetfilterInterception-NF-getsockopt-SO-ORIGINAL-DST-failed-on-FD-4125-2-No-such-fy-tp4662558p4662588.html
Sent from the Squid - Users mailing list archive at Nabble.com.
Received on Fri Oct 11 2013 - 16:18:20 MDT

This archive was generated by hypermail 2.2.0 : Sat Oct 12 2013 - 12:00:05 MDT