[squid-users] More NAT/TPROXY lookup fails (NetBSD 7.0, IPFilter 5.1)

Egerváry Gergely gergely at egervary.hu
Sat Jan 16 13:16:42 UTC 2016


Hi,

I'm running on:
- NetBSD 7.0_STABLE (checked out today)
- Squid 3.5.12 from NetBSD pkgsrc 2015Q4
- IP Filter: v5.1.2 (536)

Configured with "--enable-ipf-transparent":

   $ ./configure --sysconfdir=/usr/pkg/etc/squid \
       --localstatedir=/var/squid --datarootdir=/usr/pkg/share/squid \
       --disable-strict-error-checking --enable-auth \
       --enable-cachemgr-hostname=localhost --enable-delay-pools \
       --enable-icap-client --enable-icmp --enable-poll \
       --enable-removal-policies=lru,heap --enable-storeio=ufs diskd \
       --with-aio --with-default-user=squid --with-pidfile=/var/run/squid.pid \
       --disable-arch-native --enable-ipf-transparent --enable-carp \
       --without-mit-krb5 --without-heimdal-krb5 --enable-snmp \
       --enable-ssl --with-openssl=/usr --enable-auth-basic=NCSA getpwnam PAM \
       --enable-auth-digest=file --disable-auth-negotiate \
       --enable-auth-ntlm=fake smb_lm \
       --enable-external-acl-helpers=file_userip unix_group \
       --prefix=/usr/pkg --build=x86_64--netbsd --host=x86_64--netbsd \
       --mandir=/usr/pkg/man

For testing, I flushed ALL ipfilter and ipnat rules, except one:

rdr wm1 from 172.28.0.0/16 to any port = 80 -> 172.28.0.20 port 80 tcp

wm1 is the LAN interface, 172.28.0.20 is the squid IP.

$ egrep -v '(^$|^#)' squid.conf

acl Safe_ports port 80          # http
acl CONNECT method CONNECT
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost manager
http_access deny manager
http_access allow localnet
http_access allow localhost
http_access deny all
http_port 127.0.0.1:80 intercept
http_port 127.0.0.1:8080
http_port 172.28.0.20:80 intercept
http_port 172.28.0.20:8080
coredump_dir /var/squid/cache/squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

... and I get the famous message:

2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.28.0.20:80 remote=172.28.0.20:65363 FD 19 flags=33

Am I missing something?

Thank you,
-- 
Gergely EGERVARY
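A triage script for this class of failure, added here as an example; it is not code from the post, from Squid, or from IPFilter. It parses the "NAT/TPROXY lookup failed" lines from cache.log and the http_port lines from squid.conf, and sorts each failure into one of three buckets. The bucket that matches the line quoted above is the first one: the remote address 172.28.0.20 is the proxy's own address, so the connection was opened on the Squid host itself. Such a connection is delivered over loopback and never crosses the rdr rule bound to wm1, so IPFilter holds no NAT entry for Squid to look up; a client behind wm1 is needed to exercise the rule. The log format, the sample lines other than the first, and the IPv4-only address parsing are assumptions of this example.

```python
import re

# Constructed cache.log sample. Line 1 is the error from the post, re-joined where
# the mail wrapped it; lines 2 and 3 are constructed variants from a LAN client.
SAMPLE_LOG = (
    "2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs "
    "on local=172.28.0.20:80 remote=172.28.0.20:65363 FD 19 flags=33\n"
    "2016/01/16 13:58:02 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs "
    "on local=172.28.0.20:8080 remote=172.28.0.77:51022 FD 21 flags=33\n"
    "2016/01/16 13:58:09 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs "
    "on local=172.28.0.20:80 remote=172.28.0.77:51023 FD 22 flags=33\n"
)

# Constructed squid.conf fragment: the http_port lines from the post.
SAMPLE_CONF = """\
http_port 127.0.0.1:80 intercept
http_port 127.0.0.1:8080
http_port 172.28.0.20:80 intercept
http_port 172.28.0.20:8080
"""

# IPv4 only (assumption): an IPv6 listener would be logged as local=[::1]:80.
LOOKUP_FAIL_RE = re.compile(
    r"NAT/TPROXY lookup failed .*?local=(?P<lip>[^:\s]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[^:\s]+):(?P<rport>\d+)"
)
HTTP_PORT_RE = re.compile(r"^\s*http_port\s+(?P<ip>[^:\s]+):(?P<port>\d+)(?P<opts>.*)$")


def parse_http_ports(conf_text):
    """Map (ip, port) -> True when the listener carries the intercept flag."""
    ports = {}
    for line in conf_text.splitlines():
        m = HTTP_PORT_RE.match(line)
        if m:
            ports[(m["ip"], int(m["port"]))] = "intercept" in m["opts"].split()
    return ports


def parse_lookup_failures(log_text):
    """Yield (local_ip, local_port, remote_ip, remote_port) per failure line."""
    for line in log_text.splitlines():
        m = LOOKUP_FAIL_RE.search(line)
        if m:
            yield m["lip"], int(m["lport"]), m["rip"], int(m["rport"])


def classify_failure(local_ip, local_port, remote_ip, ports):
    """Sort one failure into a bucket that points at the next thing to check."""
    proxy_ips = {ip for ip, _ in ports}
    if remote_ip in proxy_ips or remote_ip.startswith("127."):
        # Connection opened on the proxy host: it went over loopback and never
        # hit the rdr rule on the LAN interface, so no NAT entry exists.
        return "self-originated"
    if not ports.get((local_ip, local_port), False):
        # Packet landed on a plain listener; Squid only does the NAT lookup
        # for http_port lines flagged intercept.
        return "not-intercept-port"
    # Came from a LAN host to an intercept port and still failed: check that
    # `ipnat -l` shows the mapping and that Squid can read /dev/ipnat.
    return "nat-entry-missing"


def triage(log_text, conf_text):
    """Return [(local, remote, bucket), ...] for every failure in the log."""
    ports = parse_http_ports(conf_text)
    return [
        (f"{lip}:{lport}", f"{rip}:{rport}", classify_failure(lip, lport, rip, ports))
        for lip, lport, rip, rport in parse_lookup_failures(log_text)
    ]


if __name__ == "__main__":
    for local, remote, bucket in triage(SAMPLE_LOG, SAMPLE_CONF):
        print(f"{local} <- {remote}: {bucket}")
```

Run it against the real cache.log and squid.conf by swapping the constructed samples for the file contents; the first bucket is the one to rule out before touching the ipnat rule, since a test from the proxy host itself cannot succeed whatever the rule says.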


