[squid-users] More NAT/TPROXY lookup fails (NetBSD 7.0, IPFilter 5.1)

Amos Jeffries squid3 at treenet.co.nz
Sat Jan 16 14:10:20 UTC 2016


On 17/01/2016 2:16 a.m., Egerváry Gergely wrote:
> Hi,
> 
> I'm running on:
> - NetBSD 7.0_STABLE (checked out today)
> - Squid 3.5.12 from NetBSD pkgsrc 2015Q4
> - IP Filter: v5.1.2 (536)
> 
> Configured with "--enable-ipf-transparent":
> 
>   $ ./configure --sysconfdir=/usr/pkg/etc/squid --localstatedir=/var/squid
> --datarootdir=/usr/pkg/share/squid --disable-strict-error-checking --enable-auth
> --enable-cachemgr-hostname=localhost --enable-delay-pools --enable-icap-client
> --enable-icmp --enable-poll --enable-removal-policies=lru,heap
> --enable-storeio=ufs diskd --with-aio --with-default-user=squid
> --with-pidfile=/var/run/squid.pid --disable-arch-native --enable-ipf-transparent
> --enable-carp --without-mit-krb5 --without-heimdal-krb5 --enable-snmp
> --enable-ssl --with-openssl=/usr --enable-auth-basic=NCSA getpwnam PAM
> --enable-auth-digest=file --disable-auth-negotiate --enable-auth-ntlm=fake smb_lm
> --enable-external-acl-helpers=file_userip unix_group --prefix=/usr/pkg
> --build=x86_64--netbsd --host=x86_64--netbsd --mandir=/usr/pkg/man
> 
> For testing, I flushed ALL ipfilter and ipnat rules, except one:
> 
> rdr wm1 from 172.28.0.0/16 to any port = 80 -> 172.28.0.20 port 80 tcp
> 
> wm1 is the LAN interface, 172.28.0.20 is the squid IP.
> 
> $ egrep -v '(^$|^#)' squid.conf
> 
> acl Safe_ports port 80          # http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 127.0.0.1:80 intercept
> http_port 127.0.0.1:8080
> http_port 172.28.0.20:80 intercept
> http_port 172.28.0.20:8080
> coredump_dir /var/squid/cache/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> ... and I get the famous message:
> 
> 2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local=172.28.0.20:80 remote=172.28.0.20:65363 FD 19 flags=33
> 
> Am I missing something?
> 

You missed out saying how you tested it. That matters.

For example, from the Squid log line it appears you made a connection
directly to the intercept port without going through the NAT system. Of
course the NAT system would have no record of it under those circumstances.

Amos
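As an added illustration of the reasoning above (not part of the thread), this script applies Amos's check to the quoted error line: if the remote address in a "NAT/TPROXY lookup failed" message is one of the proxy's own listening addresses, the client connected straight to the intercept port and ipnat never saw the flow. The proxy addresses and LAN range are taken from the quoted squid.conf and rdr rule; the second sample log line is constructed to show the other branch.

```python
import ipaddress
import re

# Constructed sample: the first line is the one quoted in the thread (rejoined),
# the second is invented to show a lookup failure from a real LAN client.
SAMPLE_LOG = """\
2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.28.0.20:80 remote=172.28.0.20:65363 FD 19 flags=33
2016/01/16 13:58:02 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.28.0.20:80 remote=172.28.0.55:41002 FD 21 flags=33
"""

# Addresses Squid listens on, from the http_port lines in the quoted squid.conf.
PROXY_ADDRS = {ipaddress.ip_address("127.0.0.1"), ipaddress.ip_address("172.28.0.20")}
# Source range matched by the quoted ipnat rule: rdr wm1 from 172.28.0.0/16 ...
LAN_NET = ipaddress.ip_network("172.28.0.0/16")

# IPv4 only; Squid prints IPv6 addresses in brackets, which this regex does not handle.
LINE_RE = re.compile(
    r"NAT/TPROXY lookup failed .*? local=(?P<lip>[\d.]+):(?P<lport>\d+) "
    r"remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)

EXPLANATION = {
    "direct_to_intercept_port": "remote address is the proxy itself: the test connection "
    "went straight to the intercept port, so ipnat holds no entry for it",
    "lan_client_no_nat_entry": "remote address is a LAN client: the packet reached Squid "
    "but ipnat has no rdr entry, so check the rdr rule and the interface it is bound to",
    "outside_rdr_source_range": "remote address is outside 172.28.0.0/16: the quoted "
    "rdr rule cannot have matched this flow",
}


def classify(line):
    """Return (remote_ip, reason_code) for one lookup-failure line, or None if no match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    rip = ipaddress.ip_address(m.group("rip"))
    if rip in PROXY_ADDRS:
        code = "direct_to_intercept_port"
    elif rip in LAN_NET:
        code = "lan_client_no_nat_entry"
    else:
        code = "outside_rdr_source_range"
    return str(rip), code


def triage(log_text):
    """Classify every lookup-failure line in a cache.log excerpt."""
    return [r for r in (classify(l) for l in log_text.splitlines()) if r is not None]
```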
