[squid-users] FTP relay with active client is broken?

Alex gozzy at yandex.ru
Tue Feb 7 13:22:42 UTC 2017


  Recently I gave FTP relay a try and it seems that it doesn't work out of the box :(
  I've seen a topic regarding passive mode (when squid puts real server's IP into 'Entering passive mode' message), however, I've solved this by writing a kernel module with custom netfilter hooks (the module intercepts squid's reply, gets IP and port and marks corresponding incoming connection, so it's possible to write a REDIRECT rule).
  I thought that active mode will cause less problems, but it seems that what squid tries to do is illegal. As far as I understand, in active mode squid tries to connect to a client and spoofs source IP address. But it simply does not work: even if bind() succeeds after setting 'ip_nonlocal_bind' sysctl to 1, the connect() call fails with EINVAL. According to https://lkml.org/lkml/2001/6/7/17, such kernel's behaviour is legit and squid tries to do something nasty.

  Here's the excerpt from squid's log (3.5.24 on CentOS 6.5 with 4.x kernel):

017/02/07 15:24:12.262| 5,3| ConnOpener.cc(289) createFd: local= remote= flags=9 will timeout in 60
2017/02/07 15:24:12.262| 5,9| comm.cc(602) comm_connect_addr: connecting socket FD 16 to (want family: 2)
2017/02/07 15:24:12.262| 5,5| comm.cc(644) comm_connect_addr: sock=16, addrinfo( flags=4, family=2, socktype=1, protocol=6, &addr=0x1bffc00, addrlen=16 )
2017/02/07 15:24:12.262| 5,9| comm.cc(645) comm_connect_addr: connect FD 16: (-1) (22) Invalid argument
2017/02/07 15:24:12.262| 14,9| comm.cc(646) comm_connect_addr: connecting to:
2017/02/07 15:24:12.262| 5,7| ConnOpener.cc(357) doConnect: local= remote= flags=9: failure #1 <= 0: (22) Invalid argument
2017/02/07 15:24:12.262| 5,5| ConnOpener.cc(365) doConnect: local= remote= flags=9: * - ERR tried too many times already.
2017/02/07 15:24:12.262| 17,3| AsyncCall.cc(93) ScheduleCall: ConnOpener.cc(137) will call Ftp::Server::connectedForData(local= remote= flags=9, errno=22, flag=-8, data=0x17d6188) [call95]

  Any thoughts?

More information about the squid-users mailing list