[squid-users] FTP relay with active client is broken?

Alex gozzy at yandex.ru
Wed Feb 8 13:10:44 UTC 2017


Anyone? Is it a bug, or is there something that should be tuned? I've specified 'ftp_port 2121 intercept' and made squid intercept outgoing FTP traffic according to the following rules:

iptables -t nat -A OUTPUT -p tcp -m owner --gid-owner squid -j ACCEPT
iptables -t nat -A OUTPUT -p tcp --dport 21 -j REDIRECT --to-port 2121


07.02.2017, 16:23, "Alex" <gozzy at yandex.ru>:
>   Hello.
>
>   Recently I gave FTP relay a try and it seems that it doesn't work out of the box :(
>   I've seen a topic regarding passive mode (when squid puts the real server's IP into the 'Entering passive mode' message); however, I've solved this by writing a kernel module with custom netfilter hooks (the module intercepts squid's reply, gets the IP and port and marks the corresponding incoming connection, so it's possible to write a REDIRECT rule).
>   I thought that active mode would cause fewer problems, but it seems that what squid tries to do is illegal. As far as I understand, in active mode squid tries to connect to the client and spoofs the source IP address. But it simply does not work: even if bind() succeeds after setting the 'ip_nonlocal_bind' sysctl to 1, the connect() call fails with EINVAL. According to https://lkml.org/lkml/2001/6/7/17, such kernel behaviour is legit and squid tries to do something nasty.
>
>   Here's the excerpt from squid's log (3.5.24 on CentOS 6.5 with 4.x kernel):
>
> 2017/02/07 15:24:12.262| 5,3| ConnOpener.cc(289) createFd: local=172.17.10.30 remote=172.17.11.31:56676 flags=9 will timeout in 60
> 2017/02/07 15:24:12.262| 5,9| comm.cc(602) comm_connect_addr: connecting socket FD 16 to 172.17.11.31:56676 (want family: 2)
> 2017/02/07 15:24:12.262| 5,5| comm.cc(644) comm_connect_addr: sock=16, addrinfo( flags=4, family=2, socktype=1, protocol=6, &addr=0x1bffc00, addrlen=16 )
> 2017/02/07 15:24:12.262| 5,9| comm.cc(645) comm_connect_addr: connect FD 16: (-1) (22) Invalid argument
> 2017/02/07 15:24:12.262| 14,9| comm.cc(646) comm_connect_addr: connecting to: 172.17.11.31:56676
> 2017/02/07 15:24:12.262| 5,7| ConnOpener.cc(357) doConnect: local=172.17.10.30 remote=172.17.11.31:56676 flags=9: failure #1 <= 0: (22) Invalid argument
> 2017/02/07 15:24:12.262| 5,5| ConnOpener.cc(365) doConnect: local=172.17.10.30 remote=172.17.11.31:56676 flags=9: * - ERR tried too many times already.
> 2017/02/07 15:24:12.262| 17,3| AsyncCall.cc(93) ScheduleCall: ConnOpener.cc(137) will call Ftp::Server::connectedForData(local=172.17.10.30 remote=172.17.11.31:56676 flags=9, errno=22, flag=-8, data=0x17d6188) [call95]
>
>   Any thoughts?
> _______________________________________________
> squid-users mailing list
> squid-users at lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
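The netfilter module described in the quoted message has to pull the data-connection endpoint out of the FTP control channel before it can mark the matching connection for a REDIRECT rule. The parsing half of that job, as an added Python example that is neither squid's code nor the poster's module: it decodes the passive-mode 227 reply and the active-mode PORT command (RFC 959 six-tuple form) and reports who will listen for the data connection. The control-channel lines and addresses below are constructed for the example; the 172.17.x.x addresses and port 56676 are reused from the log excerpt only to make the output easy to compare.

```python
import re
from typing import List, Optional, Tuple

# RFC 959 encodes an IPv4 endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
# It appears in the server's "227 Entering Passive Mode (...)" reply and in the
# client's "PORT ..." command.
_SIX_TUPLE = re.compile(
    r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})"
)


def _decode_six_tuple(m: "re.Match") -> Optional[Tuple[str, int]]:
    """Turn a matched h1,h2,h3,h4,p1,p2 group into (ip, port); None if out of range."""
    octets = [int(x) for x in m.group(1, 2, 3, 4)]
    p1, p2 = int(m.group(5)), int(m.group(6))
    if any(o > 255 for o in octets) or p1 > 255 or p2 > 255:
        return None
    port = (p1 << 8) | p2
    if port == 0:
        return None  # port 0 is never a usable data endpoint
    return ".".join(map(str, octets)), port


def parse_pasv_reply(line: str) -> Optional[Tuple[str, int]]:
    """Endpoint the *server* listens on, from a 227 reply; None for other lines."""
    line = line.strip()
    if not line.startswith("227"):
        return None
    m = _SIX_TUPLE.search(line)
    return _decode_six_tuple(m) if m else None


def parse_port_command(line: str) -> Optional[Tuple[str, int]]:
    """Endpoint the *client* listens on, from a PORT command; None for other lines."""
    line = line.strip()
    if not line.upper().startswith("PORT "):
        return None
    m = _SIX_TUPLE.fullmatch(line[5:].strip())
    return _decode_six_tuple(m) if m else None


def data_endpoints(control_lines: List[str]) -> List[Tuple[str, str, int]]:
    """Walk a control-channel transcript and list every announced data endpoint.

    Each entry is (listener, ip, port) where listener is "server" for passive
    mode (the relay must connect out, or redirect the client's connection) and
    "client" for active mode (the relay would have to connect back to the
    client, which is the case that fails in the quoted log).
    """
    found = []
    for line in control_lines:
        ep = parse_pasv_reply(line)
        if ep:
            found.append(("server",) + ep)
            continue
        ep = parse_port_command(line)
        if ep:
            found.append(("client",) + ep)
    return found


# Constructed sample transcript (not real captured traffic): one passive
# transfer followed by one active transfer.
SAMPLE_CONTROL_CHANNEL = [
    "220 example FTP server ready",
    "USER anonymous",
    "331 Please specify the password.",
    "PASS guest",
    "230 Login successful.",
    "PASV",
    "227 Entering Passive Mode (172,17,10,30,221,100).",
    "RETR file1.bin",
    "150 Opening BINARY mode data connection.",
    "226 Transfer complete.",
    "PORT 172,17,11,31,221,100",
    "200 PORT command successful.",
    "RETR file2.bin",
    "150 Opening BINARY mode data connection.",
    "226 Transfer complete.",
]

if __name__ == "__main__":
    for listener, ip, port in data_endpoints(SAMPLE_CONTROL_CHANNEL):
        print(f"{listener} listens on {ip}:{port}")
```

Run on the constructed transcript it reports one server-side endpoint (172.17.10.30:56676, the passive case the poster handles with a REDIRECT rule) and one client-side endpoint (172.17.11.31:56676, the active case where the relay must originate the connection). The range checks matter in a hook that feeds firewall rules: a malformed six-tuple should be dropped rather than turned into a mark for some unrelated address.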

