[squid-users] Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?

eliezer at ngtech.co.il eliezer at ngtech.co.il
Thu Dec 6 11:27:41 UTC 2018

I have seen this with selinux also.
I can trace the issue down but just to clear out my doubts and before delving into DEBUG all,9:
On a default squid 4.4 with one worker no cache with default squid.conf, should we expect it or maybe it is a side effect in the code?
(Technically speaking, if I do not trust Squid in general then I should probably not entrust these netfilter sockets to Squid)


Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il

-----Original Message-----
From: squid-users <squid-users-bounces at lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Saturday, December 1, 2018 13:12
To: squid-users at lists.squid-cache.org
Subject: Re: [squid-users] Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?

On 1/12/18 3:43 am, Ahmad, Sarfaraz wrote:
> I think almost every time squid opens a TCP connection, it also tried to
> open a raw socket of type AF_NETLINK. Syscall pasted below.
> Any thoughts ?

* To receive NAT intercepted connections Squid needs access to the
system NAT table to identify what origin server the client was actually
trying to get to before it was diverted into Squid.

* To send traffic with TPROXY interception Squid must setup the socket
for sending the spoofed IP addresses.

* To perform Netfilter MARK operations (both fetch and set) Squid uses
Netfilter Conntrack APIs.

* To fetch EUI information about connections received or sent after they
are open via POSIX getsockopt() or BSD ioctl() APIs. This is optional
and on by default (eui_lookup to configure)

Any of those may be defined by your system Netfilter libraries in terms
of AF_NETLINK traffic in the background. If they are doing things like
that then the ICMP sockets and (less likely) UDS sockets may also be

If the behaviour is as repeatable as you say you can use an ALL,9 level
cache.log trace to see what exactly Squid is trying to do at the time
it happens.

squid-users mailing list
squid-users at lists.squid-cache.org

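A small probe, added here as an example and not code from Squid or from either poster, that reproduces the exact socket() call in the strace line and classifies the errno. The point is to separate an environmental denial (SELinux, AppArmor, seccomp, a sandbox without that netlink family) from anything Squid itself does: on a stock kernel, socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) needs no capability at all (CAP_NET_ADMIN is only checked later, when conntrack queries are sent), so EACCES at socket() time is the signature of an LSM socket-create denial rather than of Squid lacking privileges. It also probes NETLINK_ROUTE for comparison, since SELinux uses a separate object class per netlink family. The file name nl_probe.c and the runcon invocation in the comments are assumptions for illustration.

```c
/* nl_probe.c: added example, not part of Squid.
 * Build: cc -o nl_probe nl_probe.c
 * Run as the squid user and in the same SELinux domain as the daemon,
 * e.g. (assumed invocation): runcon -t squid_t ./nl_probe
 * and compare the result with the EACCES seen in the strace output. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <unistd.h>

enum probe_class {
    PROBE_OK = 0,       /* kernel created the socket: the denial is not environmental */
    PROBE_LSM_DENIED,   /* EACCES: what SELinux/AppArmor return for a socket create denial */
    PROBE_PRIV_DENIED,  /* EPERM: capability check or seccomp filter */
    PROBE_UNSUPPORTED,  /* kernel or sandbox has no such netlink family */
    PROBE_OTHER
};

/* Create one netlink socket of the given protocol and close it again.
 * Returns 0 on success or the errno socket() set on failure. */
int probe_netlink(int protocol)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, protocol);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Map the errno from probe_netlink() to a diagnosis category. */
enum probe_class classify(int err)
{
    switch (err) {
    case 0:
        return PROBE_OK;
    case EACCES:
        return PROBE_LSM_DENIED;
    case EPERM:
        return PROBE_PRIV_DENIED;
    case EPROTONOSUPPORT:
    case EAFNOSUPPORT:
    case ESOCKTNOSUPPORT:
    case ENOSYS:
    case EINVAL:
        return PROBE_UNSUPPORTED;
    default:
        return PROBE_OTHER;
    }
}

const char *class_name(enum probe_class c)
{
    switch (c) {
    case PROBE_OK:          return "allowed by kernel";
    case PROBE_LSM_DENIED:  return "denied by LSM policy (check audit.log / AppArmor log)";
    case PROBE_PRIV_DENIED: return "denied by capability check or seccomp";
    case PROBE_UNSUPPORTED: return "netlink family not available here";
    default:                return "unexpected error";
    }
}

int main(void)
{
    /* NETLINK_NETFILTER is what the conntrack library uses; NETLINK_ROUTE is
     * probed alongside it because SELinux has a distinct socket class for
     * each family, so the two may be allowed or denied independently. */
    const struct { const char *name; int proto; } probes[] = {
        { "NETLINK_NETFILTER", NETLINK_NETFILTER },
        { "NETLINK_ROUTE",     NETLINK_ROUTE },
    };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int err = probe_netlink(probes[i].proto);
        printf("socket(AF_NETLINK, SOCK_RAW, %s) -> %s [%s]\n",
               probes[i].name,
               err ? strerror(err) : "ok",
               class_name(classify(err)));
    }
    return 0;
}
```

If the probe succeeds for the squid user in the squid_t domain but the daemon still logs EACCES, the difference is in how the daemon was started (a different context, a systemd hardening option, or a seccomp filter), which narrows the ALL,9 trace to the connection-setup path rather than to a policy question.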