[squid-users] NetfilterInterception: NF > getsockopt(SO_ORIGINAL_DST) errors

kAja Ziegler ziegleka at gmail.com
Tue May 22 10:06:07 UTC 2018


Hi,

  this question/problem is extracted from the other email "The right way
how to increase max_filedescriptors on Linux".

*- my environment:*

CentOS 6.9
Squid 3.1.23 / 3.4.14
IPv4 and IPv6 addresses on interfaces

*- error and warning messages from cache.log:*

IpIntercept.cc(137) NetfilterInterception:  NF getsockopt(SO_ORIGINAL_DST) failed on FD NN: (2) No such file or directory

NN ... many error log entries with different FD value

On Mon, May 21, 2018 at 3:29 PM, Amos Jeffries <squid3 at treenet.co.nz> wrote:

> These should not be related to FD numbers running out. As you can see FD
> 68 was already allocated to this TCP connection and the socket accept()'ed.
>
> NAT errors are usually caused by explicit-proxy traffic arriving at a
> NAT interception port. Such traffic is prohibited.
> or by NAT table overflowing under extreme traffic loads. Either way
> current Squid versions will terminate that connection immediately since
> it cannot identify where the packets were supposed to be going.
>

This is strange because I don't use any NAT iptables/netfilter rules on
this server:

[root at ...]# iptables -n -L -v -t nat
Chain PREROUTING (policy ACCEPT 26964 packets, 1870K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 11013 packets, 817K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 11015 packets, 817K bytes)
 pkts bytes target     prot opt in     out     source               destination


The only weird thing I found in my Squid configuration - I had defined only
one http_port (http_port 3128 intercept) and this port was used to access
the proxy via explicit definitions in systems or applications - without any
REDIRECT or marking in iptables/netfilter rules.


Thank you for every response that makes the error messages clearer.
-- 
Karel Ziegler
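
An added example, not part of the original post and not Squid's own code: a small check for the situation described above, where an http_port is marked intercept but no NAT rule delivers traffic to it. The function names and both sample inputs are constructed for illustration; only REDIRECT rules with --to-ports and DNAT rules with --to-destination addr:port are recognised.

```python
import re

# Constructed sample inputs (not taken from the poster's server).
SQUID_CONF = """\
http_port 3128 intercept
http_port 3129 intercept
http_port 8080
"""

# Constructed `iptables-save -t nat` output: only port 3129 has a REDIRECT.
IPTABLES_NAT = """\
*nat
:PREROUTING ACCEPT [0:0]
-A PREROUTING -i eth0 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3129
COMMIT
"""

def intercept_ports(squid_conf):
    """Ports of http_port lines carrying the intercept (or older transparent) flag."""
    ports = set()
    for line in squid_conf.splitlines():
        fields = line.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 2 and fields[0] == "http_port":
            if {"intercept", "transparent"} & set(fields[2:]):
                # The address may be "3128", "10.0.0.1:3128" or "[::1]:3128".
                ports.add(int(fields[1].rsplit(":", 1)[-1]))
    return ports

def nat_target_ports(iptables_save):
    """Local ports that REDIRECT or DNAT rules in the nat table deliver to."""
    ports = set()
    for line in iptables_save.splitlines():
        m = re.search(r"-j REDIRECT\b.*--to-ports (\d+)", line) or \
            re.search(r"-j DNAT\b.*--to-destination \S*:(\d+)", line)
        if m:
            ports.add(int(m.group(1)))
    return ports

def unfed_intercept_ports(squid_conf, iptables_save):
    """Intercept ports that no NAT rule feeds. Clients reaching them directly are
    explicit-proxy traffic on an interception port, the usual cause named in the
    quoted reply for the NF getsockopt(SO_ORIGINAL_DST) error."""
    return sorted(intercept_ports(squid_conf) - nat_target_ports(iptables_save))

if __name__ == "__main__":
    for port in unfed_intercept_ports(SQUID_CONF, IPTABLES_NAT):
        print(f"http_port {port} intercept has no REDIRECT/DNAT rule feeding it")
```

On a live system the two inputs would be the contents of squid.conf and the output of `iptables-save -t nat`.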