[squid-users] getsockopt failures, although direct access to intercept ports is blocked

Andreas Weigel andreas.weigel at securepoint.de
Wed Feb 23 23:05:58 UTC 2022


Hi everyone,

I had the following issue with Squid in Transparent Mode (and SSL Interception in mode splice). It is working as expected; however, after multiple long-running (talking about several seconds) anti-virus eCAP processes have finished, I *sometimes* get the following in the log:

2022/02/23 14:56:40.668 kid1| 5,2| src/comm/TcpAcceptor.cc(224) doAccept: New connection on FD 21
2022/02/23 14:56:40.668 kid1| 5,2| src/comm/TcpAcceptor.cc(312) acceptNext: connection on local=[::]:2412 remote=[::] FD 21 flags=41
2022/02/23 14:56:40.668 kid1| 89,5| src/ip/Intercept.cc(405) Lookup: address BEGIN: me/client= 192.168.180.1:2412, destination/me= 192.168.180.10:48582
2022/02/23 14:56:40.668 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=192.168.180.1:2412 remote=192.168.180.10:48582 FD 37 flags=33: (2) No such file or directory
2022/02/23 14:56:40.669 kid1| 89,9| src/ip/Intercept.cc(151) NetfilterInterception: address: local=192.168.180.1:2412 remote=192.168.180.10:48582 FD 37 flags=33
2022/02/23 14:56:40.669 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=192.168.180.1:2412 remote=192.168.180.10:48582 FD 37 flags=33
2022/02/23 14:56:40.669 kid1| 5,5| src/comm/TcpAcceptor.cc(287) acceptOne: non-recoverable error: FD 21, [::] [ job2] handler Subscription: 0x55edac3d08d0*1

Sometimes this only appears on one of the two interception ports, sometimes on both. After that, the squid worker does not poll the intercept listen port any longer, i.e. it stops working. The firewall is configured to drop incoming packets to ports 2411/2412 according to https://wiki.squid-cache.org/ConfigExamples/Intercept/LinuxRedirect.

iptables-save
*raw
:PREROUTING ACCEPT [68778:58967535]
:OUTPUT ACCEPT [109753:87606960]
-A PREROUTING -p tcp -m tcp --dport 2411 -j NFLOG --nflog-prefix "DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2411 -j DROP
-A PREROUTING -p tcp -m tcp --dport 2412 -j NFLOG --nflog-prefix "DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2412 -j DROP
...
*nat
:PREROUTING ACCEPT [247:23967]
:INPUT ACCEPT [102:8035]
:OUTPUT ACCEPT [781:59761]
:POSTROUTING ACCEPT [781:59761]
-A PREROUTING -s 192.168.180.10/32 -i eth2 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 2411
-A PREROUTING -s 192.168.180.10/32 -i eth2 -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 2412
...
-A POSTROUTING -s 192.168.180.10/32 -o eth0 -j MASQUERADE

ip6tables-save
*raw
:PREROUTING ACCEPT [48:3865]
:OUTPUT ACCEPT [9:697]
-A PREROUTING -p tcp -m tcp --dport 2411 -j NFLOG --nflog-prefix "DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2411 -j DROP
-A PREROUTING -p tcp -m tcp --dport 2412 -j NFLOG --nflog-prefix "DROP: proxy intercept port" --nflog-group 13
-A PREROUTING -p tcp -m tcp --dport 2412 -j DROP

I confirmed that the rules are working by sending some requests to the ports manually. So, I really do not understand from where these packets arrive at Squid. Any pointers or ideas on what I am missing or what to check (e.g., debugging sections) would be highly appreciated. Looking at the code I only see a rather straightforward path from accept to getsockopt.

Squid intercept config:

http_port 2411 connection-auth=off intercept
https_port 2412 connection-auth=off ssl-bump capath=/etc/ssl/certs generate-host-certificates=on tls-default-ca=off cert=/etc/ssl/proxy_interception.pem intercept

Test setup looks like this:
client 192.168.180.10 --- 192.168.180.1 at eth2 <router running squid> 192.168.175.1 at eth1 --- 192.168.175.10 destination

curl http://192.168.175.10/linux-headers-5.4.0-100_5.4.0-100.113_all.deb -o test.deb


Kind regards,
Andreas
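
The accept-then-getsockopt(SO_ORIGINAL_DST) path from the post, reproduced as a stand-alone listener so the lookup can be observed outside Squid (added example, not Squid's or the poster's code). The "(2) No such file or directory" in the log is ENOENT, which the kernel returns when it finds no conntrack entry for the accepted socket's 4-tuple, so the tool prints that distinction for each connection instead of abandoning the port. Assumptions: Linux, IPv4 only, listening port taken from argv[1] (default 2411), and it must run on the router that does the REDIRECT.

```c
/* Minimal reproduction of Squid's accept -> getsockopt(SO_ORIGINAL_DST) path.
 * Added example, not Squid's code. Linux, IPv4 only. */
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#define SO_ORIGINAL_DST 80   /* value from <linux/netfilter_ipv4.h> */
/* Ask conntrack for the pre-REDIRECT destination of an accepted TCP socket.
 * Returns 0 and fills *orig on success, otherwise the errno value. */
int lookup_original_dst(int fd, struct sockaddr_in *orig) {
    socklen_t len = sizeof(*orig);
    memset(orig, 0, sizeof(*orig));
    return getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &len) == 0 ? 0 : errno;
}
/* What each outcome means for an intercept deployment. */
const char *explain_original_dst(int err) {
    switch (err) {
    case 0:           return "ok: conntrack returned the original destination";
    case ENOENT:      return "no conntrack entry for this 4-tuple (flow untracked, "
                             "entry expired/evicted, or never NATed)";
    case ENOPROTOOPT: return "nf_conntrack/nf_nat not available in this netns";
    default:          return strerror(err);
    }
}
/* Listen like an intercept port and report each accepted connection; a failed
 * lookup is logged and the loop keeps accepting. Port comes from argv[1]. */
int main(int argc, char **argv) {
    int port = argc > 1 ? atoi(argv[1]) : 2411;   /* assumption: port via argv */
    int lfd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in me = { .sin_family = AF_INET, .sin_port = htons(port) };
    setsockopt(lfd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof one);
    if (bind(lfd, (struct sockaddr *)&me, sizeof me) || listen(lfd, 16)) { perror("bind/listen"); return 1; }
    for (;;) {
        struct sockaddr_in peer, orig; socklen_t plen = sizeof peer;
        int fd = accept(lfd, (struct sockaddr *)&peer, &plen);
        if (fd < 0) { perror("accept"); continue; }
        int err = lookup_original_dst(fd, &orig);
        char p[INET_ADDRSTRLEN], o[INET_ADDRSTRLEN] = "-";
        inet_ntop(AF_INET, &peer.sin_addr, p, sizeof p);
        if (!err) inet_ntop(AF_INET, &orig.sin_addr, o, sizeof o);
        printf("remote=%s:%u orig_dst=%s:%u -> %s\n", p, ntohs(peer.sin_port),
               o, err ? 0 : ntohs(orig.sin_port), explain_original_dst(err));
        close(fd);
    }
}
```

Running it on the router with Squid stopped and the same REDIRECT rules in place shows, per connection, whether the kernel still has the NAT entry at accept time; a stray ENOENT there points at conntrack state (timeouts, NOTRACK, table pressure) rather than at Squid.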