<div dir="ltr"><div>Hi,</div><div><br></div><div> this question/problem is extracted from the other email "The right way how to increase max_filedescriptors on Linux".</div><div><br></div><div><div><b>- my environment:</b></div><div><br></div><div>CentOS 6.9</div><div>Squid 3.1.23 / 3.4.14</div><div>IPv4 and IPv6 addresses on interfaces<br></div></div><div><br></div><div><div><b>- error and warning messages from cache.log:</b><br></div><div><br></div>IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD NN: (2) No such file or directory</div><div><br></div><div>NN ... many error log entries with different FD value<br></div><div><br></div><div>On Mon, May 21, 2018 at 3:29 PM, Amos Jeffries <span dir="ltr"><<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>></span> wrote:</div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div>These should not be related to FD numbers running out. As you can see FD<br>
68 was already allocated to this TCP connection and the socket accept()'ed.<br>
<br>
NAT errors are usually caused by explicit-proxy traffic arriving at a<br>
NAT interception port (such traffic is prohibited),<br>
or by the NAT table overflowing under extreme traffic loads. Either way<br>
current Squid versions will terminate that connection immediately since<br>
it cannot identify where the packets were supposed to be going.<br></div></blockquote><div><br></div><div>This is strange because I don't use any NAT iptables/netfilter rules on this server:</div><br>[root@...]# iptables -n -L -v -t nat<br>Chain PREROUTING (policy ACCEPT 26964 packets, 1870K bytes)<br> pkts bytes target prot opt in out source destination<br><br>Chain POSTROUTING (policy ACCEPT 11013 packets, 817K bytes)<br> pkts bytes target prot opt in out source destination<br><br>Chain OUTPUT (policy ACCEPT 11015 packets, 817K bytes)<br> pkts bytes target prot opt in out source destination<br><div><br></div><div><br></div>Only one weird thing I found in my Squid configuration - I had defined only one http_port (http_port 3128 intercept), and this port was used to access the proxy via explicit definitions in systems or applications - without any REDIRECT or marking in iptables/netfilter rules.<br><div><br><br>I thank you for every response that makes the error messages clearer.</div><div><div><div class="gmail_signature">-- <br>Karel Ziegler</div><div class="gmail_signature"><br></div></div>
</div></div>
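The situation described in this thread (an http_port declared as intercept, an empty NAT table, and a stream of SO_ORIGINAL_DST failures) can be checked mechanically. The script below is an added example written for this page; it is not code from the thread, from Squid, or from its author. It assumes the administrator can feed it the text of squid.conf and the output of `iptables -t nat -S`, and it uses constructed sample inputs in those formats. It lists intercept/tproxy ports that no REDIRECT, DNAT or TPROXY rule actually feeds (meaning whatever reaches them is explicit-proxy traffic), and it counts the NetfilterInterception failures per FD from cache.log lines of the form quoted above.

```python
"""Cross-check Squid http_port modes against the netfilter NAT table.

Added example, not part of the mailing-list thread. An http_port in
'intercept'/'transparent' or 'tproxy' mode only makes sense when a
netfilter rule redirects client traffic to it. If no rule targets that
port, every connection arriving there is explicit-proxy traffic and the
SO_ORIGINAL_DST lookup fails, which is the cache.log message above.
"""
import re
from collections import Counter

# Constructed squid.conf fragment: the single intercept port from the thread,
# a plain forward-proxy port for comparison, and an https intercept port.
SQUID_CONF = """\
# constructed sample
http_port 3128 intercept
http_port 3129
https_port 3130 intercept ssl-bump cert=/etc/squid/proxy.pem
"""

# Constructed `iptables -t nat -S` output: an empty NAT table, matching the
# `iptables -n -L -v -t nat` listing shown in the thread.
IPTABLES_NAT_EMPTY = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
"""

# Constructed `iptables -t nat -S` output with a REDIRECT rule feeding 3128.
IPTABLES_NAT_REDIRECT = """\
-P PREROUTING ACCEPT
-P POSTROUTING ACCEPT
-P OUTPUT ACCEPT
-A PREROUTING -i eth1 -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 3128
"""

# Constructed cache.log lines in the format quoted in the thread
# (timestamps are made up; FD numbers get reused, so 68 appears twice).
CACHE_LOG = """\
2018/05/21 15:01:02| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 68: (2) No such file or directory
2018/05/21 15:01:03| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 71: (2) No such file or directory
2018/05/21 15:01:03| IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 68: (2) No such file or directory
2018/05/21 15:01:04| Accepting HTTP Socket connections at ...
"""

# http_port/https_port lines: optional "[addr]:" prefix, then the port, then options.
PORT_RE = re.compile(r"^\s*(https?_port)\s+(?:\S*:)?(\d+)\s*(.*)$")
# Ports that netfilter rules deliver traffic to, for the three common targets.
REDIRECT_RE = re.compile(r"--to-ports\s+(\d+)")
DNAT_RE = re.compile(r"--to-destination\s+\S*:(\d+)")
TPROXY_RE = re.compile(r"--on-port\s+(\d+)")
ERR_RE = re.compile(
    r"NetfilterInterception: NF getsockopt\(SO_ORIGINAL_DST\) failed on FD (\d+)"
)


def intercept_ports(conf_text):
    """Return {port: mode} for http(s)_port lines that rely on NAT/TPROXY lookups."""
    found = {}
    for line in conf_text.splitlines():
        m = PORT_RE.match(line)
        if not m:
            continue
        options = m.group(3).split()
        # 'transparent' is the pre-3.2 spelling of 'intercept' (Squid 3.1 in the thread).
        for mode in ("intercept", "transparent", "tproxy"):
            if mode in options:
                found[int(m.group(2))] = mode
    return found


def nat_target_ports(iptables_s_text):
    """Return the set of local ports that REDIRECT/DNAT/TPROXY rules send traffic to."""
    ports = set()
    for line in iptables_s_text.splitlines():
        for rx in (REDIRECT_RE, DNAT_RE, TPROXY_RE):
            m = rx.search(line)
            if m:
                ports.add(int(m.group(1)))
    return ports


def unfed_intercept_ports(conf_text, iptables_s_text):
    """Intercept/tproxy ports with no netfilter rule feeding them: explicit traffic only."""
    targets = nat_target_ports(iptables_s_text)
    return sorted(p for p in intercept_ports(conf_text) if p not in targets)


def count_nat_lookup_failures(log_text):
    """Count SO_ORIGINAL_DST failures per FD; a rising total is a rate, not an FD leak."""
    counts = Counter()
    for line in log_text.splitlines():
        m = ERR_RE.search(line)
        if m:
            counts[int(m.group(1))] += 1
    return counts


if __name__ == "__main__":
    print("unfed intercept ports (empty NAT table):",
          unfed_intercept_ports(SQUID_CONF, IPTABLES_NAT_EMPTY))
    print("unfed intercept ports (with REDIRECT):",
          unfed_intercept_ports(SQUID_CONF, IPTABLES_NAT_REDIRECT))
    print("SO_ORIGINAL_DST failures per FD:", dict(count_nat_lookup_failures(CACHE_LOG)))
```

With the thread's configuration (one `http_port 3128 intercept` and an empty NAT table) the first check reports 3128 as an intercept port that nothing redirects to, which is exactly the condition under which Squid cannot recover an original destination; the fix on the Squid side is a plain `http_port 3128` (no mode flag) for explicitly configured clients, with a separate intercept port only where a REDIRECT rule exists. On a live host, replace the constructed strings with the real files and `iptables -t nat -S` output.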