[squid-users] More NAT/TPROXY lookup fails (NetBSD 7.0, IPFilter 5.1)

Stephen Borrill squid at borrill.org.uk
Mon Jan 18 08:36:38 UTC 2016


On 16/01/2016 13:16, Egerváry Gergely wrote:
> Hi,
> 
> I'm running on:
> - NetBSD 7.0_STABLE (checked out today)
> - Squid 3.5.12 from NetBSD pkgsrc 2015Q4
> - IP Filter: v5.1.2 (536)
> 
> Configured with "--enable-ipf-transparent":
> 
>   $ ./configure --sysconfdir=/usr/pkg/etc/squid --localstatedir=/var/squid
> --datarootdir=/usr/pkg/share/squid --disable-strict-error-checking
> --enable-auth --enable-cachemgr-hostname=localhost --enable-delay-pools
> --enable-icap-client --enable-icmp --enable-poll
> --enable-removal-policies=lru,heap --enable-storeio=ufs diskd --with-aio
> --with-default-user=squid --with-pidfile=/var/run/squid.pid
> --disable-arch-native --enable-ipf-transparent --enable-carp
> --without-mit-krb5 --without-heimdal-krb5 --enable-snmp --enable-ssl
> --with-openssl=/usr --enable-auth-basic=NCSA getpwnam PAM
> --enable-auth-digest=file --disable-auth-negotiate
> --enable-auth-ntlm=fake smb_lm --enable-external-acl-helpers=file_userip
> unix_group --prefix=/usr/pkg --build=x86_64--netbsd --host=x86_64--netbsd
> --mandir=/usr/pkg/man
> 
> For testing, I flushed ALL ipfilter and ipnat rules, except one:
> 
> rdr wm1 from 172.28.0.0/16 to any port = 80 -> 172.28.0.20 port 80 tcp
> 
> wm1 is the LAN interface, 172.28.0.20 is the squid IP.
> 
> $ egrep -v '(^$|^#)' squid.conf
> 
> acl Safe_ports port 80          # http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 127.0.0.1:80 intercept
> http_port 127.0.0.1:8080
> http_port 172.28.0.20:80 intercept
> http_port 172.28.0.20:8080
> coredump_dir /var/squid/cache/squid
> refresh_pattern ^ftp:           1440    20%     10080
> refresh_pattern ^gopher:        1440    0%      1440
> refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
> refresh_pattern .               0       20%     4320
> 
> ... and I get the famous message:
> 
> 2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate
> original IPs on local=172.28.0.20:80 remote=172.28.0.20:65363 FD 19 flags=33
> 
> Am I missing something?

This is a bug in IPFilter 5. We're waiting to hear back from the
IPFilter maintainer before committing.

Try this patch (and read the PR for more info):

--- sys/external/bsd/ipf/netinet/ip_nat.c       8 Aug 2015 10:09:57
-0000       1.13.2.1
+++ sys/external/bsd/ipf/netinet/ip_nat.c       18 Jan 2016 08:34:51 -0000
@@ -4626,9 +4626,10 @@
                                        np->nl_flags &= ~IPN_FINDFORWARD;
                                }
                        }
+/* XXX http://gnats.netbsd.org/50198 */

-                       np->nl_realip = nat->nat_ndstip;
-                       np->nl_realport = nat->nat_ndport;
+                       np->nl_realip = nat->nat_odstip;
+                       np->nl_realport = nat->nat_odport;

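Review bot: the `/* XXX http://gnats.netbsd.org/50198 */` marker is placed at column 0, separated by a blank line from the two assignments it annotates, and gives no reason for the change; move it directly above `np->nl_realip = nat->nat_odstip;` at the block's indentation and state why the lookup must report the original (pre-translation) destination `nat_odstip`/`nat_odport` rather than the rewritten `nat_ndstip`/`nat_ndport`, which is what lets Squid's NAT lookup recover the client's real destination for an rdr rule. It is also worth confirming that the `IPN_FINDFORWARD` handling just above does not need the same swap, since the hunk only touches the fall-through assignment; if the XXX tag is meant to be temporary until the IPFilter maintainer responds, say so in the comment.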

