List:       squid-users
Subject:    Re: [squid-users] NAT Lookup
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2008-09-30 23:55:44
Message-ID: 48E2BC80.3060001 () treenet ! co ! nz

Dean, Barry wrote:
> Just searching the old Intermahweb again with my problem and found that Amos had
> replied to me some time ago and I missed it!!!:
> > Dean, Barry wrote:
> > 
> > > OK. I have bodged up the IPInterception.cc file and added the line from
> > > /usr/include/sys/types.h to get it to compile.
> > > My change to add the error string has resulted in the error coming out as:
> > > 
> > > clientNatLookup: NAT lookup failed: ioctl(SIOCGNATL): (22) Invalid argument 
> > > 
> > > I think we have a smoking gun here! It is starting to look like Squid is
> > > constructing the structure wrong that it is passing to the ipnat driver via
> > > the ioctl.
> > > How to debug this is the question...
> > > 
> > > Thanks for the help so far.. I'll post my findings if I get a solution. 
> > > 
> > You may be right, there have been upgrades to interception recently that 
> > are not tested in some NAT lookup methods. 
> > 
> > To debug you can either trace it live in a debugger, or thread debugs() 
> > calls through the IPF section that display the parameter values. 
> > 
> > However, I'd like to be certain that anything to be merged is tested and 
> > working on an unpatched kernel with working compilers. 
> > 
> > Amos
> 
> In response...
> 
> These NAT Lookup errors have occurred ever since we first installed squid on the
> box, before any patches.
> I have meticulously gone through the manual pages on this and checked each and
> every item. Unless there is something silly in the "me" and "peer" arguments to
> clientNatLookup() in IPInterception.cc the only problem I could see was that
> potentially the struct natLookup may have had garbage values for
> natLookup.nl_realip and natLookup.nl_realport, and the manual says these must be 0
> before the ioctl.
> So I added a memset to clear it, tried the improved version and I still get the
> errors!
> Will these errors be affecting the way squid is working?
>
> How important is the NAT Lookup?

Well, it's key to whether Squid handles URLs like /index.php instead of
requiring http://example.com/index.php.

Other than URI handling it's only logged for administration purposes.
Squid uses its own outgoing IP and does independent destination DNS
lookups for security.

You might get fewer errors if you ensure the standard proxy port and the
intercept port are different. It will certainly cut down on the NAT
lookup load.

If it's not working in a current squid can you report a bug please with
the following info:
  - squid release(s) failing
  - OS type and version
  - IPF release version
  - what you've already tried (i.e. the memset), and what it did.

Thanks

Amos
-- 
Please use Squid 2.7.STABLE4 or 3.0.STABLE9
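
The suggestion above to keep the standard proxy port and the intercept port separate, as an added squid.conf sketch that is not part of the original message. The port numbers and the interface name in the commented ipnat rule are assumptions; `transparent` is the http_port option in the Squid 2.7 and 3.0 releases named in the signature.

```conf
# squid.conf for Squid 2.7 / 3.0 (constructed example; port numbers are assumptions)

# Combined setup, shown commented out: one port receives both browser-configured
# clients and NAT-redirected traffic, so both kinds of connection arrive on a
# port flagged for interception.
# http_port 3128 transparent

# Split setup: configured clients and intercepted traffic use separate ports.

# Explicit proxy port. Clients send absolute URLs (http://example.com/index.php),
# so no NAT lookup is needed to handle the request.
http_port 3128

# Intercept port. Only connections redirected by the NAT rule should arrive here;
# requests carry relative URLs (/index.php) and depend on the NAT lookup.
http_port 3129 transparent

# The IPFilter redirect has to target the intercept port, not 3128.
# Assumed ipnat rule with a hypothetical interface name (bge0):
#   rdr bge0 0.0.0.0/0 port 80 -> 127.0.0.1 port 3129 tcp
```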
