Re: Re: [squid-users] squid-3.1.0.9 - error directory not created automatically

2009-07-09 Thread Zeller, Jan
Sorry, Henrik, for my lack of knowledge here. But on the squid box I have done
this:

$ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 8080
$ iptables -t nat -vL
Chain PREROUTING (policy ACCEPT 885 packets, 49584 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:www redir ports 8080

Chain POSTROUTING (policy ACCEPT 59 packets, 3777 bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain OUTPUT (policy ACCEPT 59 packets, 3777 bytes)
 pkts bytes target     prot opt in     out     source               destination

The gw/router rule is done by:

# iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 2 -p tcp --dport 80
# iptables -t mangle -vL PREROUTING
Chain PREROUTING (policy ACCEPT 122K packets, 49M bytes)
 pkts bytes target     prot opt in     out     source               destination
  553 61889 MARK       tcp  --  eth1   any     anywhere             anywhere            tcp dpt:www MARK xset 0x2/0x

# ip rule add fwmark 2 table 2
# ip rule show
 0: from all lookup local 
 32765: from all fwmark 0x2 lookup 2 
 32766: from all lookup main 
 32767: from all lookup default 

# ip r a default via 192.168.1.10 dev eth2 table 2
# ip route sh table 2
 default via 192.168.1.10 dev eth2

Where 192.168.1.10 is the IP address of the squid box. Anyway, it works well
despite the warnings.

Thanks

Jan

-----Original Message-----
From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
Sent: Wednesday, 8 July 2009 02:22
To: Zeller, Jan
Cc: squid-users@squid-cache.org
Subject: Re: Re: [squid-users] squid-3.1.0.9 - error directory not created
automatically

On Fri, 2009-07-03 at 08:30 +0200, Zeller, Jan wrote:
> Thank you Amos, that works!
> But now squid-3.1.0.9 produces nearly every second this message:
>
> squid[6609]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available

This error indicates that your Squid is configured for
Netfilter/Iptables transparent interception, but there are apparently no
netfilter NAT rules installed on the server (NAT engine not loaded in the
kernel).

How have you done your transparent interception?

Regards
Henrik



Re: Re: Re: [squid-users] squid-3.1.0.9 - error directory not created automatically

2009-07-09 Thread Amos Jeffries

Zeller, Jan wrote:
> Sorry, Henrik, for my lack of knowledge here. But on the squid box I have done
> this:

The message occurs in three cases:

 * missing/broken NAT support on the box
 * packet did not arrive via NAT
 * packet src before NAT was the Squid receiving box (looping bounce!)

There are a few things to try, one at a time, to see what happens. Squid
does not need to be changed at all during these, so if cache.log simply
stops reporting the message you have success...

> $ iptables -t nat -A PREROUTING -p tcp -i eth0 --dport 80 -j REDIRECT --to-port 8080
> $ iptables -t nat -vL
> Chain PREROUTING (policy ACCEPT 885 packets, 49584 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>     0     0 REDIRECT   tcp  --  eth0   any     anywhere             anywhere            tcp dpt:www redir ports 8080

Anything change if you add   ! -s 192.168.1.10   to that rule, or add a
... -s 192.168.1.10 -j ACCEPT above it?

> Chain POSTROUTING (policy ACCEPT 59 packets, 3777 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> Chain OUTPUT (policy ACCEPT 59 packets, 3777 bytes)
>  pkts bytes target     prot opt in     out     source               destination
>
> The gw/router rule is done by:
>
> # iptables -t mangle -A PREROUTING -i eth1 -j MARK --set-mark 2 -p tcp --dport 80
> # iptables -t mangle -vL PREROUTING
> Chain PREROUTING (policy ACCEPT 122K packets, 49M bytes)
>  pkts bytes target     prot opt in     out     source               destination
>   553 61889 MARK       tcp  --  eth1   any     anywhere             anywhere            tcp dpt:www MARK xset 0x2/0x

The policy routing config example has these rules here (it assumes Squid
is inside the same router NIC as the clients):

$IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -s $PROXYIP -j ACCEPT

# mark everything else on port 80 to be routed to the Squid box
$IPTABLES -t mangle -A PREROUTING -i $INPUTINTERFACE -p tcp --dport 80 -j MARK --set-mark 2

$IPTABLES -t mangle -A PREROUTING -m mark --mark 2 -j ACCEPT

I assume that the squid box only has one NIC and the Squid box has zero
ways to send packets _in_ the router eth1, right?

Amos



> # ip rule add fwmark 2 table 2
> # ip rule show
>  0:     from all lookup local
>  32765: from all fwmark 0x2 lookup 2
>  32766: from all lookup main
>  32767: from all lookup default
>
> # ip r a default via 192.168.1.10 dev eth2 table 2
> # ip route sh table 2
>  default via 192.168.1.10 dev eth2
>
> Where 192.168.1.10 is the IP address of the squid box. Anyway, it works well
> despite the warnings.

They are non-fatal from a client point of view. But you lose any hope
of seeing or accounting for particular clients' traffic at the IP level
when it happens. Not to mention the log size :(

Amos


> -----Original Message-----
> From: Henrik Nordstrom [mailto:hen...@henriknordstrom.net]
> Sent: Wednesday, 8 July 2009 02:22
> To: Zeller, Jan
> Cc: squid-users@squid-cache.org
> Subject: Re: Re: [squid-users] squid-3.1.0.9 - error directory not created
> automatically
>
> On Fri, 2009-07-03 at 08:30 +0200, Zeller, Jan wrote:
>> Thank you Amos, that works!
>> But now squid-3.1.0.9 produces nearly every second this message:
>>
>> squid[6609]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available
>
> This error indicates that your Squid is configured for
> Netfilter/Iptables transparent interception, but there are apparently no
> netfilter NAT rules installed on the server (NAT engine not loaded in the
> kernel).
>
> How have you done your transparent interception?
>
> Regards
> Henrik

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9
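
The loop guard Amos asks about above (the `-s 192.168.1.10 -j ACCEPT` placed ahead of the REDIRECT on the squid box, and ahead of the MARK on the router), written out as one complete rule set for both boxes. This is an added example, not code from the thread or from the Squid project. It reuses only the names the thread gives (eth0 on the squid box, eth1/eth2 on the router, 192.168.1.10, intercept port 8080, mark 2, table 2); the variable names, the `squid|router` argument and the dry-run mode are assumptions of this script.

```shell
#!/bin/sh
# Added example, not code from the thread or from the Squid project.
# Loop-safe version of the two rule sets discussed in the thread: the squid
# box (REDIRECT into the intercept port) and the gw/router (fwmark plus a
# policy route to the squid box). Values that appear in the thread are the
# defaults; everything is a variable so the script can be dry-run with
# IPTABLES=echo IP=echo to just print the rules.

IPTABLES="${IPTABLES:-iptables}"
IP="${IP:-ip}"
PROXYIP="${PROXYIP:-192.168.1.10}"           # the squid box
SQUIDPORT="${SQUIDPORT:-8080}"               # http_port 8080 intercept
SQUID_IN_IF="${SQUID_IN_IF:-eth0}"           # squid box NIC receiving routed traffic
ROUTER_LAN_IF="${ROUTER_LAN_IF:-eth1}"       # router NIC facing the clients
ROUTER_PROXY_IF="${ROUTER_PROXY_IF:-eth2}"   # router NIC facing the squid box
MARK="${MARK:-2}"
TABLE="${TABLE:-2}"

# Squid box. The ACCEPT is the loop guard: a port-80 packet arriving on the
# intercept NIC with the proxy's own address as source can only be one of
# Squid's own outbound fetches bounced back by the router. If it fell through
# to the REDIRECT it would reach port 8080 with no NAT record, which is
# exactly the SO_ORIGINAL_DST failure logged in the thread. Squid's own
# outbound connections leave via the OUTPUT chain and are never REDIRECTed.
squid_box_rules() {
    $IPTABLES -t nat -A PREROUTING -i "$SQUID_IN_IF" -p tcp --dport 80 \
        -s "$PROXYIP" -j ACCEPT
    $IPTABLES -t nat -A PREROUTING -i "$SQUID_IN_IF" -p tcp --dport 80 \
        -j REDIRECT --to-port "$SQUIDPORT"
}

# Router. Exempt the proxy's own traffic before marking the clients' traffic;
# otherwise Squid's outbound connections would be policy-routed straight back
# to the squid box (the "looping bounce" case). The exemption is redundant
# while the proxy sits on its own NIC (eth2) and the MARK matches only eth1,
# and essential the moment the proxy shares the client NIC.
router_rules() {
    $IPTABLES -t mangle -A PREROUTING -p tcp --dport 80 -s "$PROXYIP" -j ACCEPT
    $IPTABLES -t mangle -A PREROUTING -i "$ROUTER_LAN_IF" -p tcp --dport 80 \
        -j MARK --set-mark "$MARK"
    $IPTABLES -t mangle -A PREROUTING -m mark --mark "$MARK" -j ACCEPT
    # Marked packets consult table 2, whose only route is the squid box.
    $IP rule add fwmark "$MARK" table "$TABLE"
    $IP route add default via "$PROXYIP" dev "$ROUTER_PROXY_IF" table "$TABLE"
}

case "${1:-}" in
    squid)  squid_box_rules ;;
    router) router_rules ;;
    *)      echo "usage: $0 squid|router   (set IPTABLES=echo IP=echo to dry-run)" >&2 ;;
esac
```

Run it as `sh loopsafe.sh squid` on the proxy and `sh loopsafe.sh router` on the gateway (or with `IPTABLES=echo IP=echo` first to review the rules). Afterwards `iptables -t nat -vL PREROUTING` on the squid box is a direct test of Amos's third case: a packet counter on the new ACCEPT rule that keeps climbing means the router is bouncing the proxy's own traffic back. A REDIRECT counter that stays at 0 while port 8080 is still receiving connections is his second case, traffic reaching the intercept port without passing through NAT at all.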


Re: Re: [squid-users] squid-3.1.0.9 - error directory not created automatically

2009-07-07 Thread Henrik Nordstrom
On Fri, 2009-07-03 at 08:30 +0200, Zeller, Jan wrote:
> Thank you Amos, that works!
> But now squid-3.1.0.9 produces nearly every second this message:
>
> squid[6609]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available

This error indicates that your Squid is configured for
Netfilter/Iptables transparent interception, but there are apparently no
netfilter NAT rules installed on the server (NAT engine not loaded in the
kernel).

How have you done your transparent interception?

Regards
Henrik



Re: Re: [squid-users] squid-3.1.0.9 - error directory not created automatically

2009-07-05 Thread Amos Jeffries

Zeller, Jan wrote:
> Thank you Amos, that works!
> But now squid-3.1.0.9 produces nearly every second this message:
>
> squid[6609]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available
>
> squid-3.1.0.7 didn't? Is this message harmless? I think so...
> But how can I prevent squid from filling up my log?

Ah, it's there for now to highlight when NAT issues are occurring. It
represents a failure to locate NAT records for the request. If 8080
receives non-DNAT/REDIRECT traffic this appears. Should _only_ occur
on the intercept port requests.

It was not appearing in 3.1.0.3-3.1.0.7 due to a breakage in Squid which
was error-reporting the successful lookups. I'll turn the silencer back
on shortly when I'm confident that it's only finding the semi-harmless errors.

You may want to look into why it's occurring so often.


> (acts at the same time as normal and transparent proxy
> squid.conf
> ...
> http_port 80 connection-auth=on
> http_port 8080 intercept
> ...
> )
>
> kind regards,
> ---
> Jan


> -----Original Message-----
> From: Amos Jeffries [mailto:squ...@treenet.co.nz]
> Sent: Thursday, 2 July 2009 03:20
> To: Zeller, Jan
> Cc: squid-users@squid-cache.org
> Subject: Re: [squid-users] squid-3.1.0.9 - error directory not created
> automatically
>
> On Wed, 1 Jul 2009 08:55:25 +0200, Zeller, Jan jan.zel...@id.unibe.ch
> wrote:
>> Dear list,
>>
>> I compiled squid-3.1.0.9 like this:
>>
>> $ squid -v
>> Squid Cache: Version 3.1.0.9
>> configure options:  '--prefix=/opt/squid-3.1.0.9' '--enable-icap-client'
>> '--enable-ssl' '--enable-linux-netfilter' '--enable-http-violations'
>> '--with-filedescriptors=32768' '--with-pthreads' '--disable-ipv6'
>> --with-squid=/usr/local/src/squid-3.1.0.9 --enable-ltdl-convenience
>>
>> Unfortunately there is no 'error' directory created!? Why? squid-3.1.0.7
>> created this directory automatically.
>> Should I explicitly download the language pack from
>> http://www.squid-cache.org/Versions/langpack/ ?
>>
>> kind regards,
>
> Small muckup changing the install locations.  I'm aware of and working on
> this.
> Yes, the langpack download+install would be a good work-around.
>
> Amos

--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE16
  Current Beta Squid 3.1.0.9


Re: [squid-users] squid-3.1.0.9 - error directory not created automatically

2009-07-03 Thread Zeller, Jan
Thank you Amos, that works!
But now squid-3.1.0.9 produces nearly every second this message:

squid[6609]: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 403: (92) Protocol not available

squid-3.1.0.7 didn't? Is this message harmless? I think so...
But how can I prevent squid from filling up my log?

(acts at the same time as normal and transparent proxy
squid.conf
...
http_port 80 connection-auth=on
http_port 8080 intercept
...
)

kind regards,
---
Jan


-----Original Message-----
From: Amos Jeffries [mailto:squ...@treenet.co.nz]
Sent: Thursday, 2 July 2009 03:20
To: Zeller, Jan
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] squid-3.1.0.9 - error directory not created
automatically

On Wed, 1 Jul 2009 08:55:25 +0200, Zeller, Jan jan.zel...@id.unibe.ch
wrote:
> Dear list,
>
> I compiled squid-3.1.0.9 like this:
>
> $ squid -v
> Squid Cache: Version 3.1.0.9
> configure options:  '--prefix=/opt/squid-3.1.0.9' '--enable-icap-client'
> '--enable-ssl' '--enable-linux-netfilter' '--enable-http-violations'
> '--with-filedescriptors=32768' '--with-pthreads' '--disable-ipv6'
> --with-squid=/usr/local/src/squid-3.1.0.9 --enable-ltdl-convenience
>
> Unfortunately there is no 'error' directory created!? Why? squid-3.1.0.7
> created this directory automatically.
> Should I explicitly download the language pack from
> http://www.squid-cache.org/Versions/langpack/ ?
>
> kind regards,

Small muckup changing the install locations.  I'm aware of and working on
this.
Yes, the langpack download+install would be a good work-around.

Amos


[squid-users] squid-3.1.0.9 - error directory not created automatically

2009-07-01 Thread Zeller, Jan
Dear list,

I compiled squid-3.1.0.9 like this:

$ squid -v
Squid Cache: Version 3.1.0.9
configure options:  '--prefix=/opt/squid-3.1.0.9' '--enable-icap-client'
'--enable-ssl' '--enable-linux-netfilter' '--enable-http-violations'
'--with-filedescriptors=32768' '--with-pthreads' '--disable-ipv6'
--with-squid=/usr/local/src/squid-3.1.0.9 --enable-ltdl-convenience

Unfortunately there is no 'error' directory created!? Why? squid-3.1.0.7
created this directory automatically.
Should I explicitly download the language pack from
http://www.squid-cache.org/Versions/langpack/ ?

kind regards,

Best regards
---
Jan Zeller
Informatikdienste
Universität Bern



Re: [squid-users] squid-3.1.0.9 - error directory not created automatically

2009-07-01 Thread Amos Jeffries
On Wed, 1 Jul 2009 08:55:25 +0200, Zeller, Jan jan.zel...@id.unibe.ch
wrote:
> Dear list,
>
> I compiled squid-3.1.0.9 like this:
>
> $ squid -v
> Squid Cache: Version 3.1.0.9
> configure options:  '--prefix=/opt/squid-3.1.0.9' '--enable-icap-client'
> '--enable-ssl' '--enable-linux-netfilter' '--enable-http-violations'
> '--with-filedescriptors=32768' '--with-pthreads' '--disable-ipv6'
> --with-squid=/usr/local/src/squid-3.1.0.9 --enable-ltdl-convenience
>
> Unfortunately there is no 'error' directory created!? Why? squid-3.1.0.7
> created this directory automatically.
> Should I explicitly download the language pack from
> http://www.squid-cache.org/Versions/langpack/ ?
>
> kind regards,

Small muckup changing the install locations.  I'm aware of and working on
this.
Yes, the langpack download+install would be a good work-around.

Amos