Sorry about this....I just figured it out....the public Internet stuff works now, it was a topology config problem in my network hardware.
Setting /proc/sys/net/ipv4/ip_nonlocal_bind to 1 makes a definite positive impact on things. I still get occasional errors like the ones below, but setting ip_nonlocal_bind to 1 reduced the number of errors in the log, and seemingly boosted performance of page loads.

2008/08/01 11:16:59| IPInterception.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed: (11) Resource temporarily unavailable
2008/08/01 11:16:59| IPInterception.cc(171) NetfilterTransparent: NF getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available

Nick

-----Original Message-----
From: Ritter, Nicholas
Sent: Friday, August 01, 2008 10:46 AM
To: 'Amos Jeffries'
Cc: 'squid-dev@squid-cache.org'
Subject: RE: squid3HEAD/TPROXY: interception log entries

BTW- Setting /proc/sys/net/ipv4/ip_nonlocal_bind to 1 had an interesting effect. For internal non-NAT'ed addresses, squid worked great and the getsockopt errors in cache.log went away. But for external URLs from the same workstation, the following happens:

1) the browser hangs saying that it is waiting for the remote server
2) the getsockopt errors happen occasionally, the same (92) and (11) errors
3) squid access.log shows TCP_MISS/000 0 GET messages for each attempted access to a URL that is a public Internet address.

In my environment, as in most, the workstation is NAT'ed to a public IP to get to the Internet. I don't know if the failure here is with the NAT'ing and access controls/protections on my border firewall, or something in between, like on the gateway router, etc. If I don't hit the stop button in the browser, eventually the squid access log sees a TCP_MISS/504 and what looks like a fetch of the page, but the client shows an error page from squid saying the URL could not be retrieved because of a (110) connection timeout.
Nick

-----Original Message-----
From: Ritter, Nicholas
Sent: Tuesday, July 29, 2008 9:45 AM
To: 'Amos Jeffries'
Cc: 'squid-dev@squid-cache.org'
Subject: RE: squid3HEAD/TPROXY: interception log entries

Amos-

I applied that patch you sent over. I applied it against squid-3.HEAD-20080721 and the build went fine. When I installed it and did some testing, this is what I observed trying to hit the URL http://www.cnn.com. This testing was done with intercept removed and just the tproxy directive in the squid.conf.

cache.log:
2008/07/29 09:29:52| IPInterception.cc(171) NetfilterTransparent: NF getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available

access.log:
1217341792.820 0 10.48.1.198 NONE/400 1831 GET / - NONE/- text/html

Exact URL entered into IE7 on WindowsXP SP2 test machine: http://www.cnn.com

Error on the client:
The following error was encountered while trying to retrieve the URL: /
Invalid URL
Some aspect of the requested URL is incorrect.
Some possible problems are:
  Missing or incorrect access protocol (should be http:// or similar)
  Missing hostname
  Illegal double-escape in the URL-Path
  Illegal character in hostname; underscores are not allowed.

It appears as though too much is being stripped from the URL.

If I re-enable both interception and tproxy in squid.conf, I get a working system again, with this in cache.log:

2008/07/29 09:42:29| IPInterception.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed: (11) Resource temporarily unavailable
2008/07/29 09:42:29| IPInterception.cc(171) NetfilterTransparent: NF getsockopt(IP_TRANSPARENT) failed: (92) Protocol not available
2008/07/29 09:42:50| commBind: Cannot bind socket FD 35 to 10.48.1.198:2173: (98) Address already in use
2008/07/29 09:42:50| comm.cc(1002) commResetFD: bind: (98) Address already in use
2008/07/29 09:42:52| commBind: Cannot bind socket FD 30 to 10.48.1.198:2165: (98) Address already in use
2008/07/29 09:42:52| comm.cc(1002) commResetFD: bind: (98) Address already in use

I noticed that there is a non-local bind setting in proc: /proc/sys/net/ipv4/ip_nonlocal_bind. Should I set this to 1 or 0?
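Added example in C, not Squid's own code nor part of this thread: the two getsockopt() probes behind the IPInterception.cc lines quoted above, NAT lookup (SO_ORIGINAL_DST) first and TPROXY flag (IP_TRANSPARENT) second, with the errno values from the logs (11, 92) mapped to a verdict. The enum and function names are this example's own, and the demo input is a constructed, unconnected socket (Linux only).

```c
/* Added example, not Squid's code: probe an accepted TCP socket the way an
 * interception proxy does (NAT redirect lookup first, TPROXY flag second)
 * and map the outcome to a verdict. Linux only. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netfilter_ipv4.h>   /* SO_ORIGINAL_DST (needs nf_conntrack) */

enum intercept_mode { MODE_NAT, MODE_TPROXY, MODE_NONE };

/* Pure classification of the two probe results (0 = the probe succeeded),
 * kept separate from the syscalls so it can be checked without root. */
enum intercept_mode classify_probe(int orig_dst_err, int transparent_err)
{
    if (orig_dst_err == 0)
        return MODE_NAT;      /* conntrack returned the pre-NAT destination */
    if (transparent_err == 0)
        return MODE_TPROXY;   /* socket carries the IP_TRANSPARENT flag */
    return MODE_NONE;         /* e.g. EAGAIN (11) + ENOPROTOOPT (92) as logged */
}

/* Run both getsockopt() probes on fd. On a NAT-redirected connection *orig
 * receives the client's original destination; otherwise it stays zeroed. */
enum intercept_mode probe_socket(int fd, struct sockaddr_in *orig)
{
    int orig_err = 0, tp_err = 0, flag = 0;
    socklen_t olen = sizeof *orig, flen = sizeof flag;
    memset(orig, 0, sizeof *orig);
    if (getsockopt(fd, SOL_IP, SO_ORIGINAL_DST, orig, &olen) != 0)
        orig_err = errno;     /* ENOENT: no conntrack entry; ENOPROTOOPT: no module */
    if (getsockopt(fd, SOL_IP, IP_TRANSPARENT, &flag, &flen) != 0)
        tp_err = errno;       /* ENOPROTOOPT (92): kernel predates TPROXY support */
    else if (!flag)
        tp_err = ENOENT;      /* option exists but this socket is not transparent */
    return classify_probe(orig_err, tp_err);
}

int main(void)
{
    /* Constructed demo: a fresh, unconnected socket has neither property. */
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    struct sockaddr_in orig;
    static const char *names[] = { "NAT redirect", "TPROXY", "not intercepted" };
    printf("verdict: %s\n", names[probe_socket(fd, &orig)]);
    close(fd);
    return 0;
}
```

On a real accepted connection the (11)/(92) pair in the thread means neither the NAT table nor TPROXY could identify the client's intended destination, so the proxy has nothing to forward to.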