
RE: [squid-users] squid 2.5 - ipf transparent proxy - FreeBSD 5.3-p13


 



Updated patch.

Found more errors in the same code for PF. The updated patch rearranges things to be a little softer and consistent on errors. In most cases it will work fine regardless (as you noticed with 2.5.STABLE9).

On Tue, 31 May 2005, Henrik Nordstrom wrote:

On Mon, 30 May 2005, Martijn Broeders - HUB Labs wrote:

I did some debugging and testing... and solved the problem.

There seems to be a big difference between STABLE9 and STABLE10
concerning ipnat and the --enable-ipf-transparent make arg.

With STABLE10 you have to do a 'chown root:squid /dev/ipnat'
and a 'chmod g+rw /dev/ipnat' to successfully enable transparent
proxying (assuming that you start your squid server with the
squid user and squid group).

With STABLE9 you could leave the /dev/ipnat owned by root:wheel,
but with STABLE10 you cannot!

It has always needed access to the nat device...

The core dump (described in my first mail with this subject)
occurs when the rights are not good on the ipnat device.

Right. A return statement has gone missing there.

The attached patch should restore the error handling equal to 2.5.STABLE9:
request rejected with error in cache.log. Please try this patch and report back.

note: To trigger this in 2.5.STABLE9 you need to send a HTTP/1.0 request without Host header.

Regards
Henrik
Index: src/client_side.c
===================================================================
RCS file: /cvsroot/squid/squid/src/client_side.c,v
retrieving revision 1.561.2.76
diff -u -p -r1.561.2.76 client_side.c
--- src/client_side.c	20 Apr 2005 21:46:06 -0000	1.561.2.76
+++ src/client_side.c	31 May 2005 01:58:37 -0000
@@ -2730,6 +2730,7 @@ parseHttpRequest(ConnStateData * conn, m
     else if (Config2.Accel.on && *url == '/') {
 	int vport;
 	if (vhost_mode) {
+	    static time_t last_reported = 0;
 #if IPF_TRANSPARENT
 	    natLookup.nl_inport = http->conn->me.sin_port;
 	    natLookup.nl_outport = http->conn->peer.sin_port;
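Review bot: The `last_reported` static declared here is the single timestamp used by every failure site in this function — the NAT open failure and the SIOCGNATL lookup failure in the next hunk, and the PF and netfilter equivalents after that — so a burst of one failure kind silently suppresses the first report of a different kind for up to 60 seconds. Open-failed (device permissions, the subject of this thread) and lookup-failed are distinct operator-visible conditions and deserve independent throttles. One static per message keeps the change small, e.g. `static time_t last_open_reported = 0, last_lookup_reported = 0;`. The enclosing function parseHttpRequest starts before this hunk.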
@@ -2749,12 +2750,10 @@ parseHttpRequest(ConnStateData * conn, m
 		errno = save_errno;
 	    }
 	    if (natfd < 0) {
-		debug(50, 1) ("parseHttpRequest: NAT open failed: %s\n",
-		    xstrerror());
-		dlinkDelete(&http->active, &ClientActiveRequests);
-		xfree(http->uri);
-		cbdataFree(http);
-		xfree(inbuf);
+		if (squid_curtime - last_reported > 60) {
+		    debug(50, 1) ("parseHttpRequest: NAT open failed: %s\n", xstrerror());
+		    last_reported = squid_curtime;
+		}
 	    } else {
 		/*
 		 * IP-Filter changed the type for SIOCGNATL between
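Review bot: After a failed NAT open the new `natfd < 0` branch only logs (rate-limited) and then falls through into the rest of the request parsing with `conn->me` left as it was before the lookup, where the old code freed the request (and, per the thread, crashed for want of a return). That is the "softer" behaviour the cover note announces, but it is also a silent departure from the STABLE9 reject-with-error behaviour the earlier message says this patch restores, and nothing in the hunk records that the fall-through is deliberate. Suggest a comment on that branch such as `/* NAT device unavailable: continue as a plain accelerated request using the unmodified conn->me; whether that destination is usable is decided further down */`. Note that the `errno == ESRCH` (no mapping) case fell through the same way before this patch, so the comment should cover both.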
@@ -2771,48 +2770,57 @@ parseHttpRequest(ConnStateData * conn, m
 		}
 		if (x < 0) {
 		    if (errno != ESRCH) {
-			debug(50, 1) ("parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL)\n");
+			if (squid_curtime - last_reported > 60) {
+			    debug(50, 1) ("parseHttpRequest: NAT lookup failed: ioctl(SIOCGNATL): %s\n", xstrerror());
+			    last_reported = squid_curtime;
+			}
 			close(natfd);
 			natfd = -1;
-			dlinkDelete(&http->active, &ClientActiveRequests);
-			xfree(http->uri);
-			cbdataFree(http);
-			xfree(inbuf);
 		    }
 		} else {
 		    conn->me.sin_port = natLookup.nl_realport;
-		    http->conn->me.sin_addr = natLookup.nl_realip;
+		    conn->me.sin_addr = natLookup.nl_realip;
 		}
 	    }
 #elif PF_TRANSPARENT
 	    if (pffd < 0)
 		pffd = open("/dev/pf", O_RDWR);
 	    if (pffd < 0) {
-		debug(50, 1) ("parseHttpRequest: PF open failed: %s\n",
-		    xstrerror());
-		return parseHttpRequestAbort(conn, "error:pf-open-failed");
-	    }
-	    memset(&nl, 0, sizeof(struct pfioc_natlook));
-	    nl.saddr.v4.s_addr = http->conn->peer.sin_addr.s_addr;
-	    nl.sport = http->conn->peer.sin_port;
-	    nl.daddr.v4.s_addr = http->conn->me.sin_addr.s_addr;
-	    nl.dport = http->conn->me.sin_port;
-	    nl.af = AF_INET;
-	    nl.proto = IPPROTO_TCP;
-	    nl.direction = PF_OUT;
-	    if (ioctl(pffd, DIOCNATLOOK, &nl)) {
-		if (errno != ENOENT) {
-		    debug(50, 1) ("parseHttpRequest: PF lookup failed: ioctl(DIOCNATLOOK)\n");
-		    close(pffd);
-		    pffd = -1;
+		if (squid_curtime - last_reported > 60) {
+		    debug(50, 1) ("parseHttpRequest: PF open failed: %s\n", xstrerror());
+		    last_reported = squid_curtime;
 		}
 	    } else {
-		conn->me.sin_port = nl.rdport;
-		http->conn->me.sin_addr = nl.rdaddr.v4;
+		memset(&nl, 0, sizeof(struct pfioc_natlook));
+		nl.saddr.v4.s_addr = http->conn->peer.sin_addr.s_addr;
+		nl.sport = http->conn->peer.sin_port;
+		nl.daddr.v4.s_addr = http->conn->me.sin_addr.s_addr;
+		nl.dport = http->conn->me.sin_port;
+		nl.af = AF_INET;
+		nl.proto = IPPROTO_TCP;
+		nl.direction = PF_OUT;
+		if (ioctl(pffd, DIOCNATLOOK, &nl)) {
+		    if (errno != ENOENT) {
+			if (squid_curtime - last_reported > 60) {
+			    debug(50, 1) ("parseHttpRequest: PF lookup failed: ioctl(DIOCNATLOOK): %s\n", xstrerror());
+			    last_reported = squid_curtime;
+			}
+			close(pffd);
+			pffd = -1;
+		    }
+		} else {
+		    conn->me.sin_port = nl.rdport;
+		    conn->me.sin_addr = nl.rdaddr.v4;
+		}
 	    }
 #elif LINUX_NETFILTER
 	    /* If the call fails the address structure will be unchanged */
-	    getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz);
+	    if (getsockopt(conn->fd, SOL_IP, SO_ORIGINAL_DST, &conn->me, &sock_sz) != 0) {
+		if (squid_curtime - last_reported > 60) {
+		    debug(50, 1) ("parseHttpRequest: NF getsockopt(SO_ORIGINAL_DST) failed: %s\n", xstrerror());
+		    last_reported = squid_curtime;
+		}
+	    }
 #endif
 	}
 	if (vport_mode)
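Review bot: The throttle interval `60` is now written out as a literal in five places across these hunks (the two new IPF sites, the two PF sites and the netfilter site), which is exactly the kind of value that drifts when one site is later edited; a single named constant near the top of the file, e.g. `#define TRANSPARENT_ERR_REPORT_INTERVAL 60` used as `if (squid_curtime - last_reported > TRANSPARENT_ERR_REPORT_INTERVAL)`, would keep them in step. Since the thread is about device permissions, it is also worth confirming whether the PF lookup actually needs a writable descriptor; if DIOCNATLOOK is permitted on a read-only fd, the `open("/dev/pf", O_RDWR)` at the top of this hunk could be narrowed to `O_RDONLY` so the squid user needs less than read-write on the device. That open line is unchanged context here, so I am only raising it as a follow-up.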

