Re: IpIntercept.cc(137) NetfilterInterception: NF getsockopt(SO_ORIGINAL_DST) failed on FD 4125: (2) No such file or directory

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

On 11/10/2013 2:24 a.m., Omid Kosari wrote:
> I have 2 squid boxes worked fine for long time . recently i have change a
> little bit in configs after that i see hickups in realtime graph and http
> hangups right when following error appears in cache.log of one of squid
> boxes.
>
> IpIntercept.cc(137) NetfilterInterception:  NF getsockopt(SO_ORIGINAL_DST)
> failed on FD xx: (2) No such file or directory
>
> changes i made few days ago
> 1. enabled  access_log /var/log/squid3/access.log
> 2. added (.+\.||) at start of refresh_pattern rules
> 3. started to use jesred . there were no url_rewrite_program before
>
> Which one can create the problem ?

Possibly the URL-rewriter. Depending on whether it is rewriting URLs to 
point anywhere back at this proxy.

The error itself is a message that NAT table lookup failed to produce 
original TCP connection IP details. So an update/change to iptables or 
the kernel can also cause this.

Also, Squid serves some content directly. Such as embeded objects in 
error pages, icons on FTP listing pages, cachemgr reports, cache peer 
communications. These require a regular forward-proxy http_port without 
intercept/tproxy options. Requests for these are being rejected by your 
config (to_mysef ACL) but will also get these NAT failures first.

What version of Squid are you using? 3.2 and later will silence the 
above problem most of the time but it is still corrupting your logs.

Some specific comments on your config below...

> My squid.conf
>
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32

Missing:
  acl localhost src ::1

> acl trustedwebserver src xxx.xxx.160.170
> acl trustednetworks src xxx.xxx.160.0/24
> acl to_localhost dst 127.0.0.0/8

Missing:
  acl to_localhost dst 0.0.0.0/32 ::1

Note that in 3.3 and later the above are built-in ACL definitions. 
Please run "squid -k parse" over this config and fix anything it highlights.

> acl SSL_ports port 443
> acl Safe_ports port 80		# http
> acl Safe_ports port 21		# ftp
> acl Safe_ports port 443		# https
> acl Safe_ports port 70		# gopher
> acl Safe_ports port 210		# wais
> acl Safe_ports port 1025-65535	# unregistered ports
> acl Safe_ports port 280		# http-mgmt
> acl Safe_ports port 488		# gss-http
> acl Safe_ports port 591		# filemaker
> acl Safe_ports port 777		# multiling http
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access allow manager trustedwebserver
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost
> #Don't forget firewall to allow also
> acl allowed_hosts src xxx.xxx.160.0/19
> acl allowed_hosts src 1.1.1.0/24
> acl allowed_hosts src xxx:xxx::/32
> #bottom two lines are because of
> http://bugs.squid-cache.org/show_bug.cgi?id=2798
> acl to_myself dst 127.0.0.0/8 xxx.xxx.160.171 10.234.56.12 1.1.1.12
> http_access deny to_myself
> #up two lines are because of
> http://bugs.squid-cache.org/show_bug.cgi?id=2798
> http_access allow allowed_hosts
> http_access deny all
> http_port 3128 intercept
> http_port 3129 tproxy

Missing forward-proxy http_port (one without special mode flags).
Even if its not used normally it can be useful for servign those objects 
and administrative report access. Yes, cachemgr reports

> refresh_pattern -i
> (.+\.||)microsoft.com/.*\.(cab|exe|dll|ms[i|u|f]|asf|wm[v|a]|dat|zip|iso|psf)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)windowsupdate.com/.*\.(cab|exe|dll|ms[i|u|f]|asf|wm[v|a]|dat|zip|iso|psf)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)eset.com/.*\.(cab|exe|dll|ms[i|u|f]|asf|wm[v|a]|dat|zip|ver|nup)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)avg.com/.*\.(cab|exe|dll|ms[i|u|f]|asf|wm[v|a]|dat|zip|ctf|bin|gz)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)grisoft.com/.*\.(cab|exe|dll|ms[i|u|f]|asf|wm[v|a]|dat|zip|ctf|bin|gz)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)grisoft.cz/.*\.(cab|exe|dll|ms[i|u|f]|asf|wm[v|a]|dat|zip|ctf|bin|gz)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)avast.com/.*\.(cab|exe|dll|ms[i|u|f]|asf|wm[v|a]|dat|zip|vpx|vpu|vpa|vpaa|def|stamp)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)kaspersky-labs.com/.*\.(cab|zip|exe|msi|msp|bz2|avc|kdc|klz|dif|dat|kdz|kdl|kfb)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i
> (.+\.||)kaspersky.com/.*\.(cab|zip|exe|msi|msp|bz2|avc|kdc|klz|dif|dat|kdz|kdl|kfb)
> 10080 100% 172800 ignore-no-cache ignore-no-store ignore-reload
> ignore-private
> refresh_pattern -i (.+\.||)nai.com/.*\.(gem|zip|mcs|tar|exe|) 10080 100%
> 172800 ignore-no-cache ignore-no-store ignore-reload ignore-private
> refresh_pattern -i (.+\.||)adobe.com/.*\.(cab|aup|exe|msi|upd|msp) 10080
> 100% 172800 ignore-no-cache ignore-no-store ignore-reload ignore-private
> refresh_pattern -i (.+\.||)symantecliveupdate.com/.*\.(zip|exe|msi) 10080
> 100% 172800 ignore-no-cache ignore-no-store ignore-reload ignore-private

ignore-no-cache is useless on the recent 3.2 and later Squid releases.

> via off

So what is the objection to via?

 Note that the special access controls you have to use to avoid the 
probems removing it is causing will not prevent relay loops which happen 
as 2-hop loops via the peer and will break the URLs being served up 
directly by this proxy.

Amos