On 17/01/2016 2:16 a.m., Egerváry Gergely wrote:
> Hi,
>
> I'm running on:
> - NetBSD 7.0_STABLE (checked out today)
> - Squid 3.5.12 from NetBSD pkgsrc 2015Q4
> - IP Filter: v5.1.2 (536)
>
> Configured with "--enable-ipf-transparent":
>
> $ ./configure --sysconfdir=/usr/pkg/etc/squid --localstatedir=/var/squid --datarootdir=/usr/pkg/share/squid --disable-strict-error-checking --enable-auth --enable-cachemgr-hostname=localhost --enable-delay-pools --enable-icap-client --enable-icmp --enable-poll --enable-removal-policies=lru,heap --enable-storeio=ufs diskd --with-aio --with-default-user=squid --with-pidfile=/var/run/squid.pid --disable-arch-native --enable-ipf-transparent --enable-carp --without-mit-krb5 --without-heimdal-krb5 --enable-snmp --enable-ssl --with-openssl=/usr --enable-auth-basic=NCSA getpwnam PAM --enable-auth-digest=file --disable-auth-negotiate --enable-auth-ntlm=fake smb_lm --enable-external-acl-helpers=file_userip unix_group --prefix=/usr/pkg --build=x86_64--netbsd --host=x86_64--netbsd --mandir=/usr/pkg/man
>
> For testing, I flushed ALL ipfilter and ipnat rules, except one:
>
> rdr wm1 from 172.28.0.0/16 to any port = 80 -> 172.28.0.20 port 80 tcp
>
> wm1 is the LAN interface, 172.28.0.20 is the squid IP.
>
> $ egrep -v '(^$|^#)' squid.conf
>
> acl Safe_ports port 80 # http
> acl CONNECT method CONNECT
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localhost manager
> http_access deny manager
> http_access allow localnet
> http_access allow localhost
> http_access deny all
> http_port 127.0.0.1:80 intercept
> http_port 127.0.0.1:8080
> http_port 172.28.0.20:80 intercept
> http_port 172.28.0.20:8080
> coredump_dir /var/squid/cache/squid
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
>
> ...
>
> and I get the famous message:
>
> 2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=172.28.0.20:80 remote=172.28.0.20:65363 FD 19 flags=33
>
> Do I miss something?
>

You missed out saying how you tested it. That matters.

For example, from the Squid log line it appears you made a connection directly to the intercept port without going through the NAT system. Of course the NAT system would have no record of it under those circumstances.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
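The diagnostic Amos draws from the log line, as an added example that is not part of the original thread: a small Python checker that parses Squid's NAT/TPROXY lookup-failure line and flags a remote address that is the proxy's own (the connection was opened straight at the intercept port, so the NAT table never saw it) or one outside the rdr rule's source network. The proxy addresses and the 172.28.0.0/16 network come from the thread; the second sample line and its 10.9.8.7 client are constructed.

```python
import ipaddress
import re
from typing import NamedTuple, Optional

# Values taken from the thread: the proxy's own addresses and the source network
# of the rdr rule ("rdr wm1 from 172.28.0.0/16 to any port = 80 -> 172.28.0.20 port 80 tcp").
PROXY_IPS = {"172.28.0.20", "127.0.0.1"}
RDR_SOURCE_NET = ipaddress.ip_network("172.28.0.0/16")

# Shape of the cache.log line Squid emits when an intercept port receives a
# connection for which the NAT table holds no redirect record.
LOG_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) kid\d+\| "
    r"ERROR: NAT/TPROXY lookup failed to locate original IPs on "
    r"local=(?P<lip>[\d.]+):(?P<lport>\d+) remote=(?P<rip>[\d.]+):(?P<rport>\d+)"
)

class LookupFailure(NamedTuple):
    timestamp: str
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int

def parse_failure(line: str) -> Optional[LookupFailure]:
    """Parse one NAT/TPROXY lookup-failure line; None for any other line."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return LookupFailure(m["ts"], m["lip"], int(m["lport"]), m["rip"], int(m["rport"]))

def diagnose(f: LookupFailure) -> str:
    """Classify why the NAT lookup could have found nothing for this connection."""
    if f.remote_ip in PROXY_IPS:
        # The peer is the proxy host itself: the TCP connection was opened straight
        # at the intercept port, so the rdr rule never saw it and created no entry.
        return "SELF_CONNECT"
    if ipaddress.ip_address(f.remote_ip) not in RDR_SOURCE_NET:
        # A client outside the rdr rule's "from" network is not redirected at all.
        return "OUTSIDE_RDR_SOURCE"
    # In range: the connection should have been redirected, so look at the NAT side.
    return "IN_RANGE"

# Constructed sample lines; the first mirrors the one quoted in the thread.
SAMPLE_LOG = [
    "2016/01/16 13:57:45 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs "
    "on local=172.28.0.20:80 remote=172.28.0.20:65363 FD 19 flags=33",
    "2016/01/16 13:58:02 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs "
    "on local=172.28.0.20:80 remote=10.9.8.7:40001 FD 21 flags=33",
]
```

Running `diagnose(parse_failure(line))` over the first sample yields `SELF_CONNECT`, the case Amos describes; a real test of the rdr rule has to originate from a LAN host whose traffic enters wm1.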