Well, I can try to make a patch for this... Two questions:

1. I should send it to squid-dev, shouldn't I?
2. Source code for which version should I use: 4.0 or 3.5?

14.02.2017, 04:59, "Amos Jeffries" <squid3@xxxxxxxxxxxxx>:
> On 14/02/2017 1:18 a.m., Alex wrote:
>> Well, actually it looks like a bug in squid to me. Some points:
>>
>> 1. When a client connects in active FTP mode, squid opens a local socket and tries to assign the server's IP address to it. So far so good, however this doesn't work (tested in both 'intercept' and 'tproxy' modes):
>>
>> 2017/02/13 14:58:51.234| 50,3| comm.cc(347) comm_openex: comm_openex: Attempt open socket for: 172.17.10.30
>> 2017/02/13 14:58:51.234| 50,3| comm.cc(388) comm_openex: comm_openex: Opened socket local=172.17.10.30 remote=[::] FD 17 flags=1 : family=2, type=1, protocol=6
>> 2017/02/13 14:58:51.234| 5,5| comm.cc(420) comm_init_opened: local=172.17.10.30 remote=[::] FD 17 flags=1 is a new socket
>> 2017/02/13 14:58:51.234| 51,3| fd.cc(198) fd_open: fd_open() FD 17
>> 2017/02/13 14:58:51.234| commBind: Cannot bind socket FD 17 to 172.17.10.30: (99) Cannot assign requested address
>>
>> 2. Ok, we've got the errno. Let's look in comm_apply_flags(). There's something like this in the middle:
>>
>>     /* MUST be done before binding or face OS Error: "(99) Cannot assign requested address"... */
>>     if ((flags & COMM_TRANSPARENT)) {
>>         comm_set_transparent(new_socket);
>>     }
>>
>> This means that the socket is not IP_TRANSPARENT and cannot be bound to an arbitrary IP address ('net.ipv4.ip_nonlocal_bind' can fix bind(), but connect() will obviously fail with EINVAL).
>>
>> 3. Let's take a look at Ftp::Server::createDataConnection():
>>
>>     Comm::ConnectionPointer conn = new Comm::Connection();
>>     conn->flags |= COMM_DOBIND;
>>
>>     // Use local IP address of the control connection as the source address
>>     // of the active data connection, or some clients will refuse to accept.
>>     conn->setAddrs(clientConnection->local, cltAddr);
>>
>> Fine, looks reasonable. However, the connection has only the COMM_DOBIND flag; COMM_TRANSPARENT is missing. AFAIU, we'll never be able to bind and connect a socket...
>
> Good catch. Thank you.
>
> So AFAICS,
> * NAT intercept needs to listen on the local IP of the Squid->server
> control connection.
> * TPROXY needs to listen on the local IP of the client->Squid control
> connection plus the TRANSPARENT flag.
>
> Any chance of a patch?
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users
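The failure mode discussed in the thread, reproduced as a small stand-alone Linux check. This is an added example, not squid code and not from either poster: the function names (`open_bound_socket`, `bind_errno`) and the sample addresses are made up for illustration (192.0.2.1 is a TEST-NET-1 address that is assumed not to be configured on the host). It shows the ordering squid's comment insists on: `IP_TRANSPARENT` must be set on the socket before `bind()`, otherwise binding to a non-local address fails with errno 99 (`EADDRNOTAVAIL`, "Cannot assign requested address"), exactly as in the quoted `commBind` log line. Setting `IP_TRANSPARENT` needs `CAP_NET_ADMIN`, so as an unprivileged user the transparent path fails earlier with `EPERM`; run it as root (with the usual TPROXY routing/policy in place) to see the bind succeed.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <netinet/ip.h>   /* IP_TRANSPARENT (Linux) */
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Hypothetical helper (not squid's): open a TCP socket and bind it to
 * local_ip on an ephemeral port. When `transparent` is non-zero,
 * IP_TRANSPARENT is set *before* bind(), mirroring the order required by
 * squid's comm_apply_flags(). Returns the fd on success, or -errno. */
int open_bound_socket(const char *local_ip, int transparent)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -errno;

    if (transparent) {
        int one = 1;
        /* Needs CAP_NET_ADMIN; an unprivileged process gets EPERM here. */
        if (setsockopt(fd, SOL_IP, IP_TRANSPARENT, &one, sizeof(one)) < 0) {
            int err = errno;
            close(fd);
            return -err;
        }
    }

    struct sockaddr_in sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin_family = AF_INET;
    sa.sin_port = 0;                       /* let the kernel pick a port */
    if (inet_pton(AF_INET, local_ip, &sa.sin_addr) != 1) {
        close(fd);
        return -EINVAL;
    }

    /* Without IP_TRANSPARENT (and with net.ipv4.ip_nonlocal_bind=0) this is
     * where a non-local address is rejected with EADDRNOTAVAIL (99). */
    if (bind(fd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
        int err = errno;
        close(fd);
        return -err;
    }
    return fd;
}

/* Report only the errno of the attempt (0 on success), closing the socket,
 * in the spirit of squid's "commBind: Cannot bind socket ..." diagnostic. */
int bind_errno(const char *local_ip, int transparent)
{
    int r = open_bound_socket(local_ip, transparent);
    if (r >= 0) {
        close(r);
        return 0;
    }
    return -r;
}

int main(void)
{
    /* Constructed sample addresses: a wildcard that always binds, and a
     * TEST-NET-1 address assumed not to exist on this host. */
    const char *local_ok = "0.0.0.0";
    const char *nonlocal = "192.0.2.1";
    int e;

    e = bind_errno(local_ok, 0);
    printf("bind %-10s plain:       errno=%d (%s)\n", local_ok, e, strerror(e));

    e = bind_errno(nonlocal, 0);
    printf("bind %-10s plain:       errno=%d (%s)\n", nonlocal, e, strerror(e));

    e = bind_errno(nonlocal, 1);
    printf("bind %-10s TRANSPARENT: errno=%d (%s)\n", nonlocal, e, strerror(e));
    return 0;
}
```

Run as an ordinary user the second line prints errno 99, the same value as in the quoted squid log, and the third prints `EPERM` from `setsockopt`; as root the third attempt binds. That is the behaviour the thread attributes to the missing `COMM_TRANSPARENT` flag on the FTP data connection: `COMM_DOBIND` alone can never bind to the client's address in TPROXY mode.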