I have seen this with SELinux also. I can trace the issue down, but just to clear out my doubts and before delving into DEBUG all,9: on a default Squid 4.4 with one worker, no cache, with the default squid.conf, should we expect it, or maybe it is a side effect in the code?

(Technically speaking, if I do not trust Squid in general then I should probably not entrust these netfilter sockets to Squid.)

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer@xxxxxxxxxxxx

-----Original Message-----
From: squid-users <squid-users-bounces@xxxxxxxxxxxxxxxxxxxxx> On Behalf Of Amos Jeffries
Sent: Saturday, December 1, 2018 13:12
To: squid-users@xxxxxxxxxxxxxxxxxxxxx
Subject: Re: Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?

On 1/12/18 3:43 am, Ahmad, Sarfaraz wrote:
> I think almost every time squid opens a TCP connection, it also tried to
> open a raw socket of type AF_NETLINK. Syscall pasted below.
> ...
> Any thoughts ?

* To receive NAT intercepted connections Squid needs access to the system NAT table to identify what origin server the client was actually trying to get to before it was diverted into Squid.

* To send traffic with TPROXY interception Squid must set up the socket for sending the spoofed IP addresses.

* To perform Netfilter MARK operations (both fetch and set) Squid uses the Netfilter Conntrack APIs.

* To fetch EUI information about connections received or sent, after they are open, via the POSIX getsockopt() or BSD ioctl() APIs. This is optional and on by default (eui_lookup to configure).

Any of those may be defined by your system Netfilter libraries in terms of AF_NETLINK traffic in the background. If they are doing things like that then the ICMP sockets and (less likely) UDS sockets may also be affected.

If the behaviour is as repeatable as you say, you can use an ALL,9 level cache.log trace to see what exactly Squid is trying to do at the time it happens.

Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
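Before turning on ALL,9 it helps to rule the host out: issue the exact syscall from the strace yourself and read the errno. The following is an added example written for this thread; it is not code from Squid or from anyone on the list. It reproduces `socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER)` outside Squid and maps the result to a diagnosis, so an EACCES here too means the denial comes from the system (SELinux policy, a seccomp filter, a container runtime) rather than from anything in Squid's configuration. The diagnosis strings and the helper names are mine; the `ausearch` hint assumes auditd is running.

```c
/* probe_netlink.c - added example, not from the squid-users thread or Squid.
 *
 * Reproduces the socket() call seen in the strace so the failure can be
 * attributed: a policy denial (EACCES/EPERM) looks different from a kernel
 * that simply has no nfnetlink support (EPROTONOSUPPORT).
 *
 * Build and run (Linux only):  cc -o probe_netlink probe_netlink.c && ./probe_netlink
 * Run it both as root and as the squid user (runuser -u proxy ./probe_netlink)
 * to see whether the denial depends on the caller's domain.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>

#ifndef NETLINK_NETFILTER
#define NETLINK_NETFILTER 12   /* value from <linux/netlink.h>, only if the header predates it */
#endif

/* Issue the same socket() call Squid (via its Netfilter libraries) makes.
 * Returns 0 when the socket could be created (it is closed again at once),
 * otherwise the errno the kernel reported. */
int probe_netlink_netfilter(void)
{
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Turn the probe result into an actionable diagnosis (assumed wording). */
const char *classify_netlink_errno(int err)
{
    switch (err) {
    case 0:
        return "ok: AF_NETLINK/NETLINK_NETFILTER socket allowed for this caller";
    case EACCES:
    case EPERM:
        /* SELinux reports socket-create denials as EACCES; seccomp filters
         * usually return EPERM. Either way the block is host policy. */
        return "denied by host policy: check 'ausearch -m AVC -c squid' and any seccomp profile";
    case EPROTONOSUPPORT:
        return "kernel has no nfnetlink support: load the nfnetlink module or rebuild";
    case EAFNOSUPPORT:
        return "AF_NETLINK unavailable: unusual kernel or container network namespace";
    default:
        return "unexpected error";
    }
}

int main(void)
{
    int err = probe_netlink_netfilter();
    printf("socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = %s\n",
           err ? strerror(err) : "ok");
    printf("diagnosis: %s\n", classify_netlink_errno(err));
    return err ? 1 : 0;
}
```

If the probe succeeds as root but fails as the squid user, the denial is in the caller's SELinux domain or capability set; if it fails for both, look at the kernel or the container runtime. Only once the host allows the call does it make sense to ask which of the four Squid features listed above is driving the netlink traffic, and the ALL,9 cache.log trace answers that.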