Hello.

  Recently I gave FTP relay a try and it seems that it doesn't work out of the 
box :(
  I've seen a topic regarding passive mode (when squid puts the real server's IP 
into the 'Entering passive mode' message); however, I've solved this by writing a 
kernel module with custom netfilter hooks (the module intercepts squid's reply, 
gets the IP and port and marks the corresponding incoming connection, so it's possible 
to write a REDIRECT rule).
  I thought that active mode would cause fewer problems, but it seems that what 
squid tries to do is illegal. As far as I understand, in active mode squid 
tries to connect to a client and spoofs the source IP address. But it simply does 
not work: even if bind() succeeds after setting the 'ip_nonlocal_bind' sysctl to 1, 
the connect() call fails with EINVAL. According to 
https://lkml.org/lkml/2001/6/7/17, such kernel behaviour is legit and squid 
tries to do something nasty.

  Here's the excerpt from squid's log (3.5.24 on CentOS 6.5 with 4.x kernel):

2017/02/07 15:24:12.262| 5,3| ConnOpener.cc(289) createFd: local=172.17.10.30 remote=172.17.11.31:56676 flags=9 will timeout in 60
2017/02/07 15:24:12.262| 5,9| comm.cc(602) comm_connect_addr: connecting socket FD 16 to 172.17.11.31:56676 (want family: 2)
2017/02/07 15:24:12.262| 5,5| comm.cc(644) comm_connect_addr: sock=16, addrinfo( flags=4, family=2, socktype=1, protocol=6, &addr=0x1bffc00, addrlen=16 )
2017/02/07 15:24:12.262| 5,9| comm.cc(645) comm_connect_addr: connect FD 16: (-1) (22) Invalid argument
2017/02/07 15:24:12.262| 14,9| comm.cc(646) comm_connect_addr: connecting to: 172.17.11.31:56676
2017/02/07 15:24:12.262| 5,7| ConnOpener.cc(357) doConnect: local=172.17.10.30 remote=172.17.11.31:56676 flags=9: failure #1 <= 0: (22) Invalid argument
2017/02/07 15:24:12.262| 5,5| ConnOpener.cc(365) doConnect: local=172.17.10.30 remote=172.17.11.31:56676 flags=9: * - ERR tried too many times already.
2017/02/07 15:24:12.262| 17,3| AsyncCall.cc(93) ScheduleCall: ConnOpener.cc(137) will call Ftp::Server::connectedForData(local=172.17.10.30 remote=172.17.11.31:56676 flags=9, errno=22, flag=-8, data=0x17d6188) [call95]

  Any thoughts?
_______________________________________________
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
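The log excerpt in the message above is easier to diagnose when the doConnect failure lines are pulled out and the local= address is compared against the addresses the proxy host actually owns. The script below is an added example, not squid's own code and not written by the poster; it assumes squid's debug-line layout ('<timestamp>| <section>,<level>| <file>(<line>) <func>: <message>') as seen in the excerpt, and the host address set it checks against is a constructed placeholder.

```python
"""Extract failed outbound connect() attempts from squid cache.log debug lines.

Added example (not squid's code). Assumptions: the line layout matches the
excerpt quoted above, and ConnOpener's failure message has the shape
'local=A remote=B:port flags=N: failure #k <= 0: (errno) text'.
"""
import errno
import re

# Constructed sample: lines copied from the excerpt above, re-joined to one line each.
SAMPLE_LOG = """\
2017/02/07 15:24:12.262| 5,3| ConnOpener.cc(289) createFd: local=172.17.10.30 remote=172.17.11.31:56676 flags=9 will timeout in 60
2017/02/07 15:24:12.262| 5,9| comm.cc(645) comm_connect_addr: connect FD 16: (-1) (22) Invalid argument
2017/02/07 15:24:12.262| 5,7| ConnOpener.cc(357) doConnect: local=172.17.10.30 remote=172.17.11.31:56676 flags=9: failure #1 <= 0: (22) Invalid argument
2017/02/07 15:24:12.262| 5,5| ConnOpener.cc(365) doConnect: local=172.17.10.30 remote=172.17.11.31:56676 flags=9: * - ERR tried too many times already.
"""

# Generic squid debug line: timestamp | section,level | file(line) func: message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\| "
    r"(?P<section>\d+),(?P<level>\d+)\| "
    r"(?P<file>[\w.]+)\((?P<line>\d+)\) (?P<func>\w+): (?P<msg>.*)$"
)

# ConnOpener's per-attempt failure message (assumed shape, taken from the excerpt).
FAILURE_RE = re.compile(
    r"local=(?P<local>[\d.]+(?::\d+)?) remote=(?P<remote>[\d.]+:\d+) "
    r"flags=(?P<flags>\d+): failure #(?P<attempt>\d+) <= 0: "
    r"\((?P<errno>\d+)\) (?P<text>.*)$"
)


def parse_line(line):
    """Split one debug line into its fields, or return None if it does not match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    rec = m.groupdict()
    for key in ("section", "level", "line"):
        rec[key] = int(rec[key])
    return rec


def connect_failures(log_text):
    """Return one record per doConnect failure: addresses, attempt, errno and its name."""
    found = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["func"] != "doConnect":
            continue
        f = FAILURE_RE.match(rec["msg"])
        if f is None:
            continue  # e.g. the 'tried too many times already' summary line
        num = int(f["errno"])
        found.append({
            "ts": rec["ts"],
            "local": f["local"],
            "remote": f["remote"],
            "attempt": int(f["attempt"]),
            "errno": num,
            "errname": errno.errorcode.get(num, "UNKNOWN"),
            "text": f["text"],
        })
    return found


def classify(failure, host_addrs):
    """Label a failure: EINVAL while binding an address the host does not own is the
    symptom described in the message above (connect() from a non-local source)."""
    local_ip = failure["local"].split(":")[0]
    if failure["errname"] == "EINVAL" and local_ip not in host_addrs:
        return "nonlocal-source"
    return "other"


if __name__ == "__main__":
    # Constructed placeholder: pretend the proxy host only owns 172.17.10.1.
    for fail in connect_failures(SAMPLE_LOG):
        print(fail["ts"], fail["local"], "->", fail["remote"],
              fail["errname"], classify(fail, {"172.17.10.1"}))
```

Run it against a real cache.log with debug_options covering sections 5 and 14, and feed classify() the addresses from `ip addr` on the proxy; a "nonlocal-source" label on every data-connection attempt confirms the bind-to-foreign-address path rather than a routing or firewall problem.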