Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-13 Thread Egerváry Gergely

> Thanks for the testing and feedback. I've applied this as part-2 of the
> bug 4302 updates. It will be in the next releases of 3.5 and 4.x.


One more patch for Intercept.cc:

On NetBSD, USE_INET6 is only defined by netinet/ip_compat.h if
__NetBSD_Version__ is defined by sys/param.h:

#if defined(__NetBSD_Version__) && (__NetBSD_Version__ >= 10500) && \
    !defined(_KERNEL) && !defined(USE_INET6) && !defined(NOINET6)
# define USE_INET6
#endif

So we have to include sys/param.h:


--- Intercept.cc2016-10-13 16:24:31.0 +0200
+++ Intercept.cc.orig   2016-10-13 16:20:37.0 +0200
@@ -25,6 +25,9 @@
 #define IPFILTER_VERSION504
 #endif

+#if HAVE_SYS_PARAM_H
+#include 
+#endif
 #if HAVE_SYS_IOCCOM_H
 #include 
 #endif
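
Review bot: The file labels are reversed (`--- Intercept.cc` against `+++ Intercept.cc.orig`), so applied as posted the patch treats the modified file as the old side; regenerate it with the .orig file first. The added `#include` line carries no header name in this copy (the same is true of the existing one under HAVE_SYS_IOCCOM_H); per the message it should name sys/param.h. Because the new block is guarded by HAVE_SYS_PARAM_H, the build also has to test for that header, otherwise the include is skipped silently and USE_INET6 stays undefined on NetBSD.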

Thank you!
--
Gergely EGERVARY

___
squid-users mailing list
squid-users@lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users


Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Thanks for the testing and feedback. I've applied this as part-2 of the
> bug 4302 updates. It will be in the next releases of 3.5 and 4.x.

you are the hero of the day, thank you very much!

-- 
Gergely EGERVARY



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Stephen Borrill
On 04/10/2016 14:10, Amos Jeffries wrote:
> On 5/10/2016 1:16 a.m., Egerváry Gergely wrote:
>>> Getting closer, but still not there...
>>
>> Hah, we need to apply the kern/50198 patch to ipnat_6.c too.
>>
>> --- ip_nat6.c.orig  2015-08-08 18:31:21.0 +0200
>> +++ ip_nat6.c   2016-10-04 14:04:21.0 +0200
>> @@ -2470,8 +2469,8 @@
>> }
>> }
>>
>> -   np->nl_realip6 = nat->nat_ndst6.in6;
>> -   np->nl_realport = nat->nat_ndport;
>> +   np->nl_realip6 = nat->nat_odst6.in6;
>> +   np->nl_realport = nat->nat_odport;
>> }
>> }
>>
>> Thank you very much, Amos, your Squid patch works good with it!
>>
>> Gergely EGERVARY
> 
> Thanks for the testing and feedback. I've applied this as part-2 of the
> bug 4302 updates. It will be in the next releases of 3.5 and 4.x.

Gergely, please update the NetBSD PR with your working kernel patch(es)
and I'll commit them, can't wait for Darren any longer.

-- 
Stephen




Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Amos Jeffries
On 5/10/2016 1:16 a.m., Egerváry Gergely wrote:
>> Getting closer, but still not there...
> 
> Hah, we need to apply the kern/50198 patch to ipnat_6.c too.
> 
> --- ip_nat6.c.orig  2015-08-08 18:31:21.0 +0200
> +++ ip_nat6.c   2016-10-04 14:04:21.0 +0200
> @@ -2470,8 +2469,8 @@
> }
> }
> 
> -   np->nl_realip6 = nat->nat_ndst6.in6;
> -   np->nl_realport = nat->nat_ndport;
> +   np->nl_realip6 = nat->nat_odst6.in6;
> +   np->nl_realport = nat->nat_odport;
> }
> }
> 
> Thank you very much, Amos, your Squid patch works good with it!
> 
> Gergely EGERVARY

Thanks for the testing and feedback. I've applied this as part-2 of the
bug 4302 updates. It will be in the next releases of 3.5 and 4.x.

Amos



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Getting closer, but still not there...

Hah, we need to apply the kern/50198 patch to ipnat_6.c too.

--- ip_nat6.c.orig  2015-08-08 18:31:21.0 +0200
+++ ip_nat6.c   2016-10-04 14:04:21.0 +0200
@@ -2470,8 +2469,8 @@
}
}

-   np->nl_realip6 = nat->nat_ndst6.in6;
-   np->nl_realport = nat->nat_ndport;
+   np->nl_realip6 = nat->nat_odst6.in6;
+   np->nl_realport = nat->nat_odport;
}
}
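
Review bot: The hunk header `@@ -2470,8 +2469,8 @@` puts the new file one line shorter above this point, so ip_nat6.c.orig and ip_nat6.c also differ somewhere earlier and this hunk is not the whole change; post the full diff against a pristine file. On the two replaced assignments, add a comment saying why `nat_odst6`/`nat_odport` rather than `nat_ndst6`/`nat_ndport` is the right source for `nl_realip6`/`nl_realport` here, since the enclosing conditions are outside the visible context.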

Thank you very much, Amos, your Squid patch works good with it!

Gergely EGERVARY


Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Aha. Damn macros.
> 
> There are a few changes needed, for both v4/v6 inputs and 'realip'
> processing. This attached patch should be what you need for Squid-3.5 to
> work.

Getting closer, but still not there...

The browser client is 2001:738:7a00:a::a:d, the remote destination is
2001:4c48:2:268::2:1c

The ipnat state table entry:
RDR 2001:738:7a00:a::14 3128  <- -> 2001:4c48:2:268::2:1c 80
[2001:738:7a00:a::a:d 56623]

Squid log:

2016/10/04 13:16:33.365 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 22
HTTP Request
2016/10/04 13:16:33.366 kid1| 89,5| Intercept.cc(391) Lookup: address
BEGIN: me/client= [2001:738:7a00:a::14]:3128, destination/me=
[2001:738:7a00:a::14]:65491
2016/10/04 13:16:33.366 kid1| 89,9| Intercept.cc(290) IpfInterception:
address: local=[2001:738:7a00:a::14]:3128
remote=[2001:738:7a00:a::14]:65491 FD 22 flags=33
2016/10/04 13:16:33.366 kid1| ERROR: NAT/TPROXY lookup failed to locate
original IPs on local=[2001:738:7a00:a::14]:3128
remote=[2001:738:7a00:a::14]:65491 FD 22 flags=33
2016/10/04 13:16:33.366 kid1| 5,5| TcpAcceptor.cc(287) acceptOne:
Listener: local=[2001:738:7a00:a::14]:3128 remote=[::] FD 1
9 flags=41 accepted new connection local=[2001:738:7a00:a::14]:3128
remote=[2001:738:7a00:a::14]:65491 FD 22 flags=33 handler
 Subscription: 0x16acf40*1

--
Gergely EGERVARY



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Amos Jeffries
On 4/10/2016 10:52 p.m., Egerváry Gergely wrote:
>> Is there another defined somewhere else? For some reason your Squid is
>> managing to build with just "nl_inip" (no 'addr') in the field name.
> 
> There's a copy in /usr/include/netinet, but it's the same:
> 
> typedef struct natlookup {
>     i6addr_t nl_inipaddr;
>     i6addr_t nl_outipaddr;
>     i6addr_t nl_realipaddr;
>     int      nl_v;
>     int      nl_flags;
>     u_short  nl_inport;
>     u_short  nl_outport;
>     u_short  nl_realport;
> } natlookup_t;
> 
> #define nl_inip    nl_inipaddr.in4
> #define nl_outip   nl_outipaddr.in4
> #define nl_realip  nl_realipaddr.in4
> #define nl_inip6   nl_inipaddr.in6
> #define nl_outip6  nl_outipaddr.in6
> #define nl_realip6 nl_realipaddr.in6
> 
> ... so "nl_inip" is a simple #define to nl_inipaddr.in4
> 
> This is from Squid's Intercept.cc:
> 
> natLookup.nl_inport = htons(newConn->local.port());
> newConn->local.getInAddr(natLookup.nl_inip);
> natLookup.nl_outport = htons(newConn->remote.port());
> newConn->remote.getInAddr(natLookup.nl_outip);
> 
> Is this correct?
> Should we have this in the "else" section of
>   if (newConn->remote.isIPv6()) ... instead?
> 

Aha. Damn macros.

There are a few changes needed, for both v4/v6 inputs and 'realip'
processing. This attached patch should be what you need for Squid-3.5 to
work.

Amos
=== modified file 'src/ip/Intercept.cc'
--- src/ip/Intercept.cc 2016-04-12 06:52:39 +
+++ src/ip/Intercept.cc 2016-10-04 10:35:52 +
@@ -207,16 +207,21 @@
 debugs(89, warningLevel, "IPF (IPFilter v4) NAT does not support IPv6. 
Please upgrade to IPFilter v5.1");
 warningLevel = (warningLevel + 1) % 10;
 return false;
+}
+newConn->local.getInAddr(natLookup.nl_inip);
+newConn->remote.getInAddr(natLookup.nl_outip);
 #else
 natLookup.nl_v = 6;
+newConn->local.getInAddr(natLookup.nl_inipaddr.in6);
+newConn->remote.getInAddr(natLookup.nl_outipaddr.in6);
 } else {
 natLookup.nl_v = 4;
+newConn->local.getInAddr(natLookup.nl_inipaddr.in4);
+newConn->remote.getInAddr(natLookup.nl_outipaddr.in4);
+}
 #endif
-}
 natLookup.nl_inport = htons(newConn->local.port());
-newConn->local.getInAddr(natLookup.nl_inip);
 natLookup.nl_outport = htons(newConn->remote.port());
-newConn->remote.getInAddr(natLookup.nl_outip);
 // ... and the TCP flag
 natLookup.nl_flags = IPN_TCP;
 
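
Review bot: The `if` opened above the `#if` is now closed separately inside each preprocessor arm (the added `}` after `return false;` and the added `}` before `#endif`), so brace balance depends on which arm is compiled and is easy to break in a later edit; consider writing a complete if/else in each arm. In the `#else` arm the `in4`/`in6` member is picked by a condition that sits above the visible context, so confirm it tests the same address family that the second hunk tests, and that `natLookup` is zeroed beforehand so the unused bytes of `nl_inipaddr`/`nl_outipaddr` are not passed to the lookup uninitialised in the `nl_v = 4` case.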
@@ -281,7 +286,14 @@
 debugs(89, 9, HERE << "address: " << newConn);
 return false;
 } else {
+#if IPFILTER_VERSION < 503
 newConn->local = natLookup.nl_realip;
+#else
+if (newConn->remote.isIPv6())
+newConn->local = natLookup.nl_realipaddr.in6;
+else
+newConn->local = natLookup.nl_realipaddr.in4;
+#endif
 newConn->local.port(ntohs(natLookup.nl_realport));
 debugs(89, 5, HERE << "address NAT: " << newConn);
 return true;
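
Review bot: In the `#else` arm the result member is chosen by `newConn->remote.isIPv6()`, although the first hunk already recorded the family in `natLookup.nl_v`; selecting `nl_realipaddr.in6` or `.in4` on `nl_v` would tie the read to the family that was actually sent in the request. Also check that `#if IPFILTER_VERSION < 503` is the same condition that guards the first hunk's `#if`, which is not visible here, so that both hunks switch together.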



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely
> Is there another defined somewhere else? For some reason your Squid is
> managing to build with just "nl_inip" (no 'addr') in the field name.

There's a copy in /usr/include/netinet, but it's the same:

typedef struct natlookup {
    i6addr_t nl_inipaddr;
    i6addr_t nl_outipaddr;
    i6addr_t nl_realipaddr;
    int      nl_v;
    int      nl_flags;
    u_short  nl_inport;
    u_short  nl_outport;
    u_short  nl_realport;
} natlookup_t;

#define nl_inip    nl_inipaddr.in4
#define nl_outip   nl_outipaddr.in4
#define nl_realip  nl_realipaddr.in4
#define nl_inip6   nl_inipaddr.in6
#define nl_outip6  nl_outipaddr.in6
#define nl_realip6 nl_realipaddr.in6

... so "nl_inip" is a simple #define to nl_inipaddr.in4

This is from Squid's Intercept.cc:

natLookup.nl_inport = htons(newConn->local.port());
newConn->local.getInAddr(natLookup.nl_inip);
natLookup.nl_outport = htons(newConn->remote.port());
newConn->remote.getInAddr(natLookup.nl_outip);

Is this correct?
Should we have this in the "else" section of
  if (newConn->remote.isIPv6()) ... instead?

--
Gergely EGERVARY
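
The macro aliasing described in the message above, as an added example that is not part of the original post and is not IPFilter or Squid code: the short name `nl_inip` always resolves to the 4-byte `in4` member, so a lookup key for an IPv6 connection has to name the `in6` member explicitly after checking the family. The `demo_` types and `demo_fill_lookup` are hypothetical stand-ins shaped like the quoted header; the addresses are taken from the thread's logs.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins shaped like the header quoted above; NOT IPFilter's own types. */
typedef union { struct in_addr in4; struct in6_addr in6; } demo_i6addr_t;
typedef struct {
    demo_i6addr_t nl_inipaddr;
    demo_i6addr_t nl_outipaddr;
    int nl_v;
} demo_natlookup_t;

/* Same aliasing as in the post: the short name always means the IPv4 member. */
#define nl_inip  nl_inipaddr.in4
#define nl_outip nl_outipaddr.in4

/* Fill the lookup key from the two textual endpoints of one connection.
 * Returns 6 or 4 (also stored in nl_v), or -1 if they are not one family. */
int demo_fill_lookup(demo_natlookup_t *nl, const char *local, const char *remote)
{
    struct in6_addr l6, r6;
    struct in_addr l4, r4;

    memset(nl, 0, sizeof(*nl));          /* no stale bytes in the unused union part */
    if (inet_pton(AF_INET6, local, &l6) == 1 && inet_pton(AF_INET6, remote, &r6) == 1) {
        nl->nl_v = 6;
        nl->nl_inipaddr.in6 = l6;        /* full 16 bytes, member named explicitly */
        nl->nl_outipaddr.in6 = r6;
    } else if (inet_pton(AF_INET, local, &l4) == 1 && inet_pton(AF_INET, remote, &r4) == 1) {
        nl->nl_v = 4;
        nl->nl_inip = l4;                /* expands to nl_inipaddr.in4 */
        nl->nl_outip = r4;
    } else {
        return -1;
    }
    return nl->nl_v;
}

int main(void)
{
    demo_natlookup_t nl;
    /* Addresses taken from the thread's logs. */
    int v = demo_fill_lookup(&nl, "2001:738:7a00:a::14", "2001:738:7a00:a::a:d");
    printf("family=%d in4 member=%zu bytes, in6 member=%zu bytes\n",
           v, sizeof(nl.nl_inip), sizeof(nl.nl_inipaddr.in6));
    return 0;
}
```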


Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Amos Jeffries
On 4/10/2016 8:57 p.m., Egerváry Gergely wrote:
>> Apparently the IPFilter 5.1 code defines a 32-bit IPv4-only structure
>> for 64-bit IPv6 addresses to be placed into. That was supposed to be
>> fixed in IPFilter 5.0.3.
>>
>> Can you look through your system for code header files that define
>> "struct natlookup" and show me what they contain?
> 
> in sys/external/bsd/ipf/netinet/ip_nat.h:
> 
> typedef struct natlookup {
>     i6addr_t nl_inipaddr;
>     i6addr_t nl_outipaddr;
>     i6addr_t nl_realipaddr;
>     int      nl_v;
>     int      nl_flags;
>     u_short  nl_inport;
>     u_short  nl_outport;
>     u_short  nl_realport;
> } natlookup_t;
> 

Is there another defined somewhere else? For some reason your Squid is
managing to build with just "nl_inip" (no 'addr') in the field name.

Amos



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Egerváry Gergely

> Apparently the IPFilter 5.1 code defines a 32-bit IPv4-only structure
> for 64-bit IPv6 addresses to be placed into. That was supposed to be
> fixed in IPFilter 5.0.3.
>
> Can you look through your system for code header files that define
> "struct natlookup" and show me what they contain?


in sys/external/bsd/ipf/netinet/ip_nat.h:

typedef struct natlookup {
    i6addr_t nl_inipaddr;
    i6addr_t nl_outipaddr;
    i6addr_t nl_realipaddr;
    int      nl_v;
    int      nl_flags;
    u_short  nl_inport;
    u_short  nl_outport;
    u_short  nl_realport;
} natlookup_t;


--
Gergely EGERVARY



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-04 Thread Amos Jeffries
On 4/10/2016 7:25 p.m., Egerváry Gergely wrote:
>>> 2016/10/03 17:08:03.233 kid1| Ip::Address::getInAddr : Cannot convert
>>> non-IPv4 to IPv4. IPA=[2001:738:7a00:a::14]:3128
>>

Okay your setup looks fine.

Apparently the IPFilter 5.1 code defines a 32-bit IPv4-only structure
for 64-bit IPv6 addresses to be placed into. That was supposed to be
fixed in IPFilter 5.0.3.

Can you look through your system for code header files that define
"struct natlookup" and show me what they contain?

Amos



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-03 Thread Egerváry Gergely

>> 2016/10/03 17:08:03.233 kid1| Ip::Address::getInAddr : Cannot convert
>> non-IPv4 to IPv4. IPA=[2001:738:7a00:a::14]:3128


> And what are your squid.conf http_port line(s) ?


http_port 127.0.0.1:8080
http_port [::1]:8080
http_port 172.28.0.20:3128 intercept
http_port 172.28.0.20:8080
http_port [2001:738:7a00:a::14]:3128 intercept
http_port [2001:738:7a00:a::14]:8080


> What does squid log about listening HTTP ports on startup?


2016/10/04 08:25:16 kid1| Accepting HTTP Socket connections at 
local=127.0.0.1:8080 remote=[::] FD 14 flags=9
2016/10/04 08:25:16 kid1| Accepting HTTP Socket connections at 
local=[::1]:8080 remote=[::] FD 15 flags=9
2016/10/04 08:25:16 kid1| Accepting NAT intercepted HTTP Socket 
connections at local=172.28.0.20:3128 remote=[::] FD 16 flags=41
2016/10/04 08:25:16 kid1| Accepting HTTP Socket connections at 
local=172.28.0.20:8080 remote=[::] FD 17 flags=9
2016/10/04 08:25:16 kid1| Accepting NAT intercepted HTTP Socket 
connections at local=[2001:738:7a00:a::14]:3128 remote=[::] FD 18 flags=41
2016/10/04 08:25:16 kid1| Accepting HTTP Socket connections at 
local=[2001:738:7a00:a::14]:8080 remote=[::] FD 19 flags=9


--
Gergely EGERVARY



Re: [squid-users] IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

2016-10-03 Thread Amos Jeffries
On 4/10/2016 4:12 a.m., Egerváry Gergely wrote:
> Hi,
> 
> I'm running on NetBSD 7-STABLE, with IPFilter 5.1
> (--enable-ipf-transparent)
> 
> NAT interception rule:
> rdr wm1 from 2001:738:7a00:a::/64 to any port = 80 ->
> 2001:738:7a00:a::14 port 3128 tcp
> 
> cache.log:
> 
> 2016/10/03 17:08:03.232 kid1| 5,2| TcpAcceptor.cc(220) doAccept: New
> connection on FD 18
> 2016/10/03 17:08:03.232 kid1| 5,2| TcpAcceptor.cc(295) acceptNext:
> connection on local=[2001:738:7a00:a::14]:3128 remote=[::] FD 18 flags=41
> 2016/10/03 17:08:03.232 kid1| 51,3| fd.cc(198) fd_open: fd_open() FD 22
> HTTP Request
> 2016/10/03 17:08:03.233 kid1| 89,5| Intercept.cc(375) Lookup: address
> BEGIN: me/client= [2001:738:7a00:a::14]:3128, destination/me=
> [2001:738:7a00:a::a:d]:52628
> 2016/10/03 17:08:03.233 kid1| Ip::Address::getInAddr : Cannot convert
> non-IPv4 to IPv4. IPA=[2001:738:7a00:a::14]:3128
> 2016/10/03 17:08:03.473| 42,8| Icmp6.cc(240) Recv: 24 bytes from
> [2001:738:7a00:b::1]
> 

And what are your squid.conf http_port line(s) ?

What does squid log about listening HTTP ports on startup?

Amos
