tproxy
Hello everyone, I'm trying to run the following configuration:
* Debian testing, kernel 2.6.30, iptables 1.4.4, squid 3.1.0,14, ebtables,
bridge-utils TPROXY 4
stage http://img524.imageshack.us/img524/2645/twobridge.jpg
/etc/network/interfaces
#-------------------
# Bridge router1
#-------------------
auto br1
iface br1 inet static
bridge_ports eth0 eth1
address 10.1.1.2
netmask 255.255.255.0
gateway 10.1.1.1
#-------------------
# Bridge router2
#-------------------
auto br2
iface br2 inet static
bridge_ports eth2 eth3
address 20.1.1.2
netmask 255.255.255.0
gateway 20.1.1.1
/etc/rc.local
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
echo 1 > /proc/sys/net/ipv4/ip_forward
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
/etc/squid/squid.conf
http_port 3128
http_port 3129 tproxy
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8
acl localnet src 20.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 70 # gopher
acl Safe_ports port 210 # wais
acl Safe_ports port 1025-65535 # unregistered ports
acl Safe_ports port 280 # http-mgmt
acl Safe_ports port 488 # gss-http
acl Safe_ports port 591 # filemaker
acl Safe_ports port 777 # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
http_access allow localhost
http_access deny all
So far so good, except that Squid is not caching,
but the two bridges work and each goes out through its own gateway.
If I run iptables -t mangle -L -n -v I see that the rules from rc.local mark
packets.
When I add the following lines, Squid begins to cache,
but only one of the two bridges works (either one) and the other is at 0 and
cannot browse.
ebtables -t broute -I BROUTING -i eth1 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -i eth0 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -i eth3 -p ipv4 --ip-proto tcp --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -I BROUTING -i eth2 -p ipv4 --ip-proto tcp --ip-sport 80 -j redirect --redirect-target DROP
Is it possible to operate the two bridges, each through its own gateway, using
Squid?
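The setup in the post above has three parts that must agree: the mangle-table rules, the policy routing entries, and Squid's tproxy port. The following is an added example, not part of the original post: a Python check over the text of those commands and squid.conf. The function names and the constructed sample input are assumptions of the example, and it assumes packets carry no other mark bits.

```python
import shlex

# Constructed sample input, modelled on the rc.local and squid.conf lines
# quoted in the post above (wrapped lines joined).
SAMPLE_RULES = """\
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
"""
SAMPLE_SQUID = "http_port 3128\nhttp_port 3129 tproxy\n"


def _opt(tokens, name):
    """Return the token that follows option `name`, or None if absent."""
    if name in tokens[:-1]:
        return tokens[tokens.index(name) + 1]
    return None


def _mark(text):
    """Parse 'value[/mask]' (hex or decimal) and return value & mask."""
    value, _, mask = text.partition("/")
    return int(value, 0) & (int(mask, 0) if mask else 0xFFFFFFFF)


def squid_tproxy_ports(squid_text):
    """Ports of every 'http_port [ip:]port ... tproxy' line in squid.conf."""
    ports = set()
    for line in squid_text.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) >= 3 and tok[0] == "http_port" and "tproxy" in tok[2:]:
            ports.add(int(tok[1].rsplit(":", 1)[-1]))
    return ports


def check_tproxy(rules_text, squid_text):
    """Return a list of findings; an empty list means the pieces agree."""
    tproxy = []           # (line index, --on-port, effective mark)
    chain_marks = {}      # chain name -> marks set by MARK rules in it
    socket_rule = None    # (line index, target chain) of the '-m socket' rule
    rule_tables = {}      # fwmark -> routing table named by 'ip rule add'
    local_tables = set()  # tables that contain a 'local' route
    findings = []
    for pos, line in enumerate(rules_text.splitlines()):
        tok = shlex.split(line, comments=True)
        if tok[:3] == ["iptables", "-t", "mangle"]:
            chain, target = _opt(tok, "-A"), _opt(tok, "-j")
            if target == "TPROXY":
                port, mark = _opt(tok, "--on-port"), _opt(tok, "--tproxy-mark")
                if port is None or mark is None:
                    findings.append(f"line {pos + 1}: TPROXY rule lacks --on-port or --tproxy-mark")
                else:
                    tproxy.append((pos, int(port), _mark(mark)))
            elif target == "MARK" and _opt(tok, "--set-mark"):
                chain_marks.setdefault(chain, set()).add(_mark(_opt(tok, "--set-mark")))
            elif chain == "PREROUTING" and _opt(tok, "-m") == "socket" and socket_rule is None:
                socket_rule = (pos, target)
        elif tok[:3] == ["ip", "rule", "add"] and _opt(tok, "fwmark"):
            rule_tables[_mark(_opt(tok, "fwmark"))] = _opt(tok, "lookup") or _opt(tok, "table")
        elif tok[:4] == ["ip", "route", "add", "local"]:
            local_tables.add(_opt(tok, "table"))

    squid_ports = squid_tproxy_ports(squid_text)
    if not tproxy and not findings:
        findings.append("no TPROXY rule in the mangle table")
    for pos, port, mark in tproxy:
        # The port TPROXY hands connections to must be a Squid tproxy listener.
        if port not in squid_ports:
            findings.append(f"--on-port {port} has no 'http_port {port} tproxy' in squid.conf")
        # The mark must select a table whose 'local' route delivers to lo.
        table = rule_tables.get(mark)
        if table is None:
            findings.append(f"no 'ip rule add fwmark {mark:#x} lookup ...' for the TPROXY mark")
        elif table not in local_tables:
            findings.append(f"table {table} has no 'ip route add local ... dev lo' entry")
        # Established flows are diverted by the socket match, which must
        # come first and set the same mark.
        if socket_rule is None:
            findings.append("no '-m socket' rule in PREROUTING to divert established flows")
        else:
            if socket_rule[0] > pos:
                findings.append("'-m socket' rule comes after the TPROXY rule")
            if mark not in chain_marks.get(socket_rule[1], set()):
                findings.append(f"chain {socket_rule[1]} does not set mark {mark:#x}")
    for port in sorted(squid_ports - {p for _, p, _ in tproxy}):
        findings.append(f"squid.conf listens on tproxy port {port} but no TPROXY rule targets it")
    return findings


if __name__ == "__main__":
    for finding in check_tproxy(SAMPLE_RULES, SAMPLE_SQUID) or ["consistent"]:
        print(finding)
```

The check reads only rules appended with `-A`; it does not look at the ebtables broute rules or at which gateway each bridge uses.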
Hi,
I use Debian 5.0 with kernel 2.6.31 compiled with tproxy
dmesg |grep TPROXY
NF_TPROXY: Transparent proxy support initialized, version 4.1.0
NF_TPROXY: Copyright (c) 2006-2007 BalaBit IT Ltd.
I downloaded and installed iptables from git.balabit.hu/bazsi
(downloaded with command git clone git://git.balabit.hu/bazsi/iptables-tproxy.git)
my iptables rules
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-ip 127.0.0.1 --on-port 3129
and
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
cd /proc/sys/net/bridge/
for i in *
do
echo 0 > $i
done
unset i
ip ro flu ca
I use current squid (version squid-3.HEAD-20090929) with options
squid -v
Squid Cache: Version 3.HEAD-20090929
configure options: '--build=i686-linux-gnu' '--prefix=/usr'
'--includedir=${prefix}/include' '--mandir=${prefix}/share/man'
'--infodir=${prefix}/share/info' '--sysconfdir=/etc'
'--localstatedir=/var' '--libexecdir=${prefix}/lib/squid3'
'--srcdir=.' '--datadir=/usr/share/squid3' '--sysconfdir=/etc/squid3'
'--mandir=/usr/share/man' '--enable-removal-policies=lru,heap'
'--enable-delay-pools' '--enable-cache-digests'
'--enable-follow-x-forwarded-for' '--enable-arp-acl' '--enable-snmp'
'--with-large-files' '--enable-kill-parent-hack'
'--enable-linux-netfilter'
I use squid.conf
########### Start of squid.conf ##############
cache_effective_user squid
http_port 3128
http_port 3129 tproxy
debug_options ALL,9
cache_dir ufs /data 50000 16 256
cache_access_log /var/log/squid/access.log
cache_log /var/log/squid3/cache.log
cache_store_log /var/log/squid/store.log
via off
forwarded_for off
cache_replacement_policy heap LFUDA
memory_replacement_policy heap GDSF
fqdncache_size 51200
ipcache_size 51200
pipeline_prefetch on
hierarchy_stoplist cgi-bin ?
acl QUERY urlpath_regex cgi-bin \?
no_cache deny QUERY
hosts_file /etc/hosts
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 40% 4320
acl all src 0.0.0.0/0.0.0.0
##Define your network below
acl Customers src xxx.xxx.xxx.xx/32
acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl purge method PURGE
acl CONNECT method CONNECT
acl Safe_ports port 80 # http
acl Safe_ports port 21 # ftp
acl Safe_ports port 443 # https
acl Safe_ports port 1025-65535 # ports
acl SSL_ports port 443 563
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localhost
http_access allow Customers
http_access deny all
http_reply_access allow all
icp_access allow Customers
icp_access deny all
visible_hostname proxy
coredump_dir /usr/local/squid
######## End of squid.conf ##########
I can't open a web page from the client. I get this error (example):
The following error was encountered while trying to retrieve the URL:
http://www.whatismyip.com/
Connection to 72.233.89.199 failed.
The system returned: (110) Connection timed out
The remote host or network may be down. Please try the request again.
In tcpdump (tcpdump -vvv -nne -i any port 80) I see more connections
from the web server to my client IP:
01:33:57.220480 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 674, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.55549 > 72.233.89.199.80: Flags [S], cksum 0xc77b
(correct), seq 3045315523, win 5840, options [mss 1460,sackOK,TS val
28960222 ecr 0,nop,wscale 6], length 0
01:33:57.220494 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 674, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.55549 > 72.233.89.199.80: Flags [S], cksum 0xc77b
(correct), seq 3045315523, win 5840, options [mss 1460,sackOK,TS val
28960222 ecr 0,nop,wscale 6], length 0
01:34:02.313347 P 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
62: (tos 0x0, ttl 128, id 34224, offset 0, flags [DF], proto TCP (6),
length 40)
xxx.xxx.xxx.xxx.1811 > 72.233.89.199.80: Flags [R.], cksum 0x0cac
(correct), seq 46900914, ack 2096256457, win 0, length 0
01:34:02.313436 In 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
62: (tos 0x0, ttl 128, id 34224, offset 0, flags [DF], proto TCP (6),
length 40)
xxx.xxx.xxx.xxx.1811 > 72.233.89.199.80: Flags [R.], cksum 0x0cac
(correct), seq 0, ack 1, win 0, length 0
01:34:02.355379 P 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 128, id 34232, offset 0, flags [DF], proto TCP (6),
length 48)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [S], cksum 0x668d
(correct), seq 1946517920, win 65535, options [mss
1460,nop,nop,sackOK], length 0
01:34:02.355466 In 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 128, id 34232, offset 0, flags [DF], proto TCP (6),
length 48)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [S], cksum 0x668d
(correct), seq 1946517920, win 65535, options [mss
1460,nop,nop,sackOK], length 0
01:34:02.355562 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 48)
72.233.89.199.80 > xxx.xxx.xxx.xxx.1812: Flags [S.], cksum 0xb3f1
(correct), seq 3439185596, ack 1946517921, win 5840, options [mss
1460,nop,nop,sackOK], length 0
01:34:02.355568 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 48)
72.233.89.199.80 > xxx.xxx.xxx.xxx.1812: Flags [S.], cksum 0xb3f1
(correct), seq 3439185596, ack 1946517921, win 5840, options [mss
1460,nop,nop,sackOK], length 0
01:34:02.355788 P 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
62: (tos 0x0, ttl 128, id 34234, offset 0, flags [DF], proto TCP (6),
length 40)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [.], cksum 0xf785
(correct), seq 1, ack 1, win 65535, length 0
01:34:02.355861 In 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
62: (tos 0x0, ttl 128, id 34234, offset 0, flags [DF], proto TCP (6),
length 40)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [.], cksum 0xf785
(correct), seq 1, ack 1, win 65535, length 0
01:34:02.355955 P 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
1257: (tos 0x0, ttl 128, id 34235, offset 0, flags [DF], proto TCP
(6), length 1241)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [P.], seq 1:1202,
ack 1, win 65535, length 1201
01:34:02.356066 In 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
1257: (tos 0x0, ttl 128, id 34235, offset 0, flags [DF], proto TCP
(6), length 1241)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [P.], seq 1:1202,
ack 1, win 65535, length 1201
01:34:02.356166 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
56: (tos 0x0, ttl 64, id 9311, offset 0, flags [DF], proto TCP (6),
length 40)
72.233.89.199.80 > xxx.xxx.xxx.xxx.1812: Flags [.], cksum 0xd6ae
(correct), seq 1, ack 1202, win 7206, length 0
01:34:02.356173 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
56: (tos 0x0, ttl 64, id 9311, offset 0, flags [DF], proto TCP (6),
length 40)
72.233.89.199.80 > xxx.xxx.xxx.xxx.1812: Flags [.], cksum 0xd6ae
(correct), seq 1, ack 1202, win 7206, length 0
01:34:02.369890 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 40495, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.58739 > 72.233.89.199.80: Flags [S], cksum 0xfd81
(correct), seq 3438900426, win 5840, options [mss 1460,sackOK,TS val
28961509 ecr 0,nop,wscale 6], length 0
01:34:02.369911 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 40495, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.58739 > 72.233.89.199.80: Flags [S], cksum 0xfd81
(correct), seq 3438900426, win 5840, options [mss 1460,sackOK,TS val
28961509 ecr 0,nop,wscale 6], length 0
01:34:02.559422 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
80: (tos 0xb8, ttl 113, id 28699, offset 0, flags [none], proto TCP
(6), length 64)
72.233.89.199.80 > xxx.xxx.xxx.xxx.58739: Flags [S.], cksum 0xe83f
(correct), seq 1205108507, ack 3438900427, win 16384, options [mss
1380,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:34:02.559430 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
80: (tos 0xb8, ttl 113, id 28699, offset 0, flags [none], proto TCP
(6), length 64)
72.233.89.199.80 > xxx.xxx.xxx.xxx.58739: Flags [S.], cksum 0xe83f
(correct), seq 1205108507, ack 3438900427, win 16384, options [mss
1380,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:34:05.368856 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 40496, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.58739 > 72.233.89.199.80: Flags [S], cksum 0xfa93
(correct), seq 3438900426, win 5840, options [mss 1460,sackOK,TS val
28962259 ecr 0,nop,wscale 6], length 0
01:34:05.368866 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 40496, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.58739 > 72.233.89.199.80: Flags [S], cksum 0xfa93
(correct), seq 3438900426, win 5840, options [mss 1460,sackOK,TS val
28962259 ecr 0,nop,wscale 6], length 0
01:34:05.923366 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
80: (tos 0xb8, ttl 113, id 29952, offset 0, flags [none], proto TCP
(6), length 64)
72.233.89.199.80 > xxx.xxx.xxx.xxx.58739: Flags [S.], cksum 0xe83f
(correct), seq 1205108507, ack 3438900427, win 16384, options [mss
1380,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:34:05.923382 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
80: (tos 0xb8, ttl 113, id 29952, offset 0, flags [none], proto TCP
(6), length 64)
72.233.89.199.80 > xxx.xxx.xxx.xxx.58739: Flags [S.], cksum 0xe83f
(correct), seq 1205108507, ack 3438900427, win 16384, options [mss
1380,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:34:09.259233 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 20218, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:09.259253 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 20218, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:09.259802 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:09.259819 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:11.369115 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 40497, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.58739 > 72.233.89.199.80: Flags [S], cksum 0xf4b7
(correct), seq 3438900426, win 5840, options [mss 1460,sackOK,TS val
28963759 ecr 0,nop,wscale 6], length 0
01:34:11.369123 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 40497, offset 0, flags [DF], proto TCP (6),
length 60)
xxx.xxx.xxx.xxx.58739 > 72.233.89.199.80: Flags [S], cksum 0xf4b7
(correct), seq 3438900426, win 5840, options [mss 1460,sackOK,TS val
28963759 ecr 0,nop,wscale 6], length 0
01:34:12.257174 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 20219, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:12.257188 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 20219, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:12.257650 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:12.257666 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:12.542042 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:12.542050 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:12.594189 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
80: (tos 0xb8, ttl 113, id 199, offset 0, flags [none], proto TCP (6),
length 64)
72.233.89.199.80 > xxx.xxx.xxx.xxx.58739: Flags [S.], cksum 0xe83f
(correct), seq 1205108507, ack 3438900427, win 16384, options [mss
1380,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:34:12.594196 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
80: (tos 0xb8, ttl 113, id 199, offset 0, flags [none], proto TCP (6),
length 64)
72.233.89.199.80 > xxx.xxx.xxx.xxx.58739: Flags [S.], cksum 0xe83f
(correct), seq 1205108507, ack 3438900427, win 16384, options [mss
1380,nop,wscale 0,nop,nop,TS val 0 ecr 0,nop,nop,sackOK], length 0
01:34:18.257459 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 20220, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:18.257471 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 64, id 20220, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:18.258049 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:18.258061 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:18.513928 P 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
62: (tos 0x0, ttl 128, id 34291, offset 0, flags [DF], proto TCP (6),
length 40)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [R.], cksum 0xf2d0
(correct), seq 1202, ack 1, win 0, length 0
01:34:18.514026 In 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
62: (tos 0x0, ttl 128, id 34291, offset 0, flags [DF], proto TCP (6),
length 40)
xxx.xxx.xxx.xxx.1812 > 72.233.89.199.80: Flags [R.], cksum 0xf2d0
(correct), seq 1202, ack 1, win 0, length 0
01:34:18.543303 P 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:18.543314 Out 00:11:20:1b:74:40 ethertype IPv4 (0x0800), length
76: (tos 0x0, ttl 59, id 0, offset 0, flags [DF], proto TCP (6),
length 60)
01:34:18.555887 P 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 128, id 34297, offset 0, flags [DF], proto TCP (6),
length 48)
xxx.xxx.xxx.xxx.1813 > 72.233.89.199.80: Flags [S], cksum 0x0c36
(correct), seq 3900663676, win 65535, options [mss
1460,nop,nop,sackOK], length 0
01:34:18.555979 In 00:13:20:8a:da:6c ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 128, id 34297, offset 0, flags [DF], proto TCP (6),
length 48)
xxx.xxx.xxx.xxx.1813 > 72.233.89.199.80: Flags [S], cksum 0x0c36
(correct), seq 3900663676, win 65535, options [mss
1460,nop,nop,sackOK], length 0
01:34:18.556085 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 48)
72.233.89.199.80 > xxx.xxx.xxx.xxx.1813: Flags [S.], cksum 0x455d
(correct), seq 3705262877, ack 3900663677, win 5840, options [mss
1460,nop,nop,sackOK], length 0
01:34:18.556091 Out 00:06:5b:8d:2a:0a ethertype IPv4 (0x0800), length
64: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6),
length 48)
72.233.89.199.80 > xxx.xxx.xxx.xxx.1813: Flags [S.], cksum 0x455d
(correct), seq 3705262877, ack 3900663677, win 5840, options [mss
1460,nop,nop,sackOK], length 0
In the Squid log I see:
2009/10/02 01:39:32.697| comm_select(): got FD 13 events=1
monitoring=19 F->read_handler=1 F->write_handler=0
2009/10/02 01:39:32.697| comm_select(): Calling read handler on FD 13
2009/10/02 01:39:32.697| fd_open() FD 15 HTTP Request
2009/10/02 01:39:32.697| AcceptFD::acceptOne accepted: FD 13 newfd: 15
from: xxx.xxx.xxx.xxx:1814 handler: SomeCommAcceptHandler(FD -1,
data=0x837b248
)
2009/10/02 01:39:32.697| comm.cc(2339) will call
SomeCommAcceptHandler(FD 13, data=0x837b248, newFD 15) [call833]
2009/10/02 01:39:32.697| entering SomeCommAcceptHandler(FD 13,
data=0x837b248, newFD 15)
2009/10/02 01:39:32.697| AsyncCall.cc(32) make: make call
SomeCommAcceptHandler [call833]
2009/10/02 01:39:32.697| cbdataReferenceValid: 0x837b248
2009/10/02 01:39:32.697| comm_accept: FD 13 handler: 0x80c5260
2009/10/02 01:39:32.697| cbdataLock: 0x837b248=2
2009/10/02 01:39:32.697| cbdataLock: 0x837b248=3
2009/10/02 01:39:32.697| The AsyncCall SomeCommAcceptHandler
constructed, this=0x84983c8 [call1294]
2009/10/02 01:39:32.697| cbdataLock: 0x837b248=4
2009/10/02 01:39:32.697| cbdataUnlock: 0x837b248=3
2009/10/02 01:39:32.697| cbdataUnlock: 0x837b248=2
2009/10/02 01:39:32.697| comm_old_accept: FD 13: (11) Resource
temporarily unavailable
2009/10/02 01:39:32.697| comm.cc(2304) acceptOne: try later: FD 13
handler: SomeCommAcceptHandler(FD -1, data=0x837b248)
2009/10/02 01:39:32.697| commSetSelect(FD
13,type=1,handler=1,client_data=0,timeout=0)
2009/10/02 01:39:32.697| httpAccept: FD 15: accepted
2009/10/02 01:39:32.697| AsyncJob of type ConnStateData constructed,
this=0x85f9e14 [async9]
2009/10/02 01:39:32.697| cbdataLock: 0x837b248=3
2009/10/02 01:39:32.698| IpIntercept.cc(381) NatLookup: address BEGIN:
me= 72.233.89.199:80, client= 72.233.89.199:80, dst=
xxx.xxx.xxx.xxx:1814, peer
= xxx.xxx.xxx.xxx:1814
2009/10/02 01:39:32.698| IpIntercept.cc(166) NetfilterTransparent:
address TPROXY: me= 72.233.89.199:80, client= xxx.xxx.xxx.xxx
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=1
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=2
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=3
2009/10/02 01:39:32.698| cbdataUnlock: 0x85f9d00=2
2009/10/02 01:39:32.698| The AsyncCall ConnStateData::connStateClosed
constructed, this=0x8498448 [call1295]
2009/10/02 01:39:32.698| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=3
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=4
2009/10/02 01:39:32.698| cbdataUnlock: 0x85f9d00=3
2009/10/02 01:39:32.698| cbdataUnlock: 0x85f9d00=2
2009/10/02 01:39:32.698| comm_add_close_handler: FD 15, AsyncCall=0x8498448*1
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=3
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=4
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=5
2009/10/02 01:39:32.698| cbdataUnlock: 0x85f9d00=4
2009/10/02 01:39:32.698| The AsyncCall ConnStateData::requestTimeout
constructed, this=0x849ae88 [call1296]
2009/10/02 01:39:32.698| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=5
2009/10/02 01:39:32.698| cbdataLock: 0x85f9d00=6
2009/10/02 01:39:32.698| cbdataUnlock: 0x85f9d00=5
2009/10/02 01:39:32.698| cbdataUnlock: 0x85f9d00=4
2009/10/02 01:39:32.698| comm.cc(1200) commSetTimeout: FD 15 timeout 900
2009/10/02 01:39:32.698| cbdataLock: 0x8372ca0=1
2009/10/02 01:39:32.698| aclCheckFast: list: 0x8372ca0
2009/10/02 01:39:32.698| ACLChecklist::preCheck: 0xbfaf6768 checking
'ident_lookup_access deny all'
2009/10/02 01:39:32.698| ACLList::matches: checking all
2009/10/02 01:39:32.698| ACL::checklistMatches: checking 'all'
2009/10/02 01:39:32.698| aclIpAddrNetworkCompare: compare:
xxx.xxx.xxx.xxx:1814/[::] ([::]:1814) vs [::]-[::]/[::]
2009/10/02 01:39:32.698| aclIpMatchIp: 'xxx.xxx.xxx.xxx:1814' found
2009/10/02 01:39:32.699| ACL::ChecklistMatches: result for 'all' is 1
2009/10/02 01:39:32.699| ACLList::matches: result is true
2009/10/02 01:39:32.699| aclmatchAclList: 0xbfaf6768 returning true
(AND list satisfied)
2009/10/02 01:39:32.699| ACLChecklist::markFinished: 0xbfaf6768
checklist processing finished
2009/10/02 01:39:32.699| cbdataUnlock: 0x8372ca0=0
2009/10/02 01:39:32.699| FilledChecklist.cc(162) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfaf6768
2009/10/02 01:39:32.699| ACLChecklist::~ACLChecklist: destroyed 0xbfaf6768
2009/10/02 01:39:32.699| clientReadSomeData: FD 15: reading request...
2009/10/02 01:39:32.699| cbdataLock: 0x85f9d00=5
2009/10/02 01:39:32.699| cbdataLock: 0x85f9d00=6
2009/10/02 01:39:32.699| cbdataLock: 0x85f9d00=7
2009/10/02 01:39:32.699| cbdataUnlock: 0x85f9d00=6
2009/10/02 01:39:32.699| The AsyncCall
ConnStateData::clientReadRequest constructed, this=0x849aed8
[call1297]
2009/10/02 01:39:32.699| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.699| cbdataLock: 0x85f9d00=7
2009/10/02 01:39:32.699| cbdataLock: 0x85f9d00=8
2009/10/02 01:39:32.699| cbdataUnlock: 0x85f9d00=7
2009/10/02 01:39:32.699| cbdataUnlock: 0x85f9d00=6
2009/10/02 01:39:32.699| comm_read, queueing read for FD 15; asynCall
0x849aed8*1
2009/10/02 01:39:32.699| commSetSelect(FD
15,type=1,handler=1,client_data=0xb646f480,timeout=0)
2009/10/02 01:39:32.699| leaving SomeCommAcceptHandler(FD 13,
data=0x837b248, newFD 15)
2009/10/02 01:39:32.699| cbdataUnlock: 0x837b248=2
2009/10/02 01:39:32.699| Engine 0xbfaf6abc is idle.
2009/10/02 01:39:32.699| Engine 0xbfaf6ad8 is idle.
2009/10/02 01:39:32.699| comm_select(): got FD 15 events=1
monitoring=19 F->read_handler=1 F->write_handler=0
2009/10/02 01:39:32.699| comm_select(): Calling read handler on FD 15
2009/10/02 01:39:32.699| comm_read_try: FD 15, size 4095, retval 1201, errno 0
2009/10/02 01:39:32.699| commio_finish_callback: called for FD 15 (0, 0)
2009/10/02 01:39:32.699| comm.cc(163) will call
ConnStateData::clientReadRequest(FD 15, data=0x85f9d00, size=1201,
buf=0xb60a6008) [call1297]
2009/10/02 01:39:32.700| entering ConnStateData::clientReadRequest(FD
15, data=0x85f9d00, size=1201, buf=0xb60a6008)
2009/10/02 01:39:32.700| AsyncCall.cc(32) make: make call
ConnStateData::clientReadRequest [call1297]
2009/10/02 01:39:32.700| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.700| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.700| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.700| ConnStateData status in: [ job9]
2009/10/02 01:39:32.700| client_side.cc(2639) clientReadRequest:
clientReadRequest FD 15 size 1201
2009/10/02 01:39:32.700| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.700| clientParseRequest: FD 15: attempting to parse
2009/10/02 01:39:32.700| httpParseInit: Request buffer is GET / HTTP/1.0
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, appli
cation/msword,
application/xaml+xml, application/vnd.ms-xpsdocument,
application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-US,he;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; MRA 5.0 (build 02094); GTB6; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.
04506.30; .NET CLR
3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)
Host: www.whatismyip.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSQDDATA=PPCHOFDBFDOPKKJJIKKFIFDG;
ASPSESSIONIDQSSCBBSA=AAANIGMANJIBGGHDLHHNGMKO;
ASPSESSIONIDCSCDSBAR=PHFOAMFCHFMJEGFMGABBECFP; A
SPSESSIONIDSSQDDBSB=INHCAHBCNHNABPKCHJJOILBD;
__utma=18138879.1116318747.1254271923.1254433161.1254437183.5;
__utmc=18138879; __utmz=18138879.12542719
24.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
ASPSESSIONIDQADQSQSB=CGOBLHJBDLGBEDFJPLDPBICH;
ASPSESSIONIDQSQBBCSA=GEOMCGHBCDEBCKEIKFIFNHJP; AS
PSESSIONIDSQRDBCSA=AKNELGBCJKPGMFAJFIIEPPPC;
ASPSESSIONIDQAARRTTA=MLNBPEBCCEEAGPKKIDPALNNF
2009/10/02 01:39:32.700| httpParserParseReqLine: parsing GET / HTTP/1.0
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, appli
cation/msword,
application/xaml+xml, application/vnd.ms-xpsdocument,
application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-US,he;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; MRA 5.0 (build 02094); GTB6; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.
04506.30; .NET CLR
3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)
Host: www.whatismyip.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSQDDATA=PPCHOFDBFDOPKKJJIKKFIFDG;
ASPSESSIONIDQSSCBBSA=AAANIGMANJIBGGHDLHHNGMKO;
ASPSESSIONIDCSCDSBAR=PHFOAMFCHFMJEGFMGABBECFP; A
SPSESSIONIDSSQDDBSB=INHCAHBCNHNABPKCHJJOILBD;
__utma=18138879.1116318747.1254271923.1254433161.1254437183.5;
__utmc=18138879; __utmz=18138879.12542719
24.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
ASPSESSIONIDQADQSQSB=CGOBLHJBDLGBEDFJPLDPBICH;
ASPSESSIONIDQSQBBCSA=GEOMCGHBCDEBCKEIKFIFNHJP; AS
PSESSIONIDSQRDBCSA=AKNELGBCJKPGMFAJFIIEPPPC;
ASPSESSIONIDQAARRTTA=MLNBPEBCCEEAGPKKIDPALNNF
2009/10/02 01:39:32.700| Parser: retval 1: from 0->15: method 0->2;
url 4->4; version 6->14 (1/1)
2009/10/02 01:39:32.700| parseHttpRequest: req_hdr = {Accept:
image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, applicat
ion/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/xaml+xml, application/vnd.ms-xpsdocument,
application/x-ms-xbap, appl
ication/x-ms-application,
*/*
Accept-Language: en-US,he;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; MRA 5.0 (build 02094); GTB6; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.
04506.30; .NET CLR
3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)
Accept-Encoding: gzip, deflate
Host: www.whatismyip.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSQDDATA=PPCHOFDBFDOPKKJJIKKFIFDG;
ASPSESSIONIDQSSCBBSA=AAANIGMANJIBGGHDLHHNGMKO;
ASPSESSIONIDCSCDSBAR=PHFOAMFCHFMJEGFMGABBECFP; A
SPSESSIONIDSSQDDBSB=INHCAHBCNHNABPKCHJJOILBD;
__utma=18138879.1116318747.1254271923.1254433161.1254437183.5;
__utmc=18138879; __utmz=18138879.12542719
24.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
ASPSESSIONIDQADQSQSB=CGOBLHJBDLGBEDFJPLDPBICH;
ASPSESSIONIDQSQBBCSA=GEOMCGHBCDEBCKEIKFIFNHJP; AS
PSESSIONIDSQRDBCSA=AKNELGBCJKPGMFAJFIIEPPPC;
ASPSESSIONIDQAARRTTA=MLNBPEBCCEEAGPKKIDPALNNF
}
2009/10/02 01:39:32.700| parseHttpRequest: end = {
}
2009/10/02 01:39:32.700| parseHttpRequest: prefix_sz = 1201, req_line_sz = 16
2009/10/02 01:39:32.700| cbdataLock: 0x85f9d00=7
2009/10/02 01:39:32.700| cbdataLock: 0x86023b0=1
2009/10/02 01:39:32.700| cbdataLock: 0x860a3c8=1
2009/10/02 01:39:32.700| clientStreamInsertHead: Inserted node
0x860a410 with data 0xb60440a8 after head
2009/10/02 01:39:32.700| cbdataLock: 0x860a410=1
2009/10/02 01:39:32.700| parseHttpRequest: Request Header is
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, appli
cation/msword,
application/xaml+xml, application/vnd.ms-xpsdocument,
application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-US,he;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; MRA 5.0 (build 02094); GTB6; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.
04506.30; .NET CLR
3.0.04506.648; .NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)
Accept-Encoding: gzip, deflate
Host: www.whatismyip.com
Connection: Keep-Alive
Cookie: ASPSESSIONIDSSQDDATA=PPCHOFDBFDOPKKJJIKKFIFDG;
ASPSESSIONIDQSSCBBSA=AAANIGMANJIBGGHDLHHNGMKO;
ASPSESSIONIDCSCDSBAR=PHFOAMFCHFMJEGFMGABBECFP; A
SPSESSIONIDSSQDDBSB=INHCAHBCNHNABPKCHJJOILBD;
__utma=18138879.1116318747.1254271923.1254433161.1254437183.5;
__utmc=18138879; __utmz=18138879.12542719
24.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
ASPSESSIONIDQADQSQSB=CGOBLHJBDLGBEDFJPLDPBICH;
ASPSESSIONIDQSQBBCSA=GEOMCGHBCDEBCKEIKFIFNHJP; AS
PSESSIONIDSQRDBCSA=AKNELGBCJKPGMFAJFIIEPPPC;
ASPSESSIONIDQAARRTTA=MLNBPEBCCEEAGPKKIDPALNNF
2009/10/02 01:39:32.700| mime_get_header: looking for 'Host'
2009/10/02 01:39:32.700| mime_get_header: checking 'Host: www.whatismyip.com'
2009/10/02 01:39:32.700| mime_get_header: returning 'www.whatismyip.com'
2009/10/02 01:39:32.700| TRANSPARENT HOST REWRITE: 'http://www.whatismyip.com/'
2009/10/02 01:39:32.700| parseHttpRequest: Complete request received
2009/10/02 01:39:32.700| clientParseRequest: FD 15: parsed a request
2009/10/02 01:39:32.700| comm.cc(1189) commSetTimeout: FD 15 timeout 86400
2009/10/02 01:39:32.701| cbdataLock: 0x86023b0=2
2009/10/02 01:39:32.701| cbdataLock: 0x86023b0=3
2009/10/02 01:39:32.701| The AsyncCall SomeTimeoutHandler constructed,
this=0x84aaf90 [call1298]
2009/10/02 01:39:32.701| cbdataLock: 0x86023b0=4
2009/10/02 01:39:32.701| cbdataUnlock: 0x86023b0=3
2009/10/02 01:39:32.701| cbdataUnlock: 0x86023b0=2
2009/10/02 01:39:32.701| comm.cc(1200) commSetTimeout: FD 15 timeout 86400
2009/10/02 01:39:32.701| cbdataUnlock: 0x85f9d00=6
2009/10/02 01:39:32.701| cbdataUnlock: 0x85f9d00=5
2009/10/02 01:39:32.701| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.701| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.701| urlParse: Split URL
'http://www.whatismyip.com/' into proto='http',
host='www.whatismyip.com', port='80', path='/'
2009/10/02 01:39:32.701| init-ing hdr: 0x85cc1b4 owner: 2
2009/10/02 01:39:32.701| parsing hdr: (0x85cc1b4)
Accept: image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, application/vnd.ms-excel,
application/vnd.ms-powerpoint, appli
cation/msword,
application/xaml+xml, application/vnd.ms-xpsdocument,
application/x-ms-xbap, application/x-ms-application, */*
Accept-Language: en-US,he;q=0.5
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; MRA 5.0 (build 02094); GTB6; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.
04506.30; .NET CLR
3.0.04506.648; .NET CLR 3.5.2102
2009/10/02 01:39:32.701| parsing HttpHeaderEntry: near 'Accept:
image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash, applic
ation/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword,
application/xaml+xml, application/vnd.ms-xpsdocument,
application/x-ms-xbap, ap
plication/x-ms-application,
*/*'
2009/10/02 01:39:32.701| parsed HttpHeaderEntry: 'Accept: image/gif,
image/jpeg, image/pjpeg, image/pjpeg, application/x-shockwave-flash,
application/
vnd.ms-excel,
application/vnd.ms-powerpoint, application/msword,
application/xaml+xml, application/vnd.ms-xpsdocument,
application/x-ms-xbap, applicat
ion/x-ms-application,
*/*'
2009/10/02 01:39:32.701| created HttpHeaderEntry 0x85daf48: 'Accept :
image/gif, image/jpeg, image/pjpeg, image/pjpeg,
application/x-shockwave-flash,
application/vnd.ms-excel, application/vnd.ms-powerpoint,
application/msword, application/xaml+xml,
application/vnd.ms-xpsdocument, application/x-ms-xb
ap,
application/x-ms-application, */*
2009/10/02 01:39:32.701| 0x85cc1b4 adding entry: 0 at 0
2009/10/02 01:39:32.701| parsing HttpHeaderEntry: near
'Accept-Language: en-US,he;q=0.5'
2009/10/02 01:39:32.701| parsed HttpHeaderEntry: 'Accept-Language:
en-US,he;q=0.5'
2009/10/02 01:39:32.701| created HttpHeaderEntry 0x85daf64:
'Accept-Language : en-US,he;q=0.5
2009/10/02 01:39:32.701| 0x85cc1b4 adding entry: 3 at 1
2009/10/02 01:39:32.701| parsing HttpHeaderEntry: near 'User-Agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; MRA
5.0 (build 020
94); GTB6; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR
3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.307
29)'
2009/10/02 01:39:32.701| parsed HttpHeaderEntry: 'User-Agent:
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; MRA
5.0 (build 02094); G
TB6; InfoPath.2; .NET CLR
2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648; .NET CLR
3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729)'
2009/10/02 01:39:32.701| created HttpHeaderEntry 0x85daf80:
'User-Agent : Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1;
Trident/4.0; MRA 5.0 (bui
ld 02094); GTB6; InfoPath.2;
.NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648;
.NET CLR 3.5.21022; .NET CLR 3.0.4506.2152; .NET CLR 3
.5.30729)
2009/10/02 01:39:32.701| 0x85cc1b4 adding entry: 55 at 2
2009/10/02 01:39:32.702| parsing HttpHeaderEntry: near
'Accept-Encoding: gzip, deflate'
2009/10/02 01:39:32.702| parsed HttpHeaderEntry: 'Accept-Encoding:
gzip, deflate'
2009/10/02 01:39:32.702| created HttpHeaderEntry 0x85daf9c:
'Accept-Encoding : gzip, deflate
2009/10/02 01:39:32.702| 0x85cc1b4 adding entry: 2 at 3
2009/10/02 01:39:32.702| parsing HttpHeaderEntry: near 'Host:
www.whatismyip.com'
2009/10/02 01:39:32.702| parsed HttpHeaderEntry: 'Host: www.whatismyip.com'
2009/10/02 01:39:32.702| created HttpHeaderEntry 0x85dafb8: 'Host :
www.whatismyip.com
2009/10/02 01:39:32.702| 0x85cc1b4 adding entry: 24 at 4
2009/10/02 01:39:32.702| parsing HttpHeaderEntry: near 'Connection: Keep-Alive'
2009/10/02 01:39:32.702| parsed HttpHeaderEntry: 'Connection: Keep-Alive'
2009/10/02 01:39:32.702| created HttpHeaderEntry 0x85dafd4:
'Connection : Keep-Alive
2009/10/02 01:39:32.702| 0x85cc1b4 adding entry: 9 at 5
2009/10/02 01:39:32.702| parsing HttpHeaderEntry: near 'Cookie:
ASPSESSIONIDSSQDDATA=PPCHOFDBFDOPKKJJIKKFIFDG;
ASPSESSIONIDQSSCBBSA=AAANIGMANJIBGGHDLH
HNGMKO;
ASPSESSIONIDCSCDSBAR=PHFOAMFCHFMJEGFMGABBECFP;
ASPSESSIONIDSSQDDBSB=INHCAHBCNHNABPKCHJJOILBD;
__utma=18138879.1116318747.1254271923.1254433161
.1254437183.5; __utmc=18138879;
__utmz=18138879.1254271924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
ASPSESSIONIDQADQSQSB=CGOBLHJBDLGBEDFJPLD
PBICH;
ASPSESSIONIDQSQBBCSA=GEOMCGHBCDEBCKEIKFIFNHJP;
ASPSESSIONIDSQRDBCSA=AKNELGBCJKPGMFAJFIIEPPPC; ASPSESSIONIDQAAR'
2009/10/02 01:39:32.702| parsed HttpHeaderEntry: 'Cookie:
ASPSESSIONIDSSQDDATA=PPCHOFDBFDOPKKJJIKKFIFDG;
ASPSESSIONIDQSSCBBSA=AAANIGMANJIBGGHDLHHNGMKO
;
ASPSESSIONIDCSCDSBAR=PHFOAMFCHFMJEGFMGABBECFP;
ASPSESSIONIDSSQDDBSB=INHCAHBCNHNABPKCHJJOILBD;
__utma=18138879.1116318747.1254271923.1254433161.12544
37183.5; __utmc=18138879;
__utmz=18138879.1254271924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
ASPSESSIONIDQADQSQSB=CGOBLHJBDLGBEDFJPLDPBICH;
ASPSESSIONIDQSQBBCSA=GEOMCGHBCDEBCKEIKFIFNHJP;
ASPSESSIONIDSQRDBCSA=AKNELGBCJKPGMFAJFIIEPPPC;
ASPSESSIONIDQAARRTTA=MLNBPEBCCEEAGPKKIDPALNNF'
2009/10/02 01:39:32.702| created HttpHeaderEntry 0x85daff0: 'Cookie :
ASPSESSIONIDSSQDDATA=PPCHOFDBFDOPKKJJIKKFIFDG;
ASPSESSIONIDQSSCBBSA=AAANIGMANJIB
GGHDLHHNGMKO;
ASPSESSIONIDCSCDSBAR=PHFOAMFCHFMJEGFMGABBECFP;
ASPSESSIONIDSSQDDBSB=INHCAHBCNHNABPKCHJJOILBD;
__utma=18138879.1116318747.1254271923.1254
433161.1254437183.5; __utmc=18138879;
__utmz=18138879.1254271924.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none);
ASPSESSIONIDQADQSQSB=CGOBLHJBDLGBE
DFJPLDPBICH;
ASPSESSIONIDQSQBBCSA=GEOMCGHBCDEBCKEIKFIFNHJP;
ASPSESSIONIDSQRDBCSA=AKNELGBCJKPGMFAJFIIEPPPC;
ASPSESSIONIDQAARRTTA=MLNBPEBCCEEAGPKKIDPALN
NF
2009/10/02 01:39:32.702| 0x85cc1b4 adding entry: 19 at 6
2009/10/02 01:39:32.702| 0x85cc1b4 lookup for 51
2009/10/02 01:39:32.702| clientSetKeepaliveFlag: http_ver = 1.1
2009/10/02 01:39:32.702| clientSetKeepaliveFlag: method = GET
2009/10/02 01:39:32.702| 0x85cc1b4 lookup for 57
2009/10/02 01:39:32.702| 0x85cc1b4 lookup for 39
2009/10/02 01:39:32.702| 0x85cc1b4 lookup for 9
2009/10/02 01:39:32.702| 0x85cc1b4joining for id 9
2009/10/02 01:39:32.702| 0x85cc1b4: joined for id 9: Keep-Alive
2009/10/02 01:39:32.702| cbdataLock: 0x86023b0=3
2009/10/02 01:39:32.702| client_side_request.cc(136)
ClientRequestContext: 0x86124f8 ClientRequestContext constructed
2009/10/02 01:39:32.702| client_side_request.cc(1258) doCallouts:
Doing calloutContext->clientAccessCheck()
2009/10/02 01:39:32.702| 0x85cc1b4 lookup for 63
2009/10/02 01:39:32.702| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.702| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.702| cbdataLock: 0x8372e80=1
2009/10/02 01:39:32.703| cbdataLock: 0x85f9d00=6
2009/10/02 01:39:32.703| cbdataLock: 0x86124f8=1
2009/10/02 01:39:32.703| cbdataReferenceValid: 0x86124f8
2009/10/02 01:39:32.703| cbdataReferenceValid: 0x8372e80
2009/10/02 01:39:32.703| ACLChecklist::preCheck: 0x86165b8 checking
'http_access allow manager localhost'
2009/10/02 01:39:32.703| ACLList::matches: checking manager
2009/10/02 01:39:32.703| ACL::checklistMatches: checking 'manager'
2009/10/02 01:39:32.703| ACL::ChecklistMatches: result for 'manager' is 0
2009/10/02 01:39:32.703| ACLList::matches: result is false
2009/10/02 01:39:32.703| aclmatchAclList: 0x86165b8 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.703| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.703| cbdataLock: 0x8372c60=1
2009/10/02 01:39:32.703| cbdataUnlock: 0x8372e80=0
2009/10/02 01:39:32.703| cbdataReferenceValid: 0x8372c60
2009/10/02 01:39:32.703| ACLChecklist::preCheck: 0x86165b8 checking
'http_access deny manager'
2009/10/02 01:39:32.703| ACLList::matches: checking manager
2009/10/02 01:39:32.703| ACL::checklistMatches: checking 'manager'
2009/10/02 01:39:32.703| ACL::ChecklistMatches: result for 'manager' is 0
2009/10/02 01:39:32.703| ACLList::matches: result is false
2009/10/02 01:39:32.703| aclmatchAclList: 0x86165b8 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.703| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.703| cbdataLock: 0x8372e60=1
2009/10/02 01:39:32.703| cbdataUnlock: 0x8372c60=0
2009/10/02 01:39:32.703| cbdataReferenceValid: 0x8372e60
2009/10/02 01:39:32.703| ACLChecklist::preCheck: 0x86165b8 checking
'http_access allow purge localhost'
2009/10/02 01:39:32.703| ACLList::matches: checking purge
2009/10/02 01:39:32.703| ACL::checklistMatches: checking 'purge'
2009/10/02 01:39:32.703| ACL::ChecklistMatches: result for 'purge' is 0
2009/10/02 01:39:32.703| ACLList::matches: result is false
2009/10/02 01:39:32.703| aclmatchAclList: 0x86165b8 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.703| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.703| cbdataLock: 0x8372e40=1
2009/10/02 01:39:32.704| cbdataUnlock: 0x8372e60=0
2009/10/02 01:39:32.704| cbdataReferenceValid: 0x8372e40
2009/10/02 01:39:32.704| ACLChecklist::preCheck: 0x86165b8 checking
'http_access deny purge'
2009/10/02 01:39:32.704| ACLList::matches: checking purge
2009/10/02 01:39:32.704| ACL::checklistMatches: checking 'purge'
2009/10/02 01:39:32.704| ACL::ChecklistMatches: result for 'purge' is 0
2009/10/02 01:39:32.704| ACLList::matches: result is false
2009/10/02 01:39:32.704| aclmatchAclList: 0x86165b8 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.704| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.704| cbdataLock: 0x8372e00=1
2009/10/02 01:39:32.704| cbdataUnlock: 0x8372e40=0
2009/10/02 01:39:32.704| cbdataReferenceValid: 0x8372e00
2009/10/02 01:39:32.704| ACLChecklist::preCheck: 0x86165b8 checking
'http_access deny !Safe_ports'
2009/10/02 01:39:32.704| ACLList::matches: checking !Safe_ports
2009/10/02 01:39:32.704| ACL::checklistMatches: checking 'Safe_ports'
2009/10/02 01:39:32.704| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2009/10/02 01:39:32.704| ACLList::matches: result is false
2009/10/02 01:39:32.704| aclmatchAclList: 0x86165b8 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.704| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.704| cbdataLock: 0x8372de0=1
2009/10/02 01:39:32.704| cbdataUnlock: 0x8372e00=0
2009/10/02 01:39:32.704| cbdataReferenceValid: 0x8372de0
2009/10/02 01:39:32.704| ACLChecklist::preCheck: 0x86165b8 checking
'http_access deny CONNECT !SSL_ports'
2009/10/02 01:39:32.704| ACLList::matches: checking CONNECT
2009/10/02 01:39:32.704| ACL::checklistMatches: checking 'CONNECT'
2009/10/02 01:39:32.704| ACL::ChecklistMatches: result for 'CONNECT' is 0
2009/10/02 01:39:32.704| ACLList::matches: result is false
2009/10/02 01:39:32.704| aclmatchAclList: 0x86165b8 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.704| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.704| cbdataLock: 0x8372dc0=1
2009/10/02 01:39:32.704| cbdataUnlock: 0x8372de0=0
2009/10/02 01:39:32.704| cbdataReferenceValid: 0x8372dc0
2009/10/02 01:39:32.704| ACLChecklist::preCheck: 0x86165b8 checking
'http_access allow localhost'
2009/10/02 01:39:32.705| ACLList::matches: checking localhost
2009/10/02 01:39:32.705| ACL::checklistMatches: checking 'localhost'
2009/10/02 01:39:32.705| aclIpAddrNetworkCompare: compare:
xxx.xxx.xxx.xxx/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
(xxx.xxx.xxx.xxx) vs 127.0.0.1-[
::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2009/10/02 01:39:32.705| aclIpMatchIp: 'xxx.xxx.xxx.xxx' NOT found
2009/10/02 01:39:32.705| ACL::ChecklistMatches: result for 'localhost' is 0
2009/10/02 01:39:32.705| ACLList::matches: result is false
2009/10/02 01:39:32.705| aclmatchAclList: 0x86165b8 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.705| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.705| cbdataLock: 0x8372da0=1
2009/10/02 01:39:32.705| cbdataUnlock: 0x8372dc0=0
2009/10/02 01:39:32.705| cbdataReferenceValid: 0x8372da0
2009/10/02 01:39:32.705| ACLChecklist::preCheck: 0x86165b8 checking
'http_access allow Customers'
2009/10/02 01:39:32.705| ACLList::matches: checking Customers
2009/10/02 01:39:32.705| ACL::checklistMatches: checking 'Customers'
2009/10/02 01:39:32.705| aclIpAddrNetworkCompare: compare:
xxx.xxx.xxx.xxx/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
(xxx.xxx.xxx.xxx) vs 192.115.188
.100-[::]/[ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff]
2009/10/02 01:39:32.705| aclIpMatchIp: 'xxx.xxx.xxx.xxx' found
2009/10/02 01:39:32.705| ACL::ChecklistMatches: result for 'Customers' is 1
2009/10/02 01:39:32.705| ACLList::matches: result is true
2009/10/02 01:39:32.705| aclmatchAclList: 0x86165b8 returning true
(AND list satisfied)
2009/10/02 01:39:32.705| ACLChecklist::markFinished: 0x86165b8
checklist processing finished
2009/10/02 01:39:32.705| ACLChecklist::check: 0x86165b8 match found,
calling back with 1
2009/10/02 01:39:32.705| cbdataUnlock: 0x8372da0=0
2009/10/02 01:39:32.705| ACLFilledChecklist::checkCallback: 0x86165b8 answer=1
2009/10/02 01:39:32.705| ACLChecklist::checkCallback: 0x86165b8 answer=1
2009/10/02 01:39:32.705| cbdataReferenceValid: 0x86124f8
2009/10/02 01:39:32.705| cbdataUnlock: 0x86124f8=0
2009/10/02 01:39:32.705| cbdataReferenceValid: 0x86023b0
2009/10/02 01:39:32.705| The request GET http://www.whatismyip.com/ is
ALLOWED, because it matched 'Customers'
2009/10/02 01:39:32.705| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.705| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.705| client_side_request.cc(1287) doCallouts:
Doing clientInterpretRequestHeaders()
2009/10/02 01:39:32.706| 0x85cc1b4 lookup for 35
2009/10/02 01:39:32.706| 0x85cc1b4 lookup for 7
2009/10/02 01:39:32.706| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.706| 0x85cc1b4 lookup for 7
2009/10/02 01:39:32.706| 0x85cc1b4 lookup for 38
2009/10/02 01:39:32.706| 0x85cc1b4 lookup for 57
2009/10/02 01:39:32.706| clientInterpretRequestHeaders: REQ_NOCACHE = NOT SET
2009/10/02 01:39:32.706| clientInterpretRequestHeaders: REQ_CACHABLE = SET
2009/10/02 01:39:32.706| clientInterpretRequestHeaders: REQ_HIERARCHICAL = SET
2009/10/02 01:39:32.706| client_side_request.cc(1296) doCallouts:
Doing calloutContext->checkNoCache()
2009/10/02 01:39:32.706| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.706| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.706| cbdataLock: 0x8372c80=1
2009/10/02 01:39:32.706| cbdataLock: 0x85f9d00=7
2009/10/02 01:39:32.706| cbdataLock: 0x86124f8=1
2009/10/02 01:39:32.706| cbdataReferenceValid: 0x86124f8
2009/10/02 01:39:32.706| cbdataReferenceValid: 0x8372c80
2009/10/02 01:39:32.706| ACLChecklist::preCheck: 0x86166a0 checking
'no_cache deny QUERY'
2009/10/02 01:39:32.706| ACLList::matches: checking QUERY
2009/10/02 01:39:32.706| ACL::checklistMatches: checking 'QUERY'
2009/10/02 01:39:32.706| aclRegexData::match: checking '/'
2009/10/02 01:39:32.706| aclRegexData::match: looking for 'cgi-bin'
2009/10/02 01:39:32.706| aclRegexData::match: looking for '\?'
2009/10/02 01:39:32.706| ACL::ChecklistMatches: result for 'QUERY' is 0
2009/10/02 01:39:32.706| ACLList::matches: result is false
2009/10/02 01:39:32.706| aclmatchAclList: 0x86166a0 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.706| aclmatchAclList: async=0 nodeMatched=0
async_in_progress=0 lastACLResult() = 0 finished() = 0
2009/10/02 01:39:32.706| cbdataUnlock: 0x8372c80=0
2009/10/02 01:39:32.706| Checklist.cc(124) check: 0x86166a0 NO match
found, returning 1
2009/10/02 01:39:32.706| ACLFilledChecklist::checkCallback: 0x86166a0 answer=1
2009/10/02 01:39:32.706| ACLChecklist::checkCallback: 0x86166a0 answer=1
2009/10/02 01:39:32.706| cbdataReferenceValid: 0x86124f8
2009/10/02 01:39:32.707| cbdataUnlock: 0x86124f8=0
2009/10/02 01:39:32.707| cbdataReferenceValid: 0x86023b0
2009/10/02 01:39:32.707| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.707| FilledChecklist.cc(162) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfaf61c0
2009/10/02 01:39:32.707| ACLChecklist::~ACLChecklist: destroyed 0xbfaf61c0
2009/10/02 01:39:32.707| cbdataUnlock: 0x86023b0=2
2009/10/02 01:39:32.707| client_side_request.cc(127)
~ClientRequestContext: 0x86124f8 ClientRequestContext destructed
2009/10/02 01:39:32.707| cbdataFree: 0x86124f8
2009/10/02 01:39:32.707| cbdataFree: Freeing 0x86124f8
2009/10/02 01:39:32.707| client_side_request.cc(1322) doCallouts:
calling processRequest()
2009/10/02 01:39:32.707| clientProcessRequest: GET 'http://www.whatismyip.com/'
2009/10/02 01:39:32.707| ClientHttpRequest::httpStart: NONE for
'http://www.whatismyip.com/'
2009/10/02 01:39:32.707| clientStreamRead: Calling 1 with cbdata
0xb60220f8 from node 0x860a410
2009/10/02 01:39:32.707| cbdataReferenceValid: 0x860a3c8
2009/10/02 01:39:32.707| storeGet: looking up B59C974F6C68D46AC022EA13FF05023D
2009/10/02 01:39:32.707| clientProcessRequest2: StoreEntry is NULL - MISS
2009/10/02 01:39:32.707| clientProcessMiss: 'GET http://www.whatismyip.com/'
2009/10/02 01:39:32.707| storeCreateEntry: 'http://www.whatismyip.com/'
2009/10/02 01:39:32.707| store.cc(370) StoreEntry: new StoreEntry 0xb6129890
2009/10/02 01:39:32.707| MemObject.cc(76) MemObject: new MemObject 0x85bf178
2009/10/02 01:39:32.707| init-ing hdr: 0x85c3454 owner: 3
2009/10/02 01:39:32.707| 0x85c3454 lookup for 39
2009/10/02 01:39:32.707| 0x85c3454 lookup for 9
2009/10/02 01:39:32.707| 0x85c3454 lookup for 22
2009/10/02 01:39:32.707| storeKeyPrivate: GET http://www.whatismyip.com/
2009/10/02 01:39:32.707| StoreEntry::hashInsert: Inserting Entry
0xb6129890 key 'BBFE1C7C79928B3B58688F1014E68F2E'
2009/10/02 01:39:32.707| store_client::copy:
BBFE1C7C79928B3B58688F1014E68F2E, from 0, for length 4096, cb 1,
cbdata 0xb6021094
2009/10/02 01:39:32.707| cbdataLock: 0xb6021094=1
2009/10/02 01:39:32.707| storeClientCopy2: BBFE1C7C79928B3B58688F1014E68F2E
2009/10/02 01:39:32.707| cbdataLock: 0x861b124=1
2009/10/02 01:39:32.708| store_client::doCopy: co: 0, hi: 0
2009/10/02 01:39:32.708| store_client::doCopy: Waiting for more
2009/10/02 01:39:32.708| cbdataUnlock: 0x861b124=0
2009/10/02 01:39:32.708| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.708| cbdataReferenceValid: 0x85f9d00
2009/10/02 01:39:32.708| cbdataLock: 0x8372ea0=1
2009/10/02 01:39:32.708| aclCheckFast: list: 0x8372ea0
2009/10/02 01:39:32.708| ACLChecklist::preCheck: 0xbfaf5fec checking
'miss_access allow all'
2009/10/02 01:39:32.708| ACLList::matches: checking all
2009/10/02 01:39:32.708| ACL::checklistMatches: checking 'all'
2009/10/02 01:39:32.708| aclIpAddrNetworkCompare: compare:
xxx.xxx.xxx.xxx/[::] ([::]) vs [::]-[::]/[::]
2009/10/02 01:39:32.708| aclIpMatchIp: 'xxx.xxx.xxx.xxx' found
2009/10/02 01:39:32.708| ACL::ChecklistMatches: result for 'all' is 1
2009/10/02 01:39:32.708| ACLList::matches: result is true
2009/10/02 01:39:32.708| aclmatchAclList: 0xbfaf5fec returning true
(AND list satisfied)
2009/10/02 01:39:32.708| ACLChecklist::markFinished: 0xbfaf5fec
checklist processing finished
2009/10/02 01:39:32.708| cbdataUnlock: 0x8372ea0=0
2009/10/02 01:39:32.708| FilledChecklist.cc(162) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfaf5fec
2009/10/02 01:39:32.708| ACLChecklist::~ACLChecklist: destroyed 0xbfaf5fec
2009/10/02 01:39:32.708| FwdState::start() 'http://www.whatismyip.com/'
2009/10/02 01:39:32.708| StoreEntry::lock: key
'BBFE1C7C79928B3B58688F1014E68F2E' count=2
2009/10/02 01:39:32.708| cbdataLock: 0x861f204=1
2009/10/02 01:39:32.708| peerSelect: http://www.whatismyip.com/
2009/10/02 01:39:32.708| cbdataLock: 0x861f204=2
2009/10/02 01:39:32.708| StoreEntry::lock: key
'BBFE1C7C79928B3B58688F1014E68F2E' count=3
2009/10/02 01:39:32.708| peerSelectFoo: 'GET www.whatismyip.com'
2009/10/02 01:39:32.708| peerSelectFoo: direct = DIRECT_MAYBE
2009/10/02 01:39:32.708| peerSelectIcpPing: http://www.whatismyip.com/
2009/10/02 01:39:32.708| neighborsCount: 0
2009/10/02 01:39:32.708| peerSelectIcpPing: counted 0 neighbors
2009/10/02 01:39:32.708| peerGetSomeParent: GET www.whatismyip.com
2009/10/02 01:39:32.709| getDefaultParent: returning NULL
2009/10/02 01:39:32.709| neighbors.cc(322) getRoundRobinParent: returning NULL
2009/10/02 01:39:32.709| getWeightedRoundRobinParent: returning NULL
2009/10/02 01:39:32.709| getFirstUpParent: returning NULL
2009/10/02 01:39:32.709| getAnyParent: returning NULL
2009/10/02 01:39:32.709| peerAddFwdServer: adding DIRECT HIER_DIRECT
2009/10/02 01:39:32.709| peerSelectCallback: http://www.whatismyip.com/
2009/10/02 01:39:32.709| cbdataReferenceValid: 0x861f204
2009/10/02 01:39:32.709| cbdataUnlock: 0x861f204=1
2009/10/02 01:39:32.709| fwdStartComplete: http://www.whatismyip.com/
2009/10/02 01:39:32.709| fwdConnectStart: http://www.whatismyip.com/
2009/10/02 01:39:32.709| PconnPool::key(www.whatismyip.com,80,(no
domain),xxx.xxx.xxx.xxxis {www.whatismyip.com:80-xxx.xxx.xxx.xxx}
2009/10/02 01:39:32.709| PconnPool::pop: lookup for key
{www.whatismyip.com:80-xxx.xxx.xxx.xxx} failed.
2009/10/02 01:39:32.709| FilledChecklist.cc(162) ~ACLFilledChecklist:
ACLFilledChecklist destroyed 0xbfaf5d38
2009/10/02 01:39:32.709| ACLChecklist::~ACLChecklist: destroyed 0xbfaf5d38
2009/10/02 01:39:32.709| fwdConnectStart: got outgoing addr
xxx.xxx.xxx.xxx, tos 0
2009/10/02 01:39:32.709| comm_openex: Attempt open socket for: xxx.xxx.xxx.xxx
2009/10/02 01:39:32.709| comm_openex: Opened socket FD 16 : family=2,
type=1, protocol=6
2009/10/02 01:39:32.709| comm_open: FD 16 is a new socket
2009/10/02 01:39:32.709| fd_open() FD 16 http://www.whatismyip.com/
2009/10/02 01:39:32.709| commBind: bind socket FD 16 to xxx.xxx.xxx.xxx
2009/10/02 01:39:32.709| fwdConnectStart: got TCP FD 16
2009/10/02 01:39:32.709| comm_add_close_handler: FD 16, handler=1,
data=0x861f204
2009/10/02 01:39:32.709| cbdataLock: 0x861f204=2
2009/10/02 01:39:32.709| cbdataLock: 0x861f204=3
2009/10/02 01:39:32.709| The AsyncCall SomeCloseHandler constructed,
this=0x84a84d0 [call1299]
2009/10/02 01:39:32.709| cbdataLock: 0x861f204=4
2009/10/02 01:39:32.709| cbdataUnlock: 0x861f204=3
2009/10/02 01:39:32.709| cbdataUnlock: 0x861f204=2
2009/10/02 01:39:32.709| comm_add_close_handler: FD 16, AsyncCall=0x84a84d0*1
2009/10/02 01:39:32.709| comm.cc(1189) commSetTimeout: FD 16 timeout 60
2009/10/02 01:39:32.710| cbdataLock: 0x861f204=3
2009/10/02 01:39:32.710| cbdataLock: 0x861f204=4
2009/10/02 01:39:32.710| The AsyncCall SomeTimeoutHandler constructed,
this=0x8637d98 [call1300]
2009/10/02 01:39:32.710| cbdataLock: 0x861f204=5
2009/10/02 01:39:32.710| cbdataUnlock: 0x861f204=4
2009/10/02 01:39:32.710| cbdataUnlock: 0x861f204=3
2009/10/02 01:39:32.710| comm.cc(1200) commSetTimeout: FD 16 timeout 60
2009/10/02 01:39:32.710| commConnectStart: FD 16, data 0x861f204,
www.whatismyip.com:80
2009/10/02 01:39:32.710| cbdataLock: 0x861f204=4
2009/10/02 01:39:32.710| cbdataLock: 0x861f204=5
2009/10/02 01:39:32.710| The AsyncCall SomeCommConnectHandler
constructed, this=0x849af30 [call1301]
2009/10/02 01:39:32.710| cbdataLock: 0x861f204=6
2009/10/02 01:39:32.710| cbdataUnlock: 0x861f204=5
2009/10/02 01:39:32.710| cbdataUnlock: 0x861f204=4
2009/10/02 01:39:32.710| commConnectStart: FD 16, cb 0x849af30*1,
www.whatismyip.com:80
2009/10/02 01:39:32.710| comm_add_close_handler: FD 16, handler=1,
data=0x862b4a4
2009/10/02 01:39:32.710| cbdataLock: 0x862b4a4=1
2009/10/02 01:39:32.710| cbdataLock: 0x862b4a4=2
2009/10/02 01:39:32.710| The AsyncCall SomeCloseHandler constructed,
this=0x860e330 [call1302]
2009/10/02 01:39:32.710| cbdataLock: 0x862b4a4=3
2009/10/02 01:39:32.710| cbdataUnlock: 0x862b4a4=2
2009/10/02 01:39:32.710| cbdataUnlock: 0x862b4a4=1
2009/10/02 01:39:32.710| comm_add_close_handler: FD 16, AsyncCall=0x860e330*1
2009/10/02 01:39:32.710| ipcache_nbgethostbyname: Name 'www.whatismyip.com'.
2009/10/02 01:39:32.710| ipcacheRelease: Releasing entry for
'www.whatismyip.com'
2009/10/02 01:39:32.710| ipcache_nbgethostbyname: MISS for 'www.whatismyip.com'
2009/10/02 01:39:32.710| cbdataLock: 0x862b4a4=2
2009/10/02 01:39:32.710| idnsALookup: buf is 36 bytes for
www.whatismyip.com, id = 0x2a64
2009/10/02 01:39:32.710| cbdataLock: 0x862f780=1
Squid works fine with the transparent option and this iptables rule:
iptables -t nat -A PREROUTING -i eth1 -p tcp --dport 80 -j REDIRECT --to-port 3129
What is the problem? Is it a problem in the kernel, iptables or Squid? Please help!!!
Thanks
Roman
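The http_access decisions buried in a debug trace like the one above can be pulled out mechanically. The following is an added example, not part of the original post and not Squid code: it rejoins the mail-wrapped lines and reports which rule decided each ACL checklist. The sample log is constructed in the shape of the trace (pointer values are made up), and the function names are this example's own.

```python
import re

# Constructed sample in the shape of the cache.log trace above, including the
# mail-wrapped continuation lines. Checklist pointers are made up.
SAMPLE_LOG = """\
2009/10/02 01:39:32.704| ACLChecklist::preCheck: 0x1000 checking
'http_access deny !Safe_ports'
2009/10/02 01:39:32.704| ACL::ChecklistMatches: result for 'Safe_ports' is 1
2009/10/02 01:39:32.704| aclmatchAclList: 0x1000 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.705| ACLChecklist::preCheck: 0x1000 checking
'http_access allow localhost'
2009/10/02 01:39:32.705| ACL::ChecklistMatches: result for 'localhost' is 0
2009/10/02 01:39:32.705| aclmatchAclList: 0x1000 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.705| ACLChecklist::preCheck: 0x1000 checking
'http_access allow Customers'
2009/10/02 01:39:32.705| ACL::ChecklistMatches: result for 'Customers' is 1
2009/10/02 01:39:32.705| aclmatchAclList: 0x1000 returning true
(AND list satisfied)
2009/10/02 01:39:32.705| ACLChecklist::checkCallback: 0x1000 answer=1
2009/10/02 01:39:32.706| ACLChecklist::preCheck: 0x2000 checking
'no_cache deny QUERY'
2009/10/02 01:39:32.706| ACL::ChecklistMatches: result for 'QUERY' is 0
2009/10/02 01:39:32.706| aclmatchAclList: 0x2000 returning false
(AND list entry failed to match)
2009/10/02 01:39:32.706| ACLChecklist::checkCallback: 0x2000 answer=1
"""

TIMESTAMP = re.compile(r"^\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}\| ")
PRECHECK = re.compile(r"ACLChecklist::preCheck: (0x[0-9a-f]+) checking '([^']+)'")
ACL_RESULT = re.compile(r"ACL::ChecklistMatches: result for '([^']+)' is ([01])")
LIST_RESULT = re.compile(r"aclmatchAclList: (0x[0-9a-f]+) returning (true|false)")
ANSWER = re.compile(r"ACLChecklist::checkCallback: (0x[0-9a-f]+) answer=(\d+)")


def unwrap(text):
    """Rejoin wrapped lines: a line without a timestamp continues the previous
    record. Joining with a space is right for wraps at word boundaries, which
    is how the ACL lines are wrapped; mid-token wraps are not repaired."""
    records = []
    for line in text.splitlines():
        if TIMESTAMP.match(line):
            records.append(TIMESTAMP.sub("", line).rstrip())
        elif records and line.strip():
            records[-1] += " " + line.strip()
    return records


def trace_acl(text):
    """Map checklist pointer -> {'rules': [...], 'answer': int or None}.
    Each rule records the directive line, the individual ACL results, and
    whether the whole AND list matched."""
    checklists = {}
    current = None
    for record in unwrap(text):
        m = PRECHECK.search(record)
        if m:
            current = {"rule": m.group(2), "acls": [], "matched": None}
            entry = checklists.setdefault(m.group(1), {"rules": [], "answer": None})
            entry["rules"].append(current)
            continue
        m = ACL_RESULT.search(record)
        if m and current is not None:
            current["acls"].append((m.group(1), m.group(2) == "1"))
            continue
        m = LIST_RESULT.search(record)
        if m and current is not None:
            current["matched"] = m.group(2) == "true"
            continue
        m = ANSWER.search(record)
        if m and m.group(1) in checklists:
            checklists[m.group(1)]["answer"] = int(m.group(2))
    return checklists


def deciding_rule(checklist):
    """Return the first rule whose whole ACL list matched, or None."""
    for rule in checklist["rules"]:
        if rule["matched"]:
            return rule["rule"]
    return None


if __name__ == "__main__":
    for pointer, checklist in trace_acl(SAMPLE_LOG).items():
        print(pointer, "answer:", checklist["answer"],
              "decided by:", deciding_rule(checklist))
        for rule in checklist["rules"]:
            print("   ", "MATCH" if rule["matched"] else "skip ",
                  rule["rule"], rule["acls"])
```

The `!Safe_ports` rule shows why the per-ACL result alone is not enough: the ACL itself matches, but the negated rule does not, so evaluation continues to the next http_access line.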
Hello everyone,
I'm using Patch cttproxy-2.6.18-2.0.6 + Squid 2.6-5 + Iptables 3.6.0 +
Kernel 2.6.18-6. + Thundercache 2.1
I've based my experience on
http://web.suffieldacademy.org/ils/netadmin/docs/software/squid/#toc11
The whole thing is working very well, I can cache videos from youtube and
most of the video websites. The clients do everything on the internet with
their own IP addresses.
BUT, my squid cache is not working properly. It caches everything but when
we try to use the cache it doesn't work.
Please, check my squid.conf:
http_port 3128 tproxy transparent
visible_hostname proxy
cache_mem 20 MB
maximum_object_size_in_memory 5 MB
maximum_object_size 600 MB
minimum_object_size 0 KB
cache_swap_low 90
cache_swap_high 95
cache_dir ufs /cache01/squid 2048 16 256
cache_access_log /var/log/squid/access.log
refresh_pattern ^ftp: 15 20% 2280
refresh_pattern ^gopher: 15 0% 2280
refresh_pattern . 15 20% 2280
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl SSL_ports port 443 563
acl Safe_ports port 21 80 443 563 70 210 280 488 59 777 901 1025-65535
acl purge method PURGE
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access allow purge localhost
http_access deny purge
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
acl redelocal src xxx.xxx.xxx.0/24
acl externo src xxx.xxx.xxx.xxx
http_access allow externo
http_access allow localhost
http_access allow redelocal
http_access deny all
acl local1 src xxx.xxx.xxx.0/24
tcp_outgoing_address ip_squid local1
url_rewrite_children 200
acl store_rewrite_list url_regex -i "/etc/squid/thunder.lst"
url_rewrite_access allow store_rewrite_list
url_rewrite_access deny all
url_rewrite_program /etc/squid/loader.php
#url_rewrite_access allow store_rewrite_list
#url_rewrite_access deny all
#url_rewrite_program /etc/squid/loader.php
# deny caching of local content, to avoid duplication
acl localcache dstdomain ip_squid
cache deny localcache
# Block ICP and HTCP - used to talk to other caches hierarchically
icp_port 0
htcp_port 0
icp_access deny all
htcp_access deny all
# Disable SNMP
snmp_port 0
snmp_access deny all
cache_effective_user proxy
cache_effective_group proxy
#Extras
detect_broken_pconn on
pipeline_prefetch on
--------------------------------------------------------------------------------------------------------------------------------
Iptables Rule:
iptables -t tproxy -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
On Fri, 2009-09-04 at 18:07 +1200, Amos Jeffries wrote:
> Balazs Scheidler wrote:
> > [ Sorry if this reaches you twice, I sent to the wrong address the first time ]
> >
> > I've just pushed a set of patches that implement TProxy for IPv6 to
> >
> > http://git.balabit.hu/bazsi/tproxy-2.6.git
> >
> > The patches are also posted in reply to this mail.
> >
> > Although some work is still needed, basic testing shows that it works all
> > right.
> >
> > The accompanying iptables patches are available at
> >
> > http://git.balabit.hu/bazsi/iptables-tproxy.git
> >
> > There are some things left to do:
> >
> > * the recognition of related ICMPv6 packets missing (from xt_socket.c)
> >
> > * I should probably split xt_TPROXY/xt_socket to IPv4 and IPv6 modules, as
> > right now those depend on both stacks at the same time.
> >
> > I'm on a holiday right now, thus I might not respond to comments in a timely
> > manner, however I'm interested in any comments/feedback nevertheless.
> >
> > Harry, I didn't remember that you actually wanted to work on TProxy for
> > IPv6, I just vaguely remembered that there was someone asking for IPv6
> > support, thus I implemented this without being in the know. If you started
> > hacking, I hope that we didn't completely duplicate effort. I'd appreciate
> > help in the missing bits and/or testing whichever fits you best.
> >
> > Also, I have written a Python test script to test TProxy functionality
> > automatically both for IPv4 and IPv6, I can post that as well if anyone is
> > interested.
>
> I'm interested :)
>
> Now that you have done this I'm going to have to find a robust userland
> run-time test to see if the underlying TPROXY is v4-only or v6-enabled.
> If anyone has suggestions they would be welcome.
>
> Thank you very much by the way.
The script I wrote is not a runtime test, it is a functional test that
tests various TPROXY scenarios for proper functionality.
It basically assumes that:
1) you run it on the 'client' host, and it has ssh connectivity to the
'tproxy' host
2) it assumes that IP/route configuration is already prepared
3) it uses hardwired IP addresses, but generates iptables/ip6tables
rules automatically
I used a virtual machine running on my development computer to do the
testing.
IPV6 topology:
dead:1::1/64 is the client
dead:1::2/64 is the proxy box
dead:2::1/64 is the server behind the proxy box
The script basically copies an agent script to the other box
(test-agent.py) and uses that to change iptables config/start listeners
as needed. Then initiates tcp/udp connections to the target host and
checks if the proper listener received the new connection or a bogus
one.
I'm not that responsive these days, but I'm glad to help.
Last but not least, here's the gitweb interface:
http://git.balabit.hu/?p=bazsi/tproxy-test.git;a=summary
and the git URL
git://git.balabit.hu/bazsi/tproxy-test.git
--
Bazsi
G'day
Hello, one of my servers (FC11 x64) running TProxy with a combination of
iptables + ebtables rules crashed during peak hours, giving an error such as
"kernel panic". When I replaced tproxy with netfilter and removed the
ebtables rules, using just simple iptables with NAT rules, everything was fine.
Has anyone faced this issue before? Find my configuration below.
Kernel =2.6.29.6-217.2.8.fc11.x86_64
O/S= FC 11 x64 Intel based
iptables= v1.4.3.1
ebtables= v2.0.9-1
firewall.conf
#!/bin/sh
IPTABLES=/sbin/iptables
EBTABLES=/sbin/ebtables
EXTDEV="eth0"
INTDEV="eth1"
SERVERIP="xxx.xxx.xxx.15"
${EBTABLES} -t broute -F
${EBTABLES} -t broute -A BROUTING -i $EXTDEV -p ipv4 --ip-protocol tcp --ip-source-port 80 -j redirect --redirect-target DROP
${EBTABLES} -t broute -A BROUTING -i $INTDEV -p ipv4 --ip-protocol tcp --ip-destination-port 80 -j redirect --redirect-target DROP
${IPTABLES} -F
${IPTABLES} -F -t nat
${IPTABLES} -F -t mangle
${IPTABLES} -v -t mangle -N DIVERT
${IPTABLES} -v -t mangle -A DIVERT -j MARK --set-mark 1
${IPTABLES} -v -t mangle -A DIVERT -j ACCEPT
${IPTABLES} -v -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
${IPTABLES} -v -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
${IPTABLES} -I INPUT -s $SERVERIP -i br0 -j REJECT
${IPTABLES} -A INPUT -m state --state INVALID -j DROP
${IPTABLES} -A INPUT -s xxx.xxx.xxx.0/24 -j ACCEPT
${IPTABLES} -I INPUT -i lo -j ACCEPT
${IPTABLES} -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
${IPTABLES} -A INPUT -j DROP
ip rule add fwmark 1 lookup 100
ip route add local 0.0.0.0/0 dev lo table 100
sysctl -w net.ipv4.ip_nonlocal_bind=1
sysctl -w net.ipv4.ip_forward=1
31 Aug '09
On Sun, 2009-08-30 at 14:26 +0200, Jan Engelhardt wrote:
> On Friday 2009-08-28 07:56, Balazs Scheidler wrote:
> >+++ b/include/linux/netfilter/xt_socket.h
> >@@ -0,0 +1,8 @@
> >+#ifndef _XT_SOCKET_H_match
> >+#define _XT_SOCKET_H_match
> >+
> >+struct xt_socket_match_info1 {
> >+ __u8 transparent:1;
> >+};
> >+
> >+#endif /* _XT_SOCKET_H_match */
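Review bot: the new header uses __u8 in struct xt_socket_match_info1 but the eight added lines contain no #include, so the file only compiles when the includer has already pulled in <linux/types.h>; add that include directly under the guard. The struct name also differs from the xt_socket_mtinfo1 that the reply below quotes from the kernel, and the guard macro _XT_SOCKET_H_match mixes upper and lower case; aligning both with the kernel header keeps the userspace copy and the kernel copy comparable.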
>
> Bitfields are a no-no in the ABI.
>
Oops, I took that patch from an ancient userspace patch created earlier
by Panther.
It did work for me, as the kernel uses:
enum {
	XT_SOCKET_TRANSPARENT = 1 << 0,
};
struct xt_socket_mtinfo1 {
	__u8 flags;
};
Thanks for noticing.
--
Bazsi
I am having some trouble redirecting port 80 traffic to 3129 using
tproxy for transparent proxying.
The SYNs come in but there is no SYN-ACK going out.
Please help me !!!!!
My server has only a single interface with global IP addresses, which
connects directly to the internet.
> Detailed information from my server
> #######################################################################
> ###############
> Squid Cache: Version 3.1.0.13
> configure options: '--enable-linux-netfilter' '--prefix=/squid/'
> --with-squid=/src/squid-3.1.0.13 --enable-ltdl-convenience
> [root@proxymain sysconfig]# cat /squid/etc/squid.conf
> acl manager proto cache_object
> acl localhost src 127.0.0.1/32
> acl to_localhost dst 127.0.0.0/8
> acl test src 85.132.47.0/24
> acl test2 src 85.132.32.0/24
> acl test3 src 62.212.227.0/24
> acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
> acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
> acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
> acl SSL_ports port 443
> acl Safe_ports port 80 # http
> acl Safe_ports port 21 # ftp
> acl Safe_ports port 443 # https
> acl Safe_ports port 70 # gopher
> acl Safe_ports port 210 # wais
> acl Safe_ports port 1025-65535 # unregistered ports
> acl Safe_ports port 280 # http-mgmt
> acl Safe_ports port 488 # gss-http
> acl Safe_ports port 591 # filemaker
> acl Safe_ports port 777 # multiling http
> acl Safe_ports port 3129
> acl CONNECT method CONNECT
> http_access allow manager localhost
> http_access deny manager
> http_access deny !Safe_ports
> http_access deny CONNECT !SSL_ports
> http_access allow localnet
> http_access allow localhost
> http_access allow test
> http_access allow test2
> http_access allow test3
> http_access deny all
> http_port 3128
> http_port 3129 tproxy
> hierarchy_stoplist cgi-bin ?
> coredump_dir /squid/var/cache
> refresh_pattern ^ftp: 1440 20% 10080
> refresh_pattern ^gopher: 1440 0% 1440
> refresh_pattern -i (/cgi-bin/|\?) 0 0% 0
> refresh_pattern . 0 20% 4320
> cache_effective_user squid
> cache_effective_group squid
> visible_hostname proxymain
> cache_dir ufs /cache 6000 16 256
> ######################################################################
> [root@proxymain sysconfig]# iptables -V (DOWNLOADED FROM
> NETFILTER.ORG-NOT PATCHED)
> iptables v1.4.3
> #######################################################################
> [root@proxymain sysconfig]# uname -a (DOWNLOADED FROM KERNEL.ORG -
> WITHOUT ANY PATCHES FROM BALABIT)
> Linux 2.6.30.5-second #1 SMP Sun Aug 30 22:45:27 AZST 2009 x86_64 x86_64 x86_64 GNU/Linux
> #######################################################################
> Chain PREROUTING (policy ACCEPT)
> target prot opt source destination
> DIVERT tcp -- anywhere anywhere socket
> TPROXY tcp -- anywhere anywhere tcp
> dpt:80 TPROXY redirect 0.0.0.0:3129 mark 0x1/0x1
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
> Chain POSTROUTING (policy ACCEPT)
> target prot opt source destination
> Chain DIVERT (1 references)
> target prot opt source destination
> MARK all -- anywhere anywhere MARK xset 0x1/0xffffffff
> ACCEPT all -- anywhere anywhere
> #######################################################################
> [root@proxymain sysconfig]# ip rule ls
> 0: from all lookup 255
> 32765: from all fwmark 0x1 lookup 100
> 32766: from all lookup main
> 32767: from all lookup default
> #####################################################################
> [root@proxymain sysconfig]# ip route ls table 100
> local default dev lo scope host
> #####################################################################
> [root@proxymain sysconfig]# lsmod | egrep "xt|nf"
> nf_nat 18924 1 iptable_nat
> nf_conntrack_ipv4 14448 3 iptable_nat,nf_nat
> xt_TPROXY 2616 1
> xt_tcpudp 3544 1
> xt_MARK 3064 1
> xt_socket 2904 1
> nf_tproxy_core 3160 2 xt_TPROXY,xt_socket,[permanent]
> nf_conntrack 68208 4
> iptable_nat,nf_nat,nf_conntrack_ipv4,xt_socket
> nf_defrag_ipv4 2456 3 nf_conntrack_ipv4,xt_TPROXY,xt_socket
> x_tables 22624 6
> iptable_nat,ip_tables,xt_TPROXY,xt_tcpudp,xt_MARK,xt_socket
> i2c_nforce2 7768 0
> i2c_core 25568 1 i2c_nforce2
> ext3 123528 2
> jbd 46848 1 ext3
>
> ######################################################################
> [root@proxymain sysconfig]# tcpdump -nn -i eth0 port 80
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
> 00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S
> 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK>
> 00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S
> 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK>
> 00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535
> 00:12:02.407937 IP 85.132.32.40.1532 > 85.132.32.34.80: P 1:413(412) ack 1 win 65535
> 00:12:02.407971 IP 85.132.32.34.80 > 85.132.32.40.1532: . ack 413 win 6432
> 00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 0,nop,wscale 7>
> 00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 0,nop,wscale 7>
> 00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 0,nop,wscale 7>
> 00:12:23.406682 IP 85.132.32.40.42747 > 194.87.0.50.80: S
> 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4190685 0,nop,wscale 7>
> #######################################################################
> ##
> 2009/08/30 23:31:56| Starting Squid Cache version 3.1.0.13 for x86_64-unknown-linux-gnu...
> 2009/08/30 23:31:56| Process ID 12787
> 2009/08/30 23:31:56| With 1024 file descriptors available
> 2009/08/30 23:31:56| Initializing IP Cache...
> 2009/08/30 23:31:56| DNS Socket created at 0.0.0.0, FD 7
> 2009/08/30 23:31:56| Adding domain caspel.com from /etc/resolv.conf
> 2009/08/30 23:31:56| Adding nameserver 85.132.32.41 from /etc/resolv.conf
> 2009/08/30 23:31:56| Adding nameserver 85.132.32.42 from /etc/resolv.conf
> 2009/08/30 23:31:56| Unlinkd pipe opened on FD 12
> 2009/08/30 23:31:56| Store logging disabled
> 2009/08/30 23:31:56| Swap maxSize 6144000 + 262144 KB, estimated 492780 objects
> 2009/08/30 23:31:56| Target number of buckets: 24639
> 2009/08/30 23:31:56| Using 32768 Store buckets
> 2009/08/30 23:31:56| Max Mem size: 262144 KB
> 2009/08/30 23:31:56| Max Swap size: 6144000 KB
> 2009/08/30 23:31:56| Version 1 of swap file without LFS support detected...
> 2009/08/30 23:31:56| Rebuilding storage in /cache (CLEAN)
> 2009/08/30 23:31:56| Using Least Load store dir selection
> 2009/08/30 23:31:56| Set Current Directory to /squid/var/cache
> 2009/08/30 23:31:56| Loaded Icons.
> 2009/08/30 23:31:56| Accepting HTTP connections at 0.0.0.0:3128, FD 15.
> 2009/08/30 23:31:56| Accepting spoofing HTTP connections at 0.0.0.0:3129, FD 16.
> 2009/08/30 23:31:56| HTCP Disabled.
> 2009/08/30 23:31:56| Squid modules loaded: 0
> 2009/08/30 23:31:56| Ready to serve requests.
> 2009/08/30 23:31:56| Done reading /cache swaplog (0 entries)
> 2009/08/30 23:31:56| Finished rebuilding storage from disk.
> 2009/08/30 23:31:56| 0 Entries scanned
> 2009/08/30 23:31:56| 0 Invalid entries.
> 2009/08/30 23:31:56| 0 With invalid flags.
> 2009/08/30 23:31:56| 0 Objects loaded.
> 2009/08/30 23:31:56| 0 Objects expired.
> 2009/08/30 23:31:56| 0 Objects cancelled.
> 2009/08/30 23:31:56| 0 Duplicate URLs purged.
> 2009/08/30 23:31:56| 0 Swapfile clashes avoided.
> 2009/08/30 23:31:56| Took 0.01 seconds ( 0.00 objects/sec).
> 2009/08/30 23:31:56| Beginning Validation Procedure
> 2009/08/30 23:31:56| Completed Validation Procedure
> 2009/08/30 23:31:56| Validated 25 Entries
> 2009/08/30 23:31:56| store_swap_size = 0
> 2009/08/30 23:31:57| storeLateRelease: released 0 objects
> [root@proxymain sysconfig]#
> 1251655621.226 155982 85.132.32.40 TCP_MISS/503 4143 GET
> http://www.squid-cache.org/Artwork/SN.png -
> DIRECT/www.squid-cache.org text/html
> 1251655621.226 107693 85.132.47.219 TCP_MISS/503 4151 GET
> http://www.squid-cache.org/Artwork/SN.png -
> DIRECT/www.squid-cache.org text/html
> 1251655621.230 0 85.132.32.40 TCP_MISS/503 4143 GET
> http://www.squid-cache.org/Artwork/SN.png -
> DIRECT/www.squid-cache.org text/html
> 1251655646.107 6457 85.132.47.219 TCP_MISS/000 0 GET
> http://www.google.az/ - DIRECT/www.google.az -
> 1251655658.226 60014 85.132.47.219 TCP_MISS/504 4510 POST
> http://safebrowsing.clients.google.com/safebrowsing/downloads? -
> DIRECT/safebrowsing.clients.google.com text/html
> 1251656346.912 21227 85.132.32.40 TCP_MISS/000 0 GET
> http://194.87.0.50/ - DIRECT/194.87.0.50 -
> 1251656526.724 179798 85.132.32.40 TCP_MISS/504 3977 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251656586.724 59968 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251656867.544 88637 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657043.812 176266 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657101.539 60109 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657207.136 64675 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251657387.522 180384 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657567.525 179983 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251657569.936 9407 85.132.47.219 TCP_MISS/000 0 GET
> http://85.132.32.34/ - DIRECT/85.132.32.34 -
> 1251657725.527 180669 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251657905.534 179988 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251658194.669 112560 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251658283.066 88394 85.132.32.40 TCP_MISS/000 0 GET http://www.ru/ - DIRECT/www.ru -
> 1251658463.543 180476 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
> 1251658643.547 179986 85.132.32.40 TCP_MISS/504 4069 GET
> http://www.squid-cache.org/Artwork/SN.png - DIRECT/12.160.37.9 text/html
> 1251659072.554 60493 85.132.32.40 TCP_MISS/504 4473 POST
> http://safebrowsing.clients.google.com/safebrowsing/downloads? - DIRECT/74.125.87.100 text/html
> 1251659703.563 181155 85.132.32.40 TCP_MISS/504 4018 GET
> http://www.ru/ - DIRECT/194.87.0.50 text/html
--
Best regards,
Farhad mailto:inara.ibragimova@gmail.com
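The tcpdump capture quoted in the post above can be checked mechanically. The following is an added example, not part of the original post or of Squid/TProxy: it groups the SYNs into flows, marks which ones were answered, and compares each SYN's window and TCP option set to tell a client's own connection from a SYN built on the proxy box with that client's source address. The function names and the proxy_ip parameter (85.132.32.34, the destination of the client's SYN in the capture) are assumptions of this example.

```python
import re

# Capture lines from the post above, with the mail client's line wraps rejoined.
CAPTURE = """\
00:12:02.402611 IP 85.132.32.40.1532 > 85.132.32.34.80: S 3187993921:3187993921(0) win 65535 <mss 1460,nop,nop,sackOK>
00:12:02.403087 IP 85.132.32.34.80 > 85.132.32.40.1532: S 3741385741:3741385741(0) ack 3187993922 win 5840 <mss 1460,nop,nop,sackOK>
00:12:02.402697 IP 85.132.32.40.1532 > 85.132.32.34.80: . ack 1 win 65535
00:12:02.407937 IP 85.132.32.40.1532 > 85.132.32.34.80: P 1:413(412) ack 1 win 65535
00:12:02.407971 IP 85.132.32.34.80 > 85.132.32.40.1532: . ack 413 win 6432
00:12:02.408389 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4169685 0,nop,wscale 7>
00:12:05.407861 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4172685 0,nop,wscale 7>
00:12:11.407465 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4178685 0,nop,wscale 7>
00:12:23.406682 IP 85.132.32.40.42747 > 194.87.0.50.80: S 3750675832:3750675832(0) win 5840 <mss 1460,sackOK,timestamp 4190685 0,nop,wscale 7>
"""

# Old-style tcpdump TCP line: time, "IP", src.port > dst.port:, flags, rest.
LINE = re.compile(r"^(\d+):(\d+):(\d+\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): (\S+) (.*)$")
WIN = re.compile(r"\bwin (\d+)")
OPTS = re.compile(r"<([^>]*)>")


def option_names(rest):
    """TCP option kinds of a SYN, values dropped (timestamps change per packet)."""
    m = OPTS.search(rest)
    return tuple(o.split()[0] for o in m.group(1).split(",")) if m else ()


def analyse(capture, proxy_ip):
    """Group SYNs into flows, mark the answered ones and classify each leg."""
    flows = {}
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m or "S" not in m.group(8):
            continue  # not a TCP line, or a segment without the SYN flag
        h, mi, s, src, sport, dst, dport, _flags, rest = m.groups()
        if re.search(r"\back \d+", rest):  # SYN-ACK: answers the reverse flow
            fwd = flows.get((dst, dport, src, sport))
            if fwd:
                fwd["answered"] = True
            continue
        win = WIN.search(rest)
        f = flows.setdefault((src, sport, dst, dport), {
            "src": src, "dst": dst, "times": [], "answered": False,
            "stack": (win.group(1) if win else None, option_names(rest))})
        f["times"].append(int(h) * 3600 + int(mi) * 60 + float(s))
    # SYN fingerprint each real client presents when it talks to the proxy itself.
    clients = {f["src"]: f["stack"] for f in flows.values() if f["dst"] == proxy_ip}
    report = []
    for f in flows.values():
        if f["dst"] == proxy_ip:
            leg = "client->proxy"
        elif f["src"] in clients and f["stack"] != clients[f["src"]]:
            # Same source IP but a different TCP stack: assumed to be built on
            # the proxy box with the client's address (the tproxy upstream leg).
            leg = "proxy->origin (spoofed source)"
        else:
            leg = "forwarded/other"
        gaps = [round(b - a) for a, b in zip(f["times"], f["times"][1:])]
        report.append({"flow": "%s -> %s" % (f["src"], f["dst"]), "leg": leg,
                       "syns": len(f["times"]), "answered": f["answered"],
                       "retransmit_gaps_s": gaps})
    return report


if __name__ == "__main__":
    for row in analyse(CAPTURE, proxy_ip="85.132.32.34"):
        print(row)
```

On the posted capture this reports the client-to-proxy SYN as answered, and the SYN from 85.132.32.40 to 194.87.0.50 as sent four times with doubling gaps and no SYN-ACK seen on eth0.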
Re: [tproxy] [PATCH 03/11] TProxy: reuse a 32bit hole in struct ipv6_pinfo
by Balazs Scheidler 30 Aug '09
On Sat, 2009-08-29 at 18:46 +0200, Jan Engelhardt wrote:
> On Sunday 2009-08-23 11:02, Balazs Scheidler wrote:
>
> >While looking for a place to add a new bitfield in ipv6_pinfo,
> >I've found a 32 bit hole (in 64 bit mode) at the beginning of the struct.
> >Since dst_cookie is used in the output fastpath, I've moved this field to
> >fill the hole, thus decreasing the struct size on 64 bit platforms by
> >4 bytes.
>
> Hm? I do not see a size reduction. pahole(1) tells me [for a base of
> v2.6.31-rc1-103-g644fc2c] the size is the same before and after.
You are right. I was inserting another bitfield and with that the size
didn't grow. In the end the bitfield wasn't needed, but I still felt
that dst_cookie should be moved to the first cacheline. It is used in
the output fastpath.
However, since that's not necessarily worth it in itself, I can completely
drop this patch.
An updated version follows.
By the way, what should be the proper procedure for posting patches that
are tproxy specific but touch the core networking code? Should those go
through Patrick, or should I just post them to netdev? Or just
cross-post the patch series to both lists?
commit 5ddc846b926be02c6cab93406d6e8adb1e3c9124
Author: Balazs Scheidler <bazsi(a)balabit.hu>
Date: Sun Aug 30 08:52:01 2009 +0200
TProxy: move dst_cookie to the first cacheline in ipv6_pinfo
While looking for a place to add a new bitfield in ipv6_pinfo,
I've found a 32 bit hole (in 64 bit mode) at the beginning of the struct.
Since dst_cookie is used in the output fastpath, I've moved this field to
fill the hole. The original place of dst_cookie is now empty, but
can become a place to add further fields to the struct.
Signed-off-by: Balazs Scheidler <bazsi(a)balabit.hu>
diff --git a/include/linux/ipv6.h b/include/linux/ipv6.h
index c662efa..be4c9c6 100644
--- a/include/linux/ipv6.h
+++ b/include/linux/ipv6.h
@@ -285,6 +285,7 @@ struct ipv6_pinfo {
struct in6_addr saddr;
struct in6_addr rcv_saddr;
struct in6_addr daddr;
+ __u32 dst_cookie;
struct in6_pktinfo sticky_pktinfo;
struct in6_addr *daddr_cache;
#ifdef CONFIG_IPV6_SUBTREES
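Review bot: the added __u32 dst_cookie between daddr and sticky_pktinfo has no comment saying why it sits there, so a later cleanup that groups the address fields together could move it back out without anyone noticing. A one-line comment next to the field stating that it is read in the output fastpath and is kept in the first cacheline would record the intent the commit message gives. The commit message should also say that the placement argument is about 64-bit builds only, since that is the only layout it discusses.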
@@ -348,7 +349,7 @@ struct ipv6_pinfo {
*/
__u8 tclass;
- __u32 dst_cookie;
+ /* 32 bits hole on 64 bit platforms */
struct ipv6_mc_socklist *ipv6_mc_list;
struct ipv6_ac_socklist *ipv6_ac_list;
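Review bot: the replacement comment "/* 32 bits hole on 64 bit platforms */" after tclass describes padding that nothing enforces, so it becomes wrong as soon as someone adds a member before ipv6_mc_list and forgets to delete it. Either drop the comment and leave the layout to pahole, or word it as an invitation ("room for a 32 bit field here on 64 bit") so that it reads as a hint rather than a fact. Since this hunk only trades one hole for another, the subject line of the series entry ("reuse a 32bit hole") should be updated everywhere to the "move dst_cookie" wording used in this commit.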
>
>
> --- p.1 2009-08-29 18:45:37.996787299 +0200
> +++ p.2 2009-08-29 18:43:08.152753849 +0200
> @@ -21824,10 +21824,8 @@ struct ipv6_pinfo {
> struct in6_addr saddr; /* 0 16 */
> struct in6_addr rcv_saddr; /* 16 16 */
> struct in6_addr daddr; /* 32 16 */
> - struct in6_pktinfo sticky_pktinfo; /* 48 20 */
> -
> - /* XXX 4 bytes hole, try to pack */
> -
> + __u32 dst_cookie; /* 48 4 */
> + struct in6_pktinfo sticky_pktinfo; /* 52 20 */
> /* --- cacheline 1 boundary (64 bytes) was 8 bytes ago --- */
> struct in6_addr * daddr_cache; /* 72 8 */
> struct in6_addr * saddr_cache; /* 80 8 */
> @@ -21862,7 +21860,9 @@ struct ipv6_pinfo {
> __u8 ipv6only:1; /* 106: 3 1 */
> __u8 srcprefs:3; /* 106: 0 1 */
> __u8 tclass; /* 107 1 */
> - __u32 dst_cookie; /* 108 4 */
> +
> + /* XXX 4 bytes hole, try to pack */
> +
> struct ipv6_mc_socklist * ipv6_mc_list; /* 112 8 */
> struct ipv6_ac_socklist * ipv6_ac_list; /* 120 8 */
> /* --- cacheline 2 boundary (128 bytes) --- */
>
--
Bazsi
This patchset implements support for the IPv6 TProxy functionality. It also
includes the still missing option to the socket match (--transparent) which
is already present in the kernel but not in the userspace sources.
Balazs Scheidler (2):
TProxy: added IPv6 support for socket match
TProxy: added IPv6 support to the TPROXY target
extensions/libxt_TPROXY.c | 213 +++++++++++++++++++++++++++++------
extensions/libxt_socket.c | 103 ++++++++++++++++--
extensions/libxt_socket.man | 6 +-
include/linux/netfilter/xt_TPROXY.h | 15 ++-
include/linux/netfilter/xt_socket.h | 8 ++
5 files changed, 295 insertions(+), 50 deletions(-)
create mode 100644 include/linux/netfilter/xt_socket.h
I've just pushed a set of patches that implement TProxy for IPv6 to
http://git.balabit.hu/bazsi/tproxy-2.6.git
The patches are also posted in reply to this mail.
Although some work is still needed, basic testing shows that it works all
right.
The accompanying iptables patches are available at
http://git.balabit.hu/bazsi/iptables-tproxy.git
There are some things left to do:
* the recognition of related ICMPv6 packets is missing (from xt_socket.c)
* I should probably split xt_TPROXY/xt_socket to IPv4 and IPv6 modules, as
right now those depend on both stacks at the same time.
I'm on a holiday right now, thus I might not respond to comments in a timely
manner, however I'm interested in any comments/feedback nevertheless.
Harry, I didn't remember that you actually wanted to work on TProxy for
IPv6, I just vaguely remembered that there was someone asking for IPv6
support, thus I implemented this without being in the know. If you started
hacking, I hope that we didn't completely duplicate effort. I'd appreciate
help in the missing bits and/or testing whichever fits you best.
Also, I have written a Python test script to test TProxy functionality
automatically both for IPv4 and IPv6, I can post that as well if anyone is
interested.
Balazs Scheidler (11):
TProxy: kick out TIME_WAIT sockets in case a new connection comes in
with the same tuple
TProxy: add lookup type checks for UDP in nf_tproxy_get_sock_v4()
TProxy: reuse a 32bit hole in struct ipv6_pinfo
TProxy: split off ipv6 defragmentation to a separate module
TProxy: added const specifiers to udp lookup functions
TProxy: added udp6_lib_lookup function
TProxy: implement IPv6 "local" routing type
TProxy: allow non-local binds of IPv6 sockets if IP_TRANSPARENT is
enabled
TProxy: added IPv6 socket lookup function to nf_tproxy_core
TProxy: added IPv6 support to the TPROXY target
TProxy: added IPv6 support to the socket match
include/linux/ipv6.h | 3 +-
include/linux/netfilter/xt_TPROXY.h | 15 +-
include/net/netfilter/ipv6/nf_defrag_ipv6.h | 6 +
include/net/netfilter/nf_tproxy_core.h | 192 +++++++++++++++++++-
include/net/udp.h | 3 +
net/ipv6/af_inet6.c | 2 +-
net/ipv6/netfilter/Makefile | 5 +-
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 58 +------
net/ipv6/netfilter/nf_conntrack_reasm.c | 12 +-
net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 109 +++++++++++
net/ipv6/route.c | 6 +-
net/ipv6/udp.c | 16 ++-
net/netfilter/nf_tproxy_core.c | 35 ----
net/netfilter/xt_TPROXY.c | 239 +++++++++++++++++++++---
net/netfilter/xt_socket.c | 113 +++++++++++-
15 files changed, 675 insertions(+), 139 deletions(-)
create mode 100644 include/net/netfilter/ipv6/nf_defrag_ipv6.h
create mode 100644 net/ipv6/netfilter/nf_defrag_ipv6_hooks.c