# squid does not work in transparent mode on >4.14 [SOLVED]

## DawgG

since this issue has caused me some trouble i hope this might save somebody some work or trouble.

we run a separate network for wireless-BYODs which is managed by a separate appliance (which allows traffic only with auth) and connected the productive network by a NAT-firewall. the NAT-firewall mangles the packets directed to port 80 and sends them to a squid-proxy listening in transparent mode. this setup ran happily for quite a while.

some time ago users started reporting strange errors, i cannot exactly say when but i suspect it started after an upgrade to kernel 4.12 or 4.14.

users could log in but only get traffic on port 443 (and some other allowed ports which were not used); port 80 would immediately produce a connection reset. testing of the appliance and the NAT-firewall produced no results, so finally i checked the proxy.

netstat showed lots of connections to the NAT-fw but cache.log had lots of entries like this:

```
2018/01/17 08:46:37 kid1| ERROR: NF getsockopt(ORIGINAL_DST) failed on local=IP.OF.SQUID.PROXY:3128 remote=IP.OF.NAT.FW:36265 FD 46 flags=33: (2) No such file or directory
2018/01/17 08:46:37 kid1| ERROR: NAT/TPROXY lookup failed to locate original IPs on local=IP.OF.SQUID.PROXY:3128 remote=IP.OF.NAT.FW:36265 FD 46 flags=33
```

i was certain all configs had been thoroughly updated but i checked again and found that the mandatory CONFIG_NETFILTER_XT_MATCH_SOCKET was not set. when i tried to set it i found that this option does not exist in 4.14.

i downgraded to 4.9.76 (latest stable amd64 in portage), checked and set the relevant options and now everything works as desired again.

----------

## Hu

Thank you for posting this warning.  However, I don't understand why you consider it solved.  You will eventually need to upgrade to a newer kernel, and your solution so far seems to be to freeze the system on the last known good kernel.

Looking at the Kconfig entry, I disagree that this option does not exist in 4.14.x.  Perhaps it gained some new dependency that you did not enable, so it was hidden from you.

```
config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	depends on NF_SOCKET_IPV4
	depends on NF_SOCKET_IPV6
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
```

```
config NETFILTER_XT_MATCH_SOCKET
	tristate '"socket" match support'
	depends on NETFILTER_XTABLES
	depends on NETFILTER_ADVANCED
	depends on !NF_CONNTRACK || NF_CONNTRACK
	depends on IPV6 || IPV6=n
	depends on IP6_NF_IPTABLES || IP6_NF_IPTABLES=n
	select NF_DEFRAG_IPV4
	select NF_DEFRAG_IPV6 if IP6_NF_IPTABLES != n
	help
	  This option adds a `socket' match, which can be used to match
```

----------

## DawgG

Well thanks for insisting :wink: 

you are right!

(i was using 4.14.8.)

with all the users off my back i managed to look thru it with more time and found it.

it has a dep on NF_DEFRAG_IPV6 and since i do not use ipv6 (yet) i keep its config in the kernel to a minimum. this option was only selectable after setting NF_DEFRAG_IPV6 (and possibly some other ipv6-netfilter-stuff)

i considered it solved because the users were getting what they expected again - but now it's really solved.

i'll remember this for the next kernel-upgrade.

----------

## DawgG

i re-checked again and in a kernel-upgrade (from a working 4.9.76-gentoo-r1 to linux-4.14.8-gentoo-r1 with make oldconfig) this option is silently ignored.

one needs at least:

```
CONFIG_IPV6=y
CONFIG_NF_TABLES=y
CONFIG_NETFILTER_XTABLES=y
CONFIG_NETFILTER_XT_MATCH_SOCKET=y   # <- this is what you need for squid
CONFIG_NF_SOCKET_IPV4=y
CONFIG_NF_TABLES_IPV4=y
CONFIG_IP_NF_IPTABLES=y
CONFIG_NF_DEFRAG_IPV6=y
CONFIG_NF_SOCKET_IPV6=y
CONFIG_NF_LOG_IPV6=y
CONFIG_IP6_NF_IPTABLES=y
```

in addition to the other iptables/netfilter stuff.

(when i reboot the server in a year or so i will see if this *really* works - this was a dry-run in order to check the config)

----------
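A small check script, added here as an example and not posted by anyone in the thread: it takes a kernel .config (or a gunzipped /proc/config.gz), reports which of the options from the list above are neither =y nor =m, and, if CONFIG_NETFILTER_XT_MATCH_SOCKET is absent, prints the hard `depends on` entries from the Kconfig excerpt with the NF_SOCKET_IPV4/IPV6 lines that are unmet, which is exactly what makes `make oldconfig` skip the option silently. The script name and file paths are assumptions.

```sh
#!/bin/sh
# Constructed check script, not from the thread: reports which of the kernel
# options listed in the post above are neither built in (=y) nor modular (=m)
# in a given .config, and why xt_socket may be hidden from 'make oldconfig'.
# Usage: sh check-squid-kconfig.sh /usr/src/linux/.config  (or a gunzipped /proc/config.gz)

# Option list as given in the post above.
REQUIRED="CONFIG_IPV6 CONFIG_NF_TABLES CONFIG_NETFILTER_XTABLES
CONFIG_NETFILTER_XT_MATCH_SOCKET CONFIG_NF_SOCKET_IPV4 CONFIG_NF_TABLES_IPV4
CONFIG_IP_NF_IPTABLES CONFIG_NF_DEFRAG_IPV6 CONFIG_NF_SOCKET_IPV6
CONFIG_NF_LOG_IPV6 CONFIG_IP6_NF_IPTABLES"

# Hard 'depends on' lines of NETFILTER_XT_MATCH_SOCKET from the Kconfig excerpt
# with the NF_SOCKET_* dependencies; the IPV6 ones accept =n and cannot hide it.
SOCKET_MATCH_DEPS="CONFIG_NETFILTER_XTABLES CONFIG_NETFILTER_ADVANCED
CONFIG_NF_SOCKET_IPV4 CONFIG_NF_SOCKET_IPV6"

# is_enabled OPTION FILE: true when OPTION=y or OPTION=m appears on its own line.
is_enabled() {
    grep -q "^$1=[ym]$" "$2"
}

# missing_options FILE: prints each required option that is not enabled, one
# per line; exit status 0 when nothing is missing, 1 otherwise.
missing_options() {
    _rc=0
    for _opt in $REQUIRED; do
        if ! is_enabled "$_opt" "$1"; then
            printf '%s\n' "$_opt"
            _rc=1
        fi
    done
    return $_rc
}

# socket_match_blockers FILE: when the socket match is absent, prints the
# unmet dependencies that keep the option from being offered at all.
socket_match_blockers() {
    is_enabled CONFIG_NETFILTER_XT_MATCH_SOCKET "$1" && return 0
    for _dep in $SOCKET_MATCH_DEPS; do
        is_enabled "$_dep" "$1" || printf '%s\n' "$_dep"
    done
    return 1
}

if [ "$#" -gt 0 ]; then
    echo "Options missing from $1:"
    missing_options "$1" && echo "(none)"
    echo "Unmet dependencies of CONFIG_NETFILTER_XT_MATCH_SOCKET:"
    socket_match_blockers "$1" && echo "(option already enabled)"
fi
```

Run it against the new kernel's .config before `make` rather than after the reboot, so a hidden dependency shows up while the old kernel is still running.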

