Discussion:
[squid-users] Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?
Ahmad, Sarfaraz
2018-11-30 14:43:30 UTC
I think almost every time Squid opens a TCP connection, it also tries to open a raw socket of type AF_NETLINK. Syscall pasted below.
All I can make of this is that Squid is trying to engage with the iptables subsystem somehow?
I have SELinux enforcing and would like to know what Squid is trying to do before figuring out how to allow that.

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 90
socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied)

I am using WCCP and TLS interception with Squid 4.0.24 release. Everything works as expected except auditd is getting spammed with denial messages.
type=AVC msg=audit(1543478005.027:49455970): avc: denied { getattr } for pid=13766 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_socket

Any thoughts ?
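Before writing an SELinux allow rule for a denial like the one above, it is worth seeing exactly which source type, target type, class and permissions are being denied, and whether anything beyond the netlink socket is involved. The script below is an added example, not part of the original post or of Squid; it parses AVC records, groups them the way audit2allow would, and renders candidate type-enforcement rules. The sample input is constructed: the first record is the AVC line from the post, the second is a hypothetical denial of the `create` permission (what the EACCES on socket() would produce), and the third is a hypothetical SYSCALL record included only to show that non-AVC records are skipped.

```python
import re
from collections import defaultdict

# Constructed sample audit log. Record 1 is the denial quoted in the post
# (rejoined onto one line). Records 2 and 3 are hypothetical: a 'create'
# denial and the SYSCALL record that would accompany it (syscall 41 = socket
# on x86_64; a0=0x10 AF_NETLINK, a1=3 SOCK_RAW, a2=0xc NETLINK_NETFILTER).
SAMPLE_AUDIT = """\
type=AVC msg=audit(1543478005.027:49455970): avc: denied { getattr } for pid=13766 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_socket
type=AVC msg=audit(1543478005.027:49455971): avc: denied { create } for pid=13766 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_socket
type=SYSCALL msg=audit(1543478005.027:49455971): arch=c000003e syscall=41 success=no exit=-13 a0=10 a1=3 a2=c
"""

AVC_RE = re.compile(
    r'type=AVC\s+msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+'
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)


def parse_avc(line):
    """Return a dict for one AVC denial record, or None for any other record type."""
    m = AVC_RE.search(line.strip())
    if not m:
        return None
    fields = {}
    for tok in m.group('fields').split():
        if '=' in tok:
            k, v = tok.split('=', 1)
            fields[k] = v.strip('"')
    return {
        'serial': int(m.group('serial')),
        'perms': set(m.group('perms').split()),
        'pid': int(fields.get('pid', 0)),
        'comm': fields.get('comm', ''),
        'scontext': fields.get('scontext', ''),
        'tcontext': fields.get('tcontext', ''),
        'tclass': fields.get('tclass', ''),
    }


def context_type(context):
    """user:role:type:level -> type, which is what TE allow rules are written against."""
    parts = context.split(':')
    return parts[2] if len(parts) >= 3 else context


def summarize(audit_text, comm=None):
    """Group denials by (source type, target type, class) and union their permissions.

    If comm is given, only records from that process name are counted."""
    groups = defaultdict(lambda: {'perms': set(), 'count': 0})
    for line in audit_text.splitlines():
        rec = parse_avc(line)
        if rec is None or (comm is not None and rec['comm'] != comm):
            continue
        key = (context_type(rec['scontext']), context_type(rec['tcontext']), rec['tclass'])
        groups[key]['perms'] |= rec['perms']
        groups[key]['count'] += 1
    return dict(groups)


def allow_rules(summary):
    """Render each group as a TE allow rule, using 'self' when source and target types match."""
    rules = []
    for (stype, ttype, tclass), info in sorted(summary.items()):
        target = 'self' if stype == ttype else ttype
        perms = ' '.join(sorted(info['perms']))
        rules.append(f'allow {stype} {target}:{tclass} {{ {perms} }};')
    return rules


# The classes this thread is about. Anything else in the denial set should be
# investigated on its own merits rather than folded into the same module.
EXPECTED_CLASSES = {'netlink_socket', 'netlink_netfilter_socket'}


def unexpected(summary):
    """Return the (source, target, class) groups that are not netlink socket classes."""
    return [key for key in summary if key[2] not in EXPECTED_CLASSES]


if __name__ == '__main__':
    s = summarize(SAMPLE_AUDIT, comm='squid')
    for key, info in sorted(s.items()):
        print(f'{key}: {info["count"]} denial(s), perms={sorted(info["perms"])}')
    for rule in allow_rules(s):
        print(rule)
    if unexpected(s):
        print('unexpected classes:', unexpected(s))
```

The rule text produced here is the same shape `ausearch -m avc -c squid | audit2allow -M squid_netlink` would generate; the point of doing it by hand first is to review the class and permission set before running `semodule -i`. One caveat: on kernels and policies with extended socket classes enabled, a NETLINK_NETFILTER socket is reported under the class `netlink_netfilter_socket` rather than the generic `netlink_socket` seen in the post, so check which class your own denials name before writing the rule.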
Amos Jeffries
2018-12-01 11:11:53 UTC
Post by Ahmad, Sarfaraz
I think almost every time squid opens a TCP connection, It also tried to
open a raw socket of type AF_NETLINK. Syscall pasted below.
...>
Post by Ahmad, Sarfaraz
Any thoughts ?
* To receive NAT intercepted connections Squid needs access to the
system NAT table to identify what origin server the client was actually
trying to get to before it was diverted into Squid.

* To send traffic with TPROXY interception Squid must setup the socket
for sending the spoofed IP addresses.

* To perform Netfilter MARK operations (both fetch and set) Squid uses
Netfilter Conntrack APIs.

* To fetch EUI information about connections received or sent after they
are open via POSIX getsockopt() or BSD ioctl() APIs. This is optional
and on by default (eui_lookup to configure)

Any of those may be defined by your system Netfilter libraries in terms
of AF_NETLINK traffic in the background. If they are doing things like
that then the ICMP sockets and (less likely) UDS sockets may also be
affected.

If the behaviour is as repeatable as you say you can use an ALL,9 level
cache.log trace to see what exactly Squid is trying to do at the time
it happens.

Amos
e***@ngtech.co.il
2018-12-06 11:27:41 UTC
I have seen this with selinux also.
I can trace the issue down but just to clear out my doubts and before delving into DEBUG all,9:
On a default squid 4.4 with one worker no cache with default squid.conf, should we expect it or maybe it is a side effect in the code?
(Technically speaking, if I do not trust Squid in general then I should probably not entrust these netfilter sockets to Squid.)

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: ***@ngtech.co.il


-----Original Message-----
From: squid-users <squid-users-***@lists.squid-cache.org> On Behalf Of Amos Jeffries
Sent: Saturday, December 1, 2018 13:12
To: squid-***@lists.squid-cache.org
Subject: Re: [squid-users] Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?
