Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?


Ahmad, Sarfaraz

I think almost every time squid opens a TCP connection, it also tries to open a raw socket of type AF_NETLINK. Syscall pasted below.

All that I can make sense of this is that Squid is trying to engage with the iptables subsystem somehow?

I have SELinux enforcing and would like to know what Squid is trying to do before figuring out how to allow that.

socket(AF_INET, SOCK_STREAM, IPPROTO_IP) = 90

socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied)

I am using WCCP and TLS interception with Squid 4.0.24 release. Everything works as expected except auditd is getting spammed with denial messages.

type=AVC msg=audit(1543478005.027:49455970): avc:  denied  { getattr } for  pid=13766 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_socket

Any thoughts?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
Re: Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?

Amos Jeffries
Administrator
On 1/12/18 3:43 am, Ahmad, Sarfaraz wrote:
> I think almost every time squid opens a TCP connection, It also tried to
> open a raw socket of type AF_NETLINK. Syscall pasted below.
>
...>
> Any thoughts ?
>


* To receive NAT intercepted connections Squid needs access to the
system NAT table to identify what origin server the client was actually
trying to get to before it was diverted into Squid.

* To send traffic with TPROXY interception Squid must set up the socket
for sending the spoofed IP addresses.

* To perform Netfilter MARK operations (both fetch and set) Squid uses
Netfilter Conntrack APIs.

* To fetch EUI information about connections received or sent after they
are open via POSIX getsockopt() or BSD ioctl() APIs. This is optional
and on by default (eui_lookup to configure).

Any of those may be defined by your system Netfilter libraries in terms
of AF_NETLINK traffic in the background. If they are doing things like
that then the ICMP sockets and (less likely) UDS sockets may also be
affected.

If the behaviour is as repeatable as you say you can use an ALL,9 level
cache.log trace to see what exactly Squid is trying to do at the time
it happens.

Amos
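Before deciding which of the netlink uses Amos lists should be permitted, it helps to see exactly which permissions and object classes the AVC records are complaining about. The following is an added example, not code from the thread or from Squid: a small stand-in for what audit2allow does, parsing AVC lines in the format quoted above (the first sample line is the thread's denial with its wrapped tcontext re-joined; the other lines are constructed for illustration) and rendering the minimal Type Enforcement allow rules that would cover them.

```python
import re
from collections import defaultdict

# Constructed sample audit records modelled on the denial quoted in the
# thread. Only the first AVC line comes from the thread; the rest are
# assumed for illustration.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1543478005.027:49455970): avc:  denied  { getattr } for  pid=13766 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_socket
type=AVC msg=audit(1543478005.031:49455971): avc:  denied  { create } for  pid=13766 comm="squid" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:system_r:squid_t:s0 tclass=netlink_socket
type=AVC msg=audit(1543478006.002:49455972): avc:  denied  { read } for  pid=13766 comm="squid" path="/etc/squid/example.pem" scontext=system_u:system_r:squid_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
type=SYSCALL msg=audit(1543478005.027:49455970): arch=c000003e syscall=41 success=no exit=-13
"""

# Matches the permission set, source/target contexts and object class of an AVC denial.
AVC_RE = re.compile(
    r'avc:\s+denied\s+\{\s*(?P<perms>[^}]+)\}.*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)'
)

def type_of(context):
    """Return the type field (third colon-separated part) of an SELinux context."""
    return context.split(":")[2]

def parse_denials(log_text):
    """Aggregate denied permissions per (source type, target type, object class)."""
    denials = defaultdict(set)
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if not m:
            continue  # SYSCALL records and other non-AVC lines are skipped
        key = (type_of(m["scontext"]), type_of(m["tcontext"]), m["tclass"])
        denials[key].update(m["perms"].split())
    return denials

def allow_rules(denials):
    """Render minimal TE allow rules; when source and target types match,
    policy language spells the target as 'self'."""
    rules = []
    for (src, tgt, tclass), perms in sorted(denials.items()):
        target = "self" if src == tgt else tgt
        rules.append(f"allow {src} {target}:{tclass} {{ {' '.join(sorted(perms))} }};")
    return rules

if __name__ == "__main__":
    for rule in allow_rules(parse_denials(SAMPLE_AUDIT_LOG)):
        print(rule)
```

Review each generated rule against the list of netlink uses above before loading it as a policy module, since aggregating every denial can grant more than the feature you actually run (NAT lookup, TPROXY, MARK) needs.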
Re: Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?

Eliezer Croitoru
I have seen this with selinux also.
I can trace the issue down but just to clear out my doubts and before delving into DEBUG all,9:
On a default squid 4.4 with one worker no cache with default squid.conf, should we expect it or maybe it is a side effect in the code?
(Technically speaking, if I do not trust Squid in general then I should probably not entrust these netfilter sockets to Squid.)

Thanks,
Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


-----Original Message-----
From: squid-users <[hidden email]> On Behalf Of Amos Jeffries
Sent: Saturday, December 1, 2018 13:12
To: [hidden email]
Subject: Re: [squid-users] Why does Squid4 do socket(AF_NETLINK, SOCK_RAW, NETLINK_NETFILTER) = -1 EACCES (Permission denied) ?
