Testing 'squid 4.0.24' (was: Re: Testing squid 4.0.23 - grsec denied kernel module auto-load of nf_conntrack_netlink by uid 23)

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 4365 bytes --]

Hi,

FYI:

I added '--without-netfilter-conntrack' to configure options. Building
with Core 118 was OK. Since yesterday, 'squid 4.0.24' is running on
GREEN (non-transparent) and BLUE (transparent) without any further
kernel messages, no seen problems so far.

Running addons/services: 'squidguard', 'sgraph', 'clamav',
'snort/guardian' (RED/BLUE), 'hostapd', 'wio', 'QoS', and 'privoxy'.

Overall performance seems to be a bit faster. We'll see.

Furthermore, while searching I found this 'squid-nabble' diskussion:

http://squid-web-proxy-cache.1019090.n4.nabble.com/Squid-4-Development-Blog-td4684900.html

***SNIP***
On 25/02/18 06:26, Chase Wright wrote:
> It's been nearly 2 years since there was a blog post about Squid 4.x
> and I've noticed that the daily auto-generated Squid 3.5 stable branch
> release last updated on "08 Dec 2017"
>
> I've also noticed that the last two CVEs were only fixed in the 4.x
> branch (2018)
>
> Is the squid team planning to move 4.x to stable soon?
>

"Soon" yes. Those last few bugs proved to be extremely painful and slow
to get fixed.

As of today we have one major bug unfixed, and some testing needed for
checking the stability of the recent huge fixes. I'm just waiting on the
backports of some small regressions already found before the next v4
beta package.

I am *hoping* not to have to release any more 3.5 packages. But that of
course depends on what the timeline this final bug turns into.

Amos
***SNAP***

Best,
Matthias

On 10.03.2018 12:22, Matthias Fischer wrote:
> Hi,
> 
> Found something...but since I don't have much experience with this:
> 
> What impact is to be expected when I translate 'squid 4.0.24' with the
> configure option '--without-netfilter-conntrack'?
> 
> Help says:
> "--without-netfilter-conntrack
> Do not use Netfilter conntrack libraries for packet marking. A path to
> alternative library location may be specified by using
> --with-netfilter-conntrack=PATH.
> Default: auto-detect."
> 
> I didn't find any further or helpful informations about the
> (side-)effects when I turn this off.
> 
> Best,
> Matthias
> 
> On 22.01.2018 14:30, Michael Tremer wrote:
>> Okay, please keep an eye on squid 4 for us then. I am not following this very
>> closely and have no idea what will change in squid 4.
>> 
>> Best,
>> -Michael
>> 
>> On Sun, 2018-01-21 at 21:35 +0100, Matthias Fischer wrote:
>>> On 21.01.2018 19:57, Michael Tremer wrote:
>>> > Hello,
>>> > 
>>> > yes this is correct.
>>> > 
>>> > We don't allow an unprivileged user to load any kernel modules.
>>> 
>>> Ok, then my suspicion was right.
>>> 
>>> > What does squid need this for? Why are you playing around with squid 4?
>>> 
>>> 1. I don't know. 3.5.27 doesn't do this.
>>> 2. As I wrote - just to keep in touch with their development. Once in a
>>> while, 'squid 3' will be deprecated and I wanted to see what comes next,
>>> even though this may take a long time. Just being curious and the
>>> 'Devel' was somehow bored. ;-)
>>> 
>>> > You should be able to load the module first and then start squid.
>>> 
>>> I'm not that curious - this was for testing and for testing only.
>>> 
>>> Best,
>>> Matthias
>>> 
>>> > Best,
>>> > -Michael
>>> > 
>>> > On Sun, 2018-01-21 at 01:50 +0100, Matthias Fischer wrote:
>>> > > Hi,
>>> > > 
>>> > > Just to keep in touch, I tested 'squid 4.0.23' yesterday - it seemed to
>>> > > run fine at first. But after a while I took a closer look at the logs
>>> > > and discovered a bunch of kernel messages within a few hours and I don't
>>> > > know what exactly triggered these messages:
>>> > > 
>>> > > ...
>>> > > 132 Time(s): grsec: denied kernel module auto-load of
>>> > > nf_conntrack_netlink by uid 23
>>> > > ...
>>> > > 
>>> > > As far as I found out: "uid 23" => squid-user, and the new squid tried
>>> > > to 'autoload' a module which 'grsec' didn't like. Is this a correct
>>> > > interpretation and has anyone some useable clue how to avoid this?
>>> > > 
>>> > > Besides, after going back to '3.5.27' the messages didn't came back
>>> > > again. '4.0.22' didn't throw these messages, too. They changed something
>>> > > and I don't know what it is...
>>> > > 
>>> > > Thanks for all tips!
>>> > > 
>>> > > Best,
>>> > > Matthias
> 
>