[squid-users] IPv6 and TPROXY

Eliezer Croitoru eliezer at ngtech.co.il
Sun Aug 20 21:27:03 UTC 2017


Hey Amos,

Leaving aside very old kernels, I still don't know if this setup works at the routing level, not to speak of tproxy interception.

The known issues are not relevant to the case if I am able to test it and make sure the issue doesn't apply to the latest CentOS 6 kernels.

Also, even if CentOS has an ancient kernel from the 2.X era, it doesn't mean that more advanced OS versions are not affected by the same or similar issues.
CentOS 7 now uses the 3.10 Linux kernel, which is not an ancient kernel but also not the tip or mainline.

Also, from what I have seen in the CentOS 7 and RHEL 7 and Netfilter man pages and other documentation, it seems that a tproxy socket (IP_TRANSPARENT, i.e. 19) is required for both the tproxy and REDIRECT ip6tables targets to work properly.

I have yet to test REDIRECT with IPv6 on CentOS 7, and I am not sure how it should/would work (even if it compiles...).
With IPv4 you would have used SO_ORIGINAL on the socket to know the original remote address, but with tproxy and IP_TRANSPARENT based sockets, from what I remember, you had to use another option to know the original destination address.
It should be something like "get local address" of the socket (for tproxy) being the equivalent of get_sock_opt(..SO_ORIGINAL..).

Until I try to test the IPv6 REDIRECT with squid intercept, I will not know if it works the same as the IPv4 redirect and what the recommendation should be for general usage at the socket level and squid level.

And if there is no other option than using a transparent proxy socket for both tproxy and REDIRECT targets, then the outgoing IP address for traffic usage should be configurable using some fast ACLs (leaving aside this specific thread's use case).

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: eliezer at ngtech.co.il


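The getsockname-versus-SO_ORIGINAL_DST distinction described in the message above, as an added C example that is not part of this thread and not Squid's code. It assumes Linux, where the conntrack option for IPv6 is IP6T_SO_ORIGINAL_DST and the listener option for IPv6 is IPV6_TRANSPARENT (both real Linux constants, neither named in the thread); the numeric values are spelled out so the netfilter headers need not be included, and the self-test only exercises the TPROXY-style lookup because no iptables rule is available offline.

```c
#include <netinet/in.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define SO_ORIGINAL_DST 80        /* Linux value from <linux/netfilter_ipv4.h> */
#define IP6T_SO_ORIGINAL_DST 80   /* Linux value from <linux/netfilter_ipv6/ip6_tables.h> */
#ifndef IPV6_TRANSPARENT
#define IPV6_TRANSPARENT 75       /* IP_TRANSPARENT (19) comes from <netinet/in.h> */
#endif
enum intercept_mode { MODE_TPROXY, MODE_REDIRECT };
/* A TPROXY listener must be transparent (needs CAP_NET_ADMIN, so not self-tested). */
int set_transparent(int fd, int family)
{
    int one = 1;
    return family == AF_INET6 ? setsockopt(fd, IPPROTO_IPV6, IPV6_TRANSPARENT, &one, sizeof one)
                              : setsockopt(fd, IPPROTO_IP, IP_TRANSPARENT, &one, sizeof one);
}

/* Address the client originally dialled, read from the accepted socket. TPROXY leaves
 * it untouched, so getsockname() is the answer; REDIRECT/DNAT rewrote it, so conntrack
 * is asked (SO_ORIGINAL_DST for IPv4, IP6T_SO_ORIGINAL_DST for IPv6). 0 ok, -1/errno. */
int original_dst(int fd, enum intercept_mode mode, struct sockaddr_storage *dst, socklen_t *len)
{
    struct sockaddr_storage peer; socklen_t plen = sizeof peer;
    *len = sizeof *dst;
    if (mode == MODE_TPROXY) return getsockname(fd, (struct sockaddr *)dst, len);
    if (getpeername(fd, (struct sockaddr *)&peer, &plen) < 0) return -1;   /* family decides */
    return peer.ss_family == AF_INET6 ? getsockopt(fd, IPPROTO_IPV6, IP6T_SO_ORIGINAL_DST, dst, len)
                                      : getsockopt(fd, IPPROTO_IP, SO_ORIGINAL_DST, dst, len);
}

/* Self-check without iptables: one loopback connection; the TPROXY-style lookup on the
 * accepted socket must equal the listener's bound address:port. Returns 1 on match. */
int loopback_selftest(int family)
{
    struct sockaddr_in6 a6 = { .sin6_family = AF_INET6, .sin6_addr = IN6ADDR_LOOPBACK_INIT };
    struct sockaddr_in a4 = { .sin_family = AF_INET, .sin_addr.s_addr = htonl(INADDR_LOOPBACK) };
    struct sockaddr *a = family == AF_INET6 ? (struct sockaddr *)&a6 : (struct sockaddr *)&a4;
    socklen_t alen = family == AF_INET6 ? sizeof a6 : sizeof a4, blen = sizeof(struct sockaddr_storage), glen;
    struct sockaddr_storage bound, got;
    int ls = socket(family, SOCK_STREAM, 0), cs = socket(family, SOCK_STREAM, 0), as = -1, ok = 0;
    if (ls < 0 || cs < 0 || bind(ls, a, alen) || listen(ls, 1)) goto out;
    if (getsockname(ls, (struct sockaddr *)&bound, &blen) || connect(cs, (struct sockaddr *)&bound, blen)) goto out;
    if ((as = accept(ls, NULL, NULL)) < 0) goto out;
    ok = original_dst(as, MODE_TPROXY, &got, &glen) == 0 && glen == blen && !memcmp(&got, &bound, blen);
out:
    close(as); close(cs); close(ls);   /* close(-1) is only a harmless EBADF */
    return ok;
}
```

Run loopback_selftest(AF_INET6) the same way on a host with ::1 configured; the REDIRECT path can only be exercised behind a real REDIRECT/DNAT rule, where it returns the pre-rewrite destination.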

-----Original Message-----
From: Amos Jeffries [mailto:squid3 at treenet.co.nz] 
Sent: Sunday, August 20, 2017 18:32
To: Eliezer Croitoru <eliezer at ngtech.co.il>; squid-users at lists.squid-cache.org
Subject: Re: [squid-users] IPv6 and TPROXY

On 20/08/17 23:47, Eliezer Croitoru wrote:
> I am still waiting for a couple of answers about the system and the setup.
> Also, to resolve the issue it will be required to know if the issue is on the squid side or the kernel side (IPv6 related) or the iptables rules.
> All of the above will allow us to help Walter make this system work.
> 
> And Amos, about the part of avoiding using tproxy for the outgoing traffic and only using it to intercept the connections:
> For a CentOS 6 system it's the only option to run an INTERCEPT proxy which hides the client IPv6 address, so I think it's something that needs to be documented somewhere in the wiki.

CentOS 6 still supplies kernel 2.6.32 apparently. Issues with those 
kernels are listed in the TPROXY wiki page:
"
TPROXYv4 support reached a usable form in 2.6.28. However several 
Kernels have various known bugs:

  * 2.6.28 to 2.6.32 have different rp_filter configuration. The 
rp_filter settings (0 or 1) for these kernels will silently block TPROXY 
if used on newer kernels.
  * 2.6.28 to 2.6.36 are known to have ICMP and TIME_WAIT issues.
  * 2.6.32 to 2.6.34 have bridging issues on some systems.
"



> I would be happy to write the article if I knew how to disable tproxy for the outgoing traffic.

There is nothing to document, it is not configurable.

When one is stuck with an ancient kernel the available modern features 
are naturally rather limited.

Amos


