<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<div class="moz-cite-prefix">Hello,</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">I did something different, that
prevents using the IPv6 of the tunnel device as source address;</div>
<div class="moz-cite-prefix">(a general solution not just squid)</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">Walter<br>
</div>
<div class="moz-cite-prefix"><br>
</div>
<div class="moz-cite-prefix">On 11.01.2021 21:29, Eliezer Croitoru
wrote:<br>
</div>
<blockquote type="cite"
cite="mid:000601d6e858$852f3d40$8f8db7c0$@gmail.com">
<div class="WordSection1">
<p class="MsoNormal">The detection of an IPV6 available DST can
be determined by DNS and external ACL helper.</p>
<p class="MsoNormal">It will “slow” down the first couple bytes
of the connection but can be much more reliable than the basic
“dst” acl.</p>
<p class="MsoNormal">The basic test would be something like:</p>
<p class="MsoNormal">nslookup -type=aaaa <a class="moz-txt-link-abbreviated" href="http://www.squid-cache.org">www.squid-cache.org</a>
-timeout=10 |grep -v '#53'|grep Address:|wc -l</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">if the wc -l gt 0 then try to use IPV6.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I believe it’s pretty simple and the main
issue is when a service advertises an unreachable IPV6
address.</p>
<p class="MsoNormal">It can be either because of network
misconfiguration or FW or misconfigured DNS.</p>
<p class="MsoNormal">I have seen all of the above happen in
production services in the last year.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">I can write a helper for this if required.</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">Eliezer</p>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal"><b>From:</b> squid-users
<a class="moz-txt-link-rfc2396E" href="mailto:squid-users-bounces@lists.squid-cache.org">&lt;squid-users-bounces@lists.squid-cache.org&gt;</a> <b>On
Behalf Of </b>Amos Jeffries<br>
<b>Sent:</b> Monday, January 11, 2021 10:10 PM<br>
<b>To:</b> Walter H. <a class="moz-txt-link-rfc2396E" href="mailto:Walter.H@mathemainzel.info">&lt;Walter.H@mathemainzel.info&gt;</a>;
<a class="moz-txt-link-abbreviated" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br>
<b>Subject:</b> Re: [squid-users] distinguish between IPv4
and IPv6</p>
</div>
<p class="MsoNormal"> </p>
<div>
<p class="MsoNormal">The dst ACL type accepts the special
value of "ipv4". You can use that and the "!" operator to
split traffic.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">However, please be aware dst is not
very reliable until *after* the outgoing connection has
been created, and we are still finding some access checks
that do not use it correctly. YMMV.</p>
<div>
<p class="MsoNormal"> </p>
</div>
<div>
<p class="MsoNormal">Amos</p>
</div>
</div>
</div>
<div>
<p class="MsoNormal"><br>
-------- Original message --------<br>
From: "Walter H."<br>
Date: Tue, 12 Jan 2021, 03:19</p>
<blockquote>
<p class="MsoNormal">Hello,<br>
<br>
is there a way, that I can do something like<br>
<br>
if ( dst is IPv4 ) go direct<br>
if ( dst is IPv6 ) use parent proxy xxx<br>
<br>
The reason for my question, I'm using an IPv6-in-IPv4
tunnel,<br>
and it would make sense to forward all traffic going to
IPv6 to squid <br>
running on tunnel end;<br>
<br>
Thanks,<br>
Walter</p>
</blockquote>
</div>
</div>
</blockquote>
<br>
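<p>The DNS check described in the quoted message, as an added example that is not part of the original thread or of Squid's own code: a Python external ACL helper that answers OK when the destination resolves to an IPv6 address, using the system resolver rather than passing a client-supplied host name through a shell pipeline. The helper path, ACL names and ttl values shown in the comments are assumptions.</p>

```python
#!/usr/bin/env python3
# Squid external ACL helper (added example): OK if the host has an IPv6 address.
# Assumed squid.conf wiring (helper path and ACL names are hypothetical):
#   external_acl_type has_aaaa ttl=300 negative_ttl=60 %DST /usr/local/bin/aaaa_helper.py
#   acl v6dst external has_aaaa
import re
import socket
import sys

# Letters, digits, dot, hyphen, underscore, plus colon for IPv6 literals.
HOST_RE = re.compile(r"[A-Za-z0-9._:-]{1,253}")


def system_has_ipv6(host):
    """True if the system resolver returns at least one IPv6 address for host."""
    try:
        return bool(socket.getaddrinfo(host, None, socket.AF_INET6))
    except (OSError, UnicodeError):
        return False                       # no AAAA, lookup failure, or bad name


def handle_line(line, has_ipv6=system_has_ipv6):
    """Turn one Squid request line into one reply line.

    With concurrency=0 the line is just the %DST value; with concurrency
    above 0 Squid prefixes a channel ID that must be echoed in the reply.
    """
    tokens = line.split()
    if len(tokens) == 2 and tokens[0].isdigit():
        prefix, host = tokens[0] + " ", tokens[1]
    elif len(tokens) == 1:
        prefix, host = "", tokens[0]
    else:
        return "ERR"                       # malformed request: treat as no IPv6
    host = host.strip("[]")                # tolerate bracketed IPv6 literals
    if not HOST_RE.fullmatch(host):        # client-controlled value: reject oddities
        return prefix + "ERR"
    return prefix + ("OK" if has_ipv6(host) else "ERR")


def main():
    for line in sys.stdin:                 # Squid keeps the helper running
        sys.stdout.write(handle_line(line) + "\n")
        sys.stdout.flush()                 # Squid waits for each reply line


if __name__ == "__main__":
    main()
```

<p>An OK answer only means an address is published; as the quoted message notes, an advertised IPv6 address can still be unreachable.</p>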
</body>
</html>