[squid-users] IPv6 and TPROXY
Amos Jeffries
squid3 at treenet.co.nz
Sun Aug 20 15:31:52 UTC 2017
On 20/08/17 23:47, Eliezer Croitoru wrote:
> I am still waiting for a couple of answers about the system and the setup.
> Also to resolve the issue it will be required to know if the issue is on squid side or the kernel side (IPv6 related) or iptables rules.
> All of the above will allow us to help Walter make this system work.
>
> And Amos, about the part of avoiding using tproxy for the outgoing traffic and only use it to intercept the connections:
> For a CentOS 6 system it's the only option to run an INTERCEPT proxy which hides the client IPv6 address so I think it's something that needs to be documented somewhere in the wiki.
CentOS 6 still supplies kernel 2.6.32 apparently. Issues with those
kernels are listed in the TPROXY wiki page:
"
TPROXYv4 support reached a usable form in 2.6.28. However several
Kernels have various known bugs:
* 2.6.28 to 2.6.32 have different rp_filter configuration. The
rp_filter settings (0 or 1) for these kernels will silently block TPROXY
if used on newer kernels.
* 2.6.28 to 2.6.36 are known to have ICMP and TIME_WAIT issues.
* 2.6.32 to 2.6.34 have bridging issues on some systems.
"
> I would be happy to write the article if I would have known how to disable tproxy for the outgoing traffic.
There is nothing to document, it is not configurable.
When one is stuck with an ancient kernel the available modern features
are naturally rather limited.
Amos