[squid-users] IP_FREEBIND or IP_TRANSPARENT support?
Amos Jeffries
squid3 at treenet.co.nz
Tue Oct 3 02:18:43 UTC 2017
On 03/10/17 07:44, xpro6000 wrote:
> If one were to assign a whole /64 block of IPv6 IPs to a NIC on Linux
> then they would use the "ip route add local" method instead of adding
> each IP in the /etc/network/interfaces file.
>
> From the testing I have done the IPs that were assigned with the "ip
> route add local" don't work with Squid and the main reason for this is
> because Squid does not use IP_FREEBIND or IP_TRANSPARENT option on the
> socket connection.
Any machine can be set up to *route* traffic (ip route add ...). That is
a very different proposition to assigning those IPs as belonging to that
machine (ip addr add ...).

IP_TRANSPARENT is the spoofing part of the TPROXYv4 feature and is used
by Squid when TPROXY is set up.
>
> You can read more about it here
>
> https://serverfault.com/a/591435/141509
>
That whole SF entry is all kinds of mixed up. It is basically saying
that to "assign a whole range" one has to *spoof* the IPs in that range.
Which is a very wrong thing to do.

The list of 'ip addr add' settings in the original interfaces file is
correct for what the person was wanting (and you?), though I'm not sure
if there is another place to do them. I do the same but in a trigger
script called from the interfaces file instead of listing them all in
that file directly.
>
> Is there any option in the config file that enables this option?
>
Not for Squid.

Squid prefers the OS to select the IP which is used, though for a small
number of IPs you can use tcp_outgoing_addr to tell the OS that any
specific one of the set *assigned* to the machine should be used on
server connections.
Amos