[squid-users] distinguish between IPv4 and IPv6
Walter H.
Walter.H at mathemainzel.info
Tue Jan 12 17:24:05 UTC 2021
Hello,
I did something different, that prevents using the IPv6 of the tunnel
device as source address;
(a general solution not just squid)
Walter
On 11.01.2021 21:29, Eliezer Croitoru wrote:
>
> The detection of an IPV6 available DST can be determined by DNS and
> external ACL helper.
>
> It will “slow” down the first couple bytes of the connection but can
> be much more reliable than the basic “dst” acl.
>
> The basic test would be something like:
>
> nslookup -type=aaaa www.squid-cache.org -timeout=10 | grep -v '#53' | grep Address: | wc -l
>
> if the wc -l gt 0 then try to use IPV6.
>
> I believe it’s pretty simple and the main issue is that if a service
> advertises an unreachable IPV6 address.
>
> It can be either because of network misconfiguration or FW or
> misconfigured DNS.
>
> I have seen all of the above happen in production services in the last
> year.
>
> I can write a helper for this if required.
>
> Eliezer
>
> ----
>
> Eliezer Croitoru
>
> Tech Support
>
> Mobile: +972-5-28704261
>
> Email: ngtech1ltd at gmail.com <mailto:ngtech1ltd at gmail.com>
>
> Zoom: Coming soon
>
> *From:* squid-users <squid-users-bounces at lists.squid-cache.org> *On
> Behalf Of* Amos Jeffries
> *Sent:* Monday, January 11, 2021 10:10 PM
> *To:* Walter H. <Walter.H at mathemainzel.info>;
> squid-users at lists.squid-cache.org
> *Subject:* Re: [squid-users] distinguish between IPv4 and IPv6
>
> The dst ACL type accepts the special value of "ipv4". You can use that
> and the "!" operator to split traffic.
>
> However, please be aware dst is not very reliable until *after* the
> outgoing connection has been created, and we are still finding some
> access checks that do not use it correctly. YMMV.
>
> Amos
>
>
> -------- Original message --------
> From: "Walter H."
> Date: Tue, 12 Jan 2021, 03:19
>
> Hello,
>
> is there a way, that I can do something like
>
> if ( dst is IPv4 ) go direct
> if ( dst is IPv6 ) use parent proxy xxx
>
> The reason for my question, I'm using an IPv6-in-IPv4 tunnel,
> and it would make sense to forward all traffic going to IPv6 to squid
> running on tunnel end;
>
> Thanks,
> Walter
>
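
The external ACL helper idea from the quoted reply, sketched as an added example; it is not code from the thread or from any of its participants. The helper name `has_aaaa`, its install path and the squid.conf wiring shown in the comments are assumptions, and like the nslookup test it only sees what DNS advertises, not whether the address is reachable.

```python
#!/usr/bin/env python3
"""Squid external ACL helper: reply OK when the destination has an IPv6 address.

Assumed squid.conf wiring (names and path are hypothetical):
  external_acl_type has_aaaa ttl=300 negative_ttl=60 %DST /usr/local/bin/has_aaaa.py
  acl dst_has_v6 external has_aaaa
"""
import ipaddress
import socket
import sys


def system_aaaa(host):
    """IPv6 addresses from the system resolver; empty list on any lookup failure."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return []
    return [info[4][0] for info in infos]


def usable_v6(addr):
    """True for an IPv6 address that is neither IPv4-mapped nor link-local."""
    try:
        ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop any scope id
    except ValueError:
        return False
    return ip.version == 6 and ip.ipv4_mapped is None and not ip.is_link_local


def has_ipv6(host, resolve=system_aaaa):
    host = host.strip().strip("[]")
    if not host or host == "-":
        return False
    try:
        ipaddress.ip_address(host)
    except ValueError:
        return any(usable_v6(a) for a in resolve(host))  # hostname: ask DNS
    return usable_v6(host)  # literal address: no lookup needed


def answer(line, resolve=system_aaaa):
    """One helper request (first field is %DST) -> Squid helper reply."""
    fields = line.split()
    return "OK" if fields and has_ipv6(fields[0], resolve) else "ERR"


if __name__ == "__main__":
    for request in sys.stdin:  # Squid writes one request per line
        print(answer(request), flush=True)
```

The `ttl` and `negative_ttl` options let Squid cache the helper's verdict, so the DNS delay mentioned in the quoted reply is paid only on the first request per destination.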