Project

General

Profile

Feature #10335

Squid IPv6 transparent mode

Added by Viktor Gurov 3 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Normal
Category:
Squid
Target version:
-
Start date:
03/11/2020
Due date:
% Done:

100%

Estimated time:

Description

Add IPv6 transparent mode feature to Squid

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568#c2:

Your PF rule redirects a packet to ::1, but doesn't change the receiving interface. Thus, it violates scoping rules. You can tell by running 'netstat -s -f inet6 | grep "violated scope"' before and after generating the traffic that you want to redirect. The check is in in6_setscope().

The simple workaround is to change your rdr rule to redirect to your actual link-local, site-local, or global IPv6 address instead of ::1.

from https://github.com/pfsense/FreeBSD-ports/pull/776:
Does transparent mode have to use localhost? Seems like for IPv6 it could bind to an interface address or a dedicated VIP bound to localhost and setup intercept in squid + corresponding NAT rules to redirect traffic. Either way would avoid the use of ::1 which seems to be the primary issue.

History

#2 Updated by Jim Pingle about 2 months ago

  • Status changed from New to Pull Request Review

#3 Updated by Renato Botelho about 2 months ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

#4 Updated by Viktor Gurov about 2 months ago

  • Status changed from Feedback to Resolved

works as expected on 2.4.5/2.5 with squid 0.4.44_19

Also available in: Atom PDF