Feature #10335
Closed
Squid IPv6 transparent mode
100%
Description
Add IPv6 transparent mode feature to Squid
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568#c2:
Your PF rule redirects a packet to ::1, but doesn't change the receiving interface. Thus, it violates scoping rules. You can tell by running 'netstat -s -f inet6 | grep "violated scope"' before and after generating the traffic that you want to redirect. The check is in in6_setscope().
The simple workaround is to change your rdr rule to redirect to your actual link-local, site-local, or global IPv6 address instead of ::1.
from https://github.com/pfsense/FreeBSD-ports/pull/776:
Does transparent mode have to use localhost? Seems like for IPv6 it could bind to an interface address or a dedicated VIP bound to localhost and set up intercept in squid + corresponding NAT rules to redirect traffic. Either way would avoid the use of ::1 which seems to be the primary issue.
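The check described in the quoted FreeBSD comment, as an added example that is not part of this ticket or of the pfSense package: a shell script that reads the "violated scope" counter from `netstat -s -f inet6` and flags rdr rules that still target ::1. The function names, interface name, port, addresses and sample netstat/pf lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the ticket). Names and sample data are constructed.

# Read `netstat -s -f inet6` output on stdin, print the "violated scope" counter.
scope_violations() {
    awk '/violated scope/ { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

# Read a pf ruleset on stdin, print rdr rules whose target is the IPv6 loopback.
rdr_to_loopback() {
    awk '/^[ \t]*rdr/ && /-> *::1([ \t]|$)/'
}

# Run the given command (the traffic that should be redirected) and print how
# much the counter grew. Needs FreeBSD netstat; a non-zero result means packets
# violated scope rules while the command ran.
scope_delta() {
    before=$(netstat -s -f inet6 | scope_violations)
    "$@"
    after=$(netstat -s -f inet6 | scope_violations)
    echo $((after - before))
}

# Constructed sample input so the parsers can be exercised offline.
SAMPLE_NETSTAT='ip6:
    1042 total packets received
    7 packets that violated scope rules'

# 2001:db8::1 is a documentation-prefix placeholder for the firewall's own address.
SAMPLE_RULES='rdr pass on em1 inet6 proto tcp from any to any port 80 -> ::1 port 3128
rdr pass on em1 inet6 proto tcp from any to any port 80 -> 2001:db8::1 port 3128
rdr pass on em1 inet proto tcp from any to any port 80 -> 127.0.0.1 port 3128'

printf '%s\n' "$SAMPLE_NETSTAT" | scope_violations   # counter value
printf '%s\n' "$SAMPLE_RULES" | rdr_to_loopback      # only the ::1 rule
```

On a FreeBSD host, `pfctl -sn | rdr_to_loopback` lists the loaded rules to review, and `scope_delta` can wrap whatever command generates the test traffic.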
Updated by Viktor Gurov over 4 years ago
Updated by Jim Pingle over 4 years ago
- Status changed from New to Pull Request Review
Updated by Renato Botelho over 4 years ago
- Status changed from Pull Request Review to Feedback
- Assignee set to Renato Botelho
- % Done changed from 0 to 100
PR has been merged. Thanks!
Updated by Viktor Gurov over 4 years ago
- Status changed from Feedback to Resolved
Works as expected on 2.4.5/2.5 with squid 0.4.44_19