Feature #10335

closed

Squid IPv6 transparent mode

Added by Viktor Gurov over 4 years ago. Updated over 4 years ago.

Status: Resolved
Priority: Normal
Category: Squid
Target version: -
Start date: 03/11/2020
Due date:
% Done: 100%
Estimated time:
Plus Target Version:

Description

Add IPv6 transparent mode feature to Squid

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=193568#c2:

Your PF rule redirects a packet to ::1, but doesn't change the receiving interface. Thus, it violates scoping rules. You can tell by running 'netstat -s -f inet6 | grep "violated scope"' before and after generating the traffic that you want to redirect. The check is in in6_setscope().

The simple workaround is to change your rdr rule to redirect to your actual link-local, site-local, or global IPv6 address instead of ::1.

from https://github.com/pfsense/FreeBSD-ports/pull/776:
Does transparent mode have to use localhost? Seems like for IPv6 it could bind to an interface address or a dedicated VIP bound to localhost and set up intercept in squid + corresponding NAT rules to redirect traffic. Either way would avoid the use of ::1 which seems to be the primary issue.
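
The check described in the quoted FreeBSD comment, as an added example that is not part of the ticket or the linked PR: it compares the "violated scope" counter between two `netstat -s -f inet6` snapshots and lists rdr rules from `pfctl -sn` that still target ::1. The function names are hypothetical and the sample data is constructed.

```sh
#!/bin/sh
# Added example (not from the ticket). All names below are hypothetical.

# Print the "violated scope" packet counter found in
# `netstat -s -f inet6` output read from stdin (0 if the line is absent).
scope_violations() {
    awk '/violated scope/ { print $1; found = 1; exit }
         END { if (!found) print 0 }'
}

# Print how many packets violated scope rules between two snapshots.
# $1 = output saved before the test traffic, $2 = output saved after it.
scope_delta() {
    before=$(printf '%s\n' "$1" | scope_violations)
    after=$(printf '%s\n' "$2" | scope_violations)
    echo $((after - before))
}

# Print the rdr rules (as listed by `pfctl -sn`, read from stdin)
# whose redirect target is the IPv6 loopback address ::1.
rdr_to_loopback6() {
    awk '$1 == "rdr" {
             for (i = 1; i < NF; i++)
                 if ($i == "->" && $(i + 1) == "::1") { print; next }
         }'
}

# Constructed sample data, not captured from a real system.
SAMPLE_BEFORE='ip6:
	1200 total packets received
	3 packets that violated scope rules'
SAMPLE_AFTER='ip6:
	1260 total packets received
	15 packets that violated scope rules'
SAMPLE_RULES='rdr pass on em1 inet6 proto tcp from any to any port = http -> ::1 port 3128
rdr pass on em2 inet6 proto tcp from any to any port = http -> 2001:db8::1 port 3128
rdr pass on em1 inet proto tcp from any to any port = http -> 127.0.0.1 port 3128'

# Live use on FreeBSD/pfSense:
#   b=$(netstat -s -f inet6)   # snapshot, then generate the redirected traffic
#   a=$(netstat -s -f inet6)
#   scope_delta "$b" "$a"      # non-zero: packets were dropped for scope violations
#   pfctl -sn | rdr_to_loopback6
```

A non-zero delta together with a rule listed by `rdr_to_loopback6` matches the situation the comment describes: the redirect to ::1 is being dropped by the scope check.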

Actions #2

Updated by Jim Pingle over 4 years ago

  • Status changed from New to Pull Request Review
Actions #3

Updated by Renato Botelho over 4 years ago

  • Status changed from Pull Request Review to Feedback
  • Assignee set to Renato Botelho
  • % Done changed from 0 to 100

PR has been merged. Thanks!

Actions #4

Updated by Viktor Gurov over 4 years ago

  • Status changed from Feedback to Resolved

Works as expected on 2.4.5/2.5 with squid 0.4.44_19.
