Bug #7048

closed

Add IPv6 support to squid

Added by Matthew Hall over 7 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
Normal
Assignee:
-
Category:
Squid
Target version:
-
Start date:
12/28/2016
Due date:
% Done:
0%

Estimated time:
Plus Target Version:
Affected Version:
2.3.x
Affected Plus Version:
Affected Architecture:
All

Description

Missing IPv6 support in the squid package allows traffic to escape intended inspection and apparently also the firewall rules (which should not allow the bypass either but still apparently do). The MITM rules configured by the Squid package configuration process do not appear to pick up IPv6 traffic; it looks like these interception ACLs are only doing "inet4" and not "inet6" or similar:

rdr on igb0_vlan50 inet proto tcp from any to ! (igb0_vlan50) port = http -> 127.0.0.1 port 3128
rdr on igb0_vlan50 inet proto tcp from any to ! (igb0_vlan50) port = https -> 127.0.0.1 port 3129
pass in quick on igb0_vlan50 proto tcp from any to ! (igb0_vlan50) port = 3128 flags S/SA keep state
pass in quick on igb0_vlan50 proto tcp from any to ! (igb0_vlan50) port = 3129 flags S/SA keep state
igb0_vlan50 tcp 127.0.0.1:3128 (198.211.116.210:80) <- 10.200.5.5:57242 FIN_WAIT_2:FIN_WAIT_2
igb0_vlan50 tcp 127.0.0.1:3128 (208.69.120.55:80) <- 10.200.5.5:45536 FIN_WAIT_2:FIN_WAIT_2

IPv6 is supported upstream and so is BSD's interception system for IPv6: http://wiki.squid-cache.org/Features/IPv6 . This issue prevents me from realizing the intended use case of monitoring and filtering outbound traffic from a test lab. At present, the IPv6 traffic leaks through due to the missing rules even if the normal firewall policies on the interface block the traffic, and dual-stack is intentionally used in the test lab to provide the most complete realistic environment possible.

Further context from email discussion w/ Jim Thompson and Jim Pingle:

"As far as I'm aware the squid package has not claimed to support IPv6,
so this is expected. To add that in we would need a feature request on
redmine. There aren't any IPv6 options in the squid GUI.

Since the source address would be lost in the process, attempting to
intercept IPv6 is much more disruptive than its IPv4 counterpart, which
usually has NAT hiding the source. To work around that requires tproxy
or similar in both squid and the host OS (read: FreeBSD). We have squid
compiled with TP_PF, at least on 2.4, but I don't know that anyone has
attempted to get that working. If it actually does work in
FreeBSD+pf+squid then it may be possible to add that feature, but it
would take development and testing time.

Jim P."
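The report above boils down to a ruleset audit: every rdr rule the package generated carries the `inet` keyword, so pf only ever redirects IPv4 flows into squid and IPv6 flows to port 80/443 never reach the proxy. The following shell script is an added example written for this page; it is not part of the ticket, of pfSense, or of the squid package. It scans a pf NAT ruleset in the format `pfctl -sn` prints, lists the destination ports that have an `inet` rdr rule but no `inet6` counterpart, and emits a proposed `inet6` sibling for each gap. The sample ruleset is constructed from the rules quoted in the ticket, with one extra dual-stack https rule added so the audit has a covered case to contrast with; the rewrite of `127.0.0.1` to `::1` assumes squid is also listening on `::1`, which is a proxy-side assumption this script does not check.

```shell
#!/bin/sh
# Added example (not part of the ticket): audit a pf NAT ruleset, as printed by
# `pfctl -sn`, for interception (rdr) rules that exist only for the IPv4 family
# ("inet") and have no IPv6 ("inet6") counterpart, then print a proposed inet6
# sibling for each gap.
#
# Constructed sample: the two rdr rules quoted in the ticket plus one inet6
# https rule, so that https is dual-stack and only http is IPv4-only.
SAMPLE_NAT_RULES='rdr on igb0_vlan50 inet proto tcp from any to ! (igb0_vlan50) port = http -> 127.0.0.1 port 3128
rdr on igb0_vlan50 inet proto tcp from any to ! (igb0_vlan50) port = https -> 127.0.0.1 port 3129
rdr on igb0_vlan50 inet6 proto tcp from any to ! (igb0_vlan50) port = https -> ::1 port 3129'

# ipv4_only_rdr_ports RULESET
# Prints, one per line (sorted), the destination port of every rdr rule that
# matches only the inet family and has no inet6 rule for the same port.
# A rdr rule with no family keyword applies to both families in pf, so it is
# treated as covering both. Ports are compared as written (http vs 80 would
# not be unified).
ipv4_only_rdr_ports() {
    printf '%s\n' "$1" | awk '
        $1 == "rdr" {
            fam = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "inet" || $i == "inet6") fam = $i
                # the first "port = X" is the destination match; the trailing
                # "port N" after "->" is the redirect target and is skipped
                if ($i == "port" && $(i + 1) == "=" && port == "") port = $(i + 2)
            }
            if (fam == "inet")       v4[port] = 1
            else if (fam == "inet6") v6[port] = 1
            else { v4[port] = 1; v6[port] = 1 }
        }
        END { for (p in v4) if (!(p in v6)) print p }' | sort
}

# inet6_sibling RULE
# Rewrites one inet rdr rule into its inet6 form: the family keyword becomes
# inet6 and a 127.0.0.1 redirect target becomes ::1. Assumes the proxy
# (squid) also listens on ::1; that is not verified here.
inet6_sibling() {
    printf '%s\n' "$1" | sed -e 's/ inet / inet6 /' -e 's/-> 127\.0\.0\.1 port/-> ::1 port/'
}

# missing_inet6_rules RULESET
# For each port flagged by ipv4_only_rdr_ports, prints the proposed inet6 rule
# derived from the existing inet rule for that port.
missing_inet6_rules() {
    ruleset=$1
    for p in $(ipv4_only_rdr_ports "$ruleset"); do
        printf '%s\n' "$ruleset" | grep "^rdr .* inet .* port = $p " | while IFS= read -r rule; do
            inet6_sibling "$rule"
        done
    done
}

# Run against the constructed sample; on a pfSense box use:
#   missing_inet6_rules "$(pfctl -sn)"
missing_inet6_rules "$SAMPLE_NAT_RULES"
```

Two caveats a practitioner should keep in mind. First, the script only finds the gap; it does not judge whether closing it is wise. As Jim Pingle notes in the quoted mail, an IPv6 intercept has no NAT in front of it, so once squid originates the upstream connection the client's source address is replaced by the firewall's unless a tproxy-style setup is used on both the squid and FreeBSD side. Second, an `inet6` rdr rule only matters if the matching `pass` rules and squid's listening sockets also accept IPv6; the pass rules quoted in the ticket carry no family keyword and so already apply to both families, but the proxy side still has to be checked separately.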
