Re: [squid-users] Protocol Unreachables????

From: Mark Eanes <Mark.Eanes@dont-contact.us>
Date: Fri, 19 Jul 2002 15:26:52 -0400

Your explanation is much clearer. Working on the ipchains redirect now. Will let you know when it is completed and tested.

Thank you very much!!

Mark

>>> Joe Cooper <joe@swelltech.com> 07/19/02 03:16PM >>>
You're misreading the FAQ, or the FAQ is not clear enough on this point.
Squid cannot do anything with packets that do not get to it. The
redirection still has to happen using iptables/ipchains, regardless of
your method of getting packets to the cache machine (i.e. WCCP, policy
routing, L4/L7, etc.).

Packets that arrive on the GRE interface (or GRE encapsulated on the eth
interface, if you're using ip_wccp) are decapsulated into normal
packets which are /still/ destined for the internet. Only the outer
packet is directed to the Squid machine, and once its 'shell' is
stripped off, the packet inside is what the client actually sent out.
So if your Squid machine can route the packets to the internet it will
do so, if it cannot it will reply with a destination unreachable. Most
likely a theoretical infinite loop will happen
(WCCP->cache->WCCP->cache...) and the router will stop those packets,
probably giving the response you're seeing. If instead of routing those
packets at the Squid box, you redirect them to a local port on which
Squid is listening, the loop is broken because Squid is a different IP
and the router knows not to redirect it and things will work as they should.

Mark Eanes wrote:
> WCCP module loaded with no errors.
>
> Looking at whether ipchains on the same box needs to be doing any
> redirection. Currently, all the rules are flushed until I get
> communications flowing properly. The FAQs and other listings seem
> to indicate that squid.conf handles the redirections from the router
> on httpd_accel_port and handles requests outbound on httpd_port. I'm
> re-reading FAQs once again to see if I've misunderstood.
>
> Mark
>
>
> >>> Henrik Nordstrom <hno@marasystems.com> 07/18/02 05:28PM >>>
> On Thursday 18 July 2002 18.26, Mark Eanes wrote:
>
>> Setting up a linux7.3 running 2.4S6 squid as a transparent proxy.
>> Have enabled wccp with Cisco router and, using ethereal, see the
>> initial communications for wccp (here i am/i see you/assign bucket)
>> with no problem.
>>
>> However, once the first packet is redirected, the squid box is
>> sending an ICMP Dest Unreach/Protocol Unreach message to the
>> router, effectively killing Internet access. Wccp is still talking
>> as I see other here i am/i see you messages.
>
>
> Have you loaded the required WCCP support in your Linux kernel?
>
> Either the ip_wccp module, or a patched GRE module with support for
> WCCP is needed. See the Squid FAQ.
>
> Regards Henrik
>
>

-- 
Joe Cooper <joe@swelltech.com>
Web caching appliances and support.
http://www.swelltech.com 
Received on Fri Jul 19 2002 - 13:27:32 MDT
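
The decapsulation and redirect decision described in Joe Cooper's reply, as an added example that is not part of the original thread or of Squid's code. The addresses, the local port 3128, the function names and the WCCP version 1 layout (inner IP packet directly after a 4-byte GRE header) are assumptions, and the sample packet is constructed.

```python
import socket
import struct

GRE_PROTO = 47          # IP protocol number for GRE
WCCP_GRE_TYPE = 0x883E  # GRE protocol type carried by WCCP redirects

def ipv4(src, dst, proto, payload):
    """Build a minimal 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, socket.inet_aton(src),
                       socket.inet_aton(dst)) + payload

def parse_ipv4(pkt):
    """Return (src, dst, protocol, payload) of an IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    return (socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]),
            pkt[9], pkt[ihl:])

def decapsulate(pkt):
    """Strip the outer IP + GRE 'shell'; return the packet the client sent."""
    _, _, proto, body = parse_ipv4(pkt)
    if proto != GRE_PROTO or len(body) < 4:
        raise ValueError("not a GRE packet")
    _flags, gre_type = struct.unpack("!HH", body[:4])
    if gre_type != WCCP_GRE_TYPE:
        raise ValueError("GRE payload is not a WCCP redirect")
    return body[4:]  # assumed WCCPv1 layout: inner IP right after GRE header

def disposition(pkt, cache_ip, redirect_port=None):
    """Model what the cache box does with the inner packet."""
    src, dst, proto, l4 = parse_ipv4(decapsulate(pkt))
    is_http = proto == 6 and len(l4) >= 4 and l4[2:4] == struct.pack("!H", 80)
    if is_http and redirect_port is not None:
        return ("REDIRECT", f"{cache_ip}:{redirect_port}")  # handed to Squid
    if dst == cache_ip:
        return ("LOCAL", dst)
    return ("FORWARD", dst)  # routed back out; the router can redirect again

# Constructed sample: client 10.0.0.5 requests 192.0.2.80:80 and the router
# (10.0.0.1) wraps that packet in GRE addressed to the cache (10.0.0.2).
_tcp = struct.pack("!HHIIHHHH", 40000, 80, 0, 0, 0x5002, 8192, 0, 0)
_inner = ipv4("10.0.0.5", "192.0.2.80", 6, _tcp)
SAMPLE = ipv4("10.0.0.1", "10.0.0.2", GRE_PROTO,
              struct.pack("!HH", 0, WCCP_GRE_TYPE) + _inner)

if __name__ == "__main__":
    print("outer dst:", parse_ipv4(SAMPLE)[1])
    print("inner dst:", parse_ipv4(decapsulate(SAMPLE))[1])
    print("no rule  :", disposition(SAMPLE, "10.0.0.2"))
    print("redirect :", disposition(SAMPLE, "10.0.0.2", 3128))
```

Only the outer header names the cache; without a redirect rule the inner packet is still addressed to the origin server and gets forwarded.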
