Moser, Stefan (SIDB) wrote:
> Hi,
>
> we are testing with squid, latest beta, in a dual-stack
> configuration:
>
> squid is running on SLES 11. Server has 1 interface card only,
> configured with an IPv4 and IPv6 address, both running on standard
> 3128 port. Server has true, native IPv4 and IPv6 internet
> connectivity (no IPv6 tunnel broker, etc.). I have applied "IPv6
> magic ACLs" as described in
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address. Client
> (latest Internet Explorer and Firefox) talks to squid via IPv4 and
> IPv6 transport (that means, I enter an IPv4- or IPv6- address in
> browser's connection settings).
>
>
> Now, what DOES work, is the following:
>
> 1. IPv4 transport from browser to squid, squid can access an IPv4
>    only internet site (site has an A record only in DNS)
> 2. IPv4 transport from browser to squid, squid accesses an IPv6 only
>    internet site (site has an AAAA record only in DNS)
> 3. IPv6 transport from browser to squid, squid accesses an IPv4 only
>    internet site (site has an A record only in DNS)
> 4. IPv6 transport from browser to squid, squid accesses an IPv6 only
>    internet site (site has an AAAA record only in DNS)
>
> So far, so good, this IPv4 / IPv6 bridging obviously works.
>
> Now, what does NOT work, is:
>
> 1. IPv4 transport from browser to squid, squid CANNOT access an
>    IPv4/IPv6 internet site (that means, a site that has both A and
>    AAAA in DNS and that is reachable via IPv6 and IPv4)
> 2. IPv6 transport from browser to squid, squid CANNOT access an
>    IPv4/IPv6 internet site (that means, a site that has both A and
>    AAAA in DNS and that is reachable via IPv6 and IPv4)
>
> The cache log says (true IPv4 address removed for privacy reasons):
>
> 2009/10/28 15:59:46| commBind: Cannot bind socket FD 10 to <IPv4 address from my providers range>: (22) Invalid argument
> 2009/10/28 15:59:46| WARNING: Reset of FD 10 for <IPv4 address from my providers range>:failed to bind: (22) Invalid argument
>
>
> Has everybody encountered the same problem?

Yes. The magic is not complete and has a point of failure.

FWIW, crossover works perfectly for me without tcp_outgoing_addr.

tcp_outgoing_addr is a "fast" category access control and cannot do the
dst lookup on its own. The destination IP address needs to be forced by
something earlier (http_access) for the magic to work.

I'm working on a few ways to fix this. But for now try adding
"http_access allow to_ipv6 !to_ipv6" to your config.

Amos
-- 
Please be using
  Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
  Current Beta Squid 3.1.0.14

Received on Fri Oct 30 2009 - 00:33:59 MDT
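
The workaround from the reply shown in context, as an added squid.conf sketch that is not part of the original thread or of the Squid documentation. The two outgoing addresses are constructed placeholders from the documentation ranges, and the placement relative to the site's other http_access rules is an assumption.

```conf
# Added illustration. Addresses below are placeholders (2001:db8::/32 and
# 192.0.2.0/24 are reserved for documentation); substitute the proxy's own.

# Matches when the request's destination resolves to an IPv6 address.
acl to_ipv6 dst ipv6

# Workaround quoted from the reply. "to_ipv6 AND NOT to_ipv6" is a
# contradiction, so this line can never match and grants no access.
# Its only effect is that http_access evaluates the dst ACL, which forces
# the destination lookup that tcp_outgoing_address cannot do by itself.
# Assumption: it sits above the first http_access rule that would match
# the request, because http_access stops at the first matching line.
http_access allow to_ipv6 !to_ipv6

# ... the site's real http_access allow/deny rules go here, unchanged ...

# Pick the outgoing address by destination family, so an IPv4 source
# address is only bound for IPv4 destinations and vice versa.
tcp_outgoing_address 2001:db8::1 to_ipv6
tcp_outgoing_address 192.0.2.1 !to_ipv6
```

After a reconfigure, a request for a site with both A and AAAA records should no longer produce the commBind "Invalid argument" lines in cache.log if the workaround has taken effect.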