AW: [squid-users] Problem with IPv6 config when destination is dual-stacked (but everything works when destination is IPv4 or IPv6 only)

From: Moser, Stefan (SIDB) <stefan.moser_at_siemens.com>
Date: Tue, 3 Nov 2009 08:45:58 +0100

Amos, Henrik,

"http_access allow to_ipv6 !to_ipv6" did work, squid now seems to work as required and can access both single (IPv4 or IPv6) and dual-stack (IPv4 and IPv6) destinations.

I'm going to play with the configuration over the next few days and post a summary of my findings; this may be evolved by the community into a guideline for early IPv6 adopters of squid (although, as you have already written, some more discussion seems to be necessary).

Thanks for your help so far!

Stefan

-----Original Message-----
From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
Sent: Friday, 30 October 2009 01:34
To: Moser, Stefan (SIDB)
Cc: squid-users_at_squid-cache.org
Subject: Re: [squid-users] Problem with IPv6 config when destination is dual-stacked (but everything works when destination is IPv4 or IPv6 only)

Moser, Stefan (SIDB) wrote:
> Hi,
>
> we are testing with squid, latest beta, in a dual-stack
> configuration:
>
> squid is running on SLES 11. Server has 1 interface card only,
> configured with an IPv4 and IPv6 address, both running on standard
> 3128 port. Server has true, native IPv4 and IPv6 internet
> connectivity (no IPv6 tunnel broker, etc.). I have applied "IPv6
> magic ACLs" as described in
> http://www.squid-cache.org/Doc/config/tcp_outgoing_address. Client
> (latest Internet Explorer and Firefox) talks to squid via IPv4 and
> IPv6 transport (that means, I enter an IPv4- or IPv6- address in
> browser's connection settings).
>
>
> Now, what DOES work, is the following:
>
> 1. IPv4 transport from browser to squid, squid can access an IPv4
>    only internet site (site has an A record only in DNS)
> 2. IPv4 transport from browser to squid, squid accesses an IPv6 only
>    internet site (site has an AAAA record only in DNS)
> 3. IPv6 transport from browser to squid, squid accesses an IPv4 only
>    internet site (site has an A record only in DNS)
> 4. IPv6 transport from browser to squid, squid accesses an IPv6 only
>    internet site (site has an AAAA record only in DNS)
>
> So far, so good, this IPv4 / IPv6 bridging obviously works.
>
> Now, what does NOT work, is:
>
> 1. IPv4 transport from browser to squid, squid CANNOT access an
>    IPv4/IPv6 internet site (that means, a site that has both A and
>    AAAA in DNS and that is reachable via IPv6 and IPv4)
> 2. IPv6 transport from browser to squid, squid CANNOT access an
>    IPv4/IPv6 internet site (that means, a site that has both A and
>    AAAA in DNS and that is reachable via IPv6 and IPv4)
>
> The cache log says (true IPv4 address removed for privacy reasons):
>
> 2009/10/28 15:59:46| commBind: Cannot bind socket FD 10 to <IPv4 address from my providers range>: (22) Invalid argument
> 2009/10/28 15:59:46| WARNING: Reset of FD 10 for <IPv4 address from my providers range>:failed to bind: (22) Invalid argument
>
>
> Has everybody encountered the same problem?

Yes. The magic is not complete and has a point of failure.

FWIW, crossover works perfectly for me without tcp_outgoing_addr.

tcp_outgoing_addr is a "fast" category access control and cannot do the
dst lookup on its own. The destination IP address needs to be forced by
something earlier (http_access) for the magic to work.

I'm working on a few ways to fix this. But for now try adding
"http_access allow to_ipv6 !to_ipv6" to your config.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE19
   Current Beta Squid 3.1.0.14
Received on Tue Nov 03 2009 - 07:46:08 MST
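
A check for the condition described in the reply above, as an added example that is not code from the thread's participants or from the Squid project: it reports `dst` ACLs that `tcp_outgoing_address` relies on but that no `http_access` rule tests first. The function name, the `localnet` ACL and the documentation-range addresses are constructed for illustration; only `to_ipv6` and the workaround line come from the thread.

```python
# Constructed squid.conf fragment: addresses are documentation-range
# placeholders and localnet is an assumed ACL; to_ipv6 follows the thread.
BROKEN = """\
acl to_ipv6 dst ipv6
acl localnet src 192.0.2.0/24
http_access allow localnet
http_access deny all
tcp_outgoing_address 2001:db8::10 to_ipv6
tcp_outgoing_address 192.0.2.10 !to_ipv6
"""

# Same fragment with the workaround from the thread placed first. The rule
# pairs an ACL with its own negation, so it can never match and grants no
# access; it only makes http_access evaluate the dst ACL.
FIXED = BROKEN.replace(
    "http_access allow localnet",
    "http_access allow to_ipv6 !to_ipv6\nhttp_access allow localnet", 1)


def unforced_dst_acls(conf):
    """Return dst ACLs used by tcp_outgoing_address that no http_access
    rule tests as its first ACL."""
    dst_acls, forced, used = set(), set(), set()
    for raw in conf.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) < 3:
            continue
        directive, args = tokens[0], tokens[1:]
        if directive == "acl" and args[1] == "dst":
            dst_acls.add(args[0])
        elif directive == "http_access":
            # args[0] is allow/deny. ACLs on a line are tested left to
            # right, so only the first one is certain to be evaluated.
            forced.add(args[1].lstrip("!"))
        elif directive == "tcp_outgoing_address":
            # args[0] is the address; the rest are ACL names.
            used.update(a.lstrip("!") for a in args[1:])
    return sorted((used & dst_acls) - forced)


if __name__ == "__main__":
    print("before:", unforced_dst_acls(BROKEN))
    print("after: ", unforced_dst_acls(FIXED))
```

The check does not model rule order: `http_access` stops at the first matching rule, so the forcing line has to sit ahead of any rule that could match the request first.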
