Re: [squid-users] IPv6 + Intercept proxy

From: Amos Jeffries <>
Date: Wed, 23 Oct 2013 17:14:00 +1300

On 23/10/2013 12:21 a.m., Mike Cardwell wrote:
> "NAT simply does not exist in IPv6. By Design."
> This is no longer true as of Linux 3.7 + IPTables 1.4.17.
> I wanted to introduce a transparent caching web proxy on my network,
> however most of my clients are dual IP stack. As it stands, if I use
> Squid, whenever those clients connect to an IPv6 address instead of
> an IPv4 address, they will bypass the caching proxy.
> Is there a plan to make the "intercept" argument to "http_port" work
> with IPv6?
> P.S. Sorry if this email comes through twice. I sent it from the wrong
> address last time.

Couple of things...

  For starters NAT has never been "transparent proxy". NAT is the lazy
admins replacement, using the proxy IP on outbound to avoid having to
setup proper routing rules.
For the real Transparent Proxy use TPROXY interception ("TPROXY" being
an abbreviation of "transparent proxy"

  TPROXY in Squid has aways supported IPv6 traffic interception. There
is no need to be waiting for NAT.

  Also, TPROXY functionality has been extended slightly in Squid-3.4 to
allow non-spoofed outgoing ..... identical to NAT behaviour but without
several of the NAT-specific problems.

  And finally, support for NATv6 via the new Linux 3.7 abilities and
also PF divert on some versions of BSD has been added in squid-3.4.

Received on Wed Oct 23 2013 - 04:14:10 MDT

This archive was generated by hypermail 2.2.0 : Wed Oct 23 2013 - 12:00:06 MDT