Re: [squid-users] Ubuntu Server 13.10. Squid 3.3.8. WARNING: external ACL 'memberof' queue overload

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 14 Nov 2013 14:42:40 +1300

On 2013-11-14 11:29, Eliezer Croitoru wrote:

Eliezer, two pieces of information that should get you back on track
with understanding this one:

1) The connection between Squid and external_acl_type helpers uses TCP.

2) Preventing the kernel assigning IPv6 addresses to its NIC does not
actually disable IPv6 inside the kernel.

The situation of (2) means that Squid, and other software, is still able
to open IPv6 sockets but nothing goes bad until traffic is sent over
those sockets. As a result the helper is started successfully on IPv6
connection, then the first actual use of the helper breaks.
Alternatively, starting the helper with an explicit IPv6 (::1) breaks on
setup.
When this kind of problem happens over normal client/server connections
Squid has logic to failover and open new connections on other IPs
(such as IPv4). But the helper API has no such backup connections
possible.

The easy solution is to configure that ipv4 flag on external_acl_type.
The more difficult solution is to fully disable the kernel IPv6 module
from loading. The *right* solution is to configure IPv6 properly on the
machine as working with correct firewall rules to make it obey the local
traffic policies (even if that policy is "no IPv6 packets to leave the
machine").

Amos
Received on Thu Nov 14 2013 - 01:42:33 MST
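
An added example, not part of the message above and not Squid project code: a Python check for the two conditions the reply describes, namely whether the host is in the state where IPv6 sockets open but `::1` is unusable, and which `external_acl_type` lines lack the `ipv4` flag. The sample configuration, helper paths and function names are constructed for illustration.

```python
import socket

# Constructed sample squid.conf lines; helper paths are placeholders.
SAMPLE_CONF = """\
# group lookup helper
external_acl_type memberof ttl=300 %LOGIN /path/to/group_helper
external_acl_type geo ipv4 children-max=5 %SRC /path/to/geo_helper
acl staff external memberof staff
"""

def helpers_without_ipv4(conf_text):
    """Return names of external_acl_type helpers lacking the ipv4 option."""
    missing = []
    for line in conf_text.splitlines():
        tokens = line.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "external_acl_type":
            continue
        # Options sit between the helper name and the first %FORMAT token.
        options = []
        for tok in tokens[2:]:
            if tok.startswith("%"):
                break
            options.append(tok)
        if "ipv4" not in options:
            missing.append(tokens[1])
    return missing

def ipv6_loopback_state():
    """Classify the host: 'no-socket', 'socket-only' (point 2) or 'usable'."""
    try:
        s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
    except OSError:
        return "no-socket"      # IPv6 really is unavailable to applications
    try:
        s.bind(("::1", 0))      # needs ::1 actually assigned to loopback
        return "usable"
    except OSError:
        return "socket-only"    # socket opens, but nothing can use it
    finally:
        s.close()

if __name__ == "__main__":
    state = ipv6_loopback_state()
    print("IPv6 loopback state:", state)
    for name in helpers_without_ipv4(SAMPLE_CONF):
        risk = "at risk" if state == "socket-only" else "ok on this host"
        print(f"external_acl_type {name}: no ipv4 flag ({risk})")
```

To audit a real configuration, pass the contents of the local squid.conf to `helpers_without_ipv4` in place of the sample.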
