On 04/03/11 04:58, mbruell wrote:
Amos Jeffries-2 wrote:
On Wed, 2 Mar 2011 14:29:01 -0800 (PST), mbruell wrote:
Firewall policy grabs traffic from the client based on IP address,
and
forces it to our proxy through the wccp tunnel.
"based on IP address" is very bad. Working TPROXY traffic coming out of
squid will have the client IP address.
Manipulation of the traffic MUST use measures other than IP to
filter/route the traffic if both streams are possibly handled. The
easiest ways are to use interface name or machine MAC/EUI address on the
firewall and router. Packet MARKs, TOS or VPN marks are also available,
but more complex to handle.
Okay - though I thought our wccp tunnel was taking care of that. The
firewall rule that grabs the machine's IP traffic only does so on the
interface facing the client. Once it's been grabbed, it's getting sent down
the gre tunnel.
Okay. Good.
The following error crops up after about a minute of launching squid,
and
repeats every 10 sec:
Unknown record type in WCCPv2 Packet (6)
Is this error meaningful?
Nope. There is a patch to silence it here:
http://bugs.squid-cache.org/show_bug.cgi?id=3122
Amos Jeffries-2 wrote:
This is NAT interception, not TPROXY interception.
The two are not compatible. NAT being obsoleted by TPROXY. Remove this
rule.
Okay - I removed the rule, but there are still some other issues (it's still
not working).
So are the ip rules in mangle table all that is needed here?
Yes.
Amos Jeffries-2 wrote:
Since you have a mixup with NAT/TPROXY earlier also check that your
http_port 3129 line only has the "tproxy" flag on it.
Double checked this - it was not misconfigured.
Should we be seeing traffic on the lo interface when it's all working
correctly? The packet count on lo is very low, and doesn't change when
trying to proxy the traffic.
Okay, try adding the special route table to eth0 as well. If that still
fails try adding it to wccp0.
I'd like to know the results here. It works on lo for some but seems
not everyone, though I have not yet had concrete confirmation that it
matters.
Also - it looks like the tunnel is sending the traffic to the computer
running squid (wccp rx = 3.7 KB, but tx = o), but it's not getting anything
back from it to send to the client.
looks that way yes.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.11
Beta testers wanted for 3.2.0.5
