IPv6 TPROXY and ICMP Messages



I've been slowly trying to get this fixed for a few years now... I had my system set up to use Squid + TPROXY using IPv6, and it was working great.


However, a couple of years ago, it simply stopped working, and I’ve been trying to figure out why ever since.


When I try to use IPv6+TPROXY+Squid, most sites simply “hang” and never load. (TPROXY+IPv4 works fine)


I'm running Debian Sid, Shorewall6 5.0.15.6, and Squid 3.5.23. My ISP provides native IPv6 (Comcast).


I have Squid configured to accept TPROXY on port 3129, and configured clients on port 3128.


The best description (and command to reproduce the error) comes from test-IPv6.com (they suggest a curl command at http://test-ipv6.com/faq_pmtud.html).


Non-TPROXY connections work fine: Disabling TPROXY, or manually configuring the host to use a proxy @ proxy-hostname:3128 are both fine.


When I use TPROXY, there are issues with path MTU detection from the internet to my clients.


When I try the test URL to test-ipv6.com from a client inside the network, and check the packet dump using the following:


$ sudo tcpdump '(ip6 and icmp6 and ip6[40] = 2) or (ip6 and tcp port 80)' 


I see messages along the lines of:


<timestamp> IP6 {remote addr} > {my IPv6 addr}: ICMP6, packet too big, MTU 1280, length 1240


Otherwise, the connection is silent - the curl command doesn’t succeed. (It has no problems succeeding if I set http_proxy, or disable TPROXY).


Is it an issue with my firewall, is there an issue in Linux TPROXY support, is it Squid? I’m not sure.


“shorewall6 show | grep -i icmp” shows the expected allow for ICMP (I’m showing only the type2 “packet too big” — but there are the rest suggested in RFC4890)


    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2 /* Needed ICMP types (RFC4890) */


I’m fairly sure that the firewall is configured to pass the ICMPv6 messages from any interface to any interface - Clients inside the network are definitely seeing “packet too big” messages.


So is there something in Squid which could be causing my path MTU issues? Is there anything I can do to eliminate Squid as a source of error?


Thanks.

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
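
The tcpdump line in the message above only prints the outer addresses and the MTU of each "packet too big" report. As an added example (not part of the original message), this Python sketch decodes such a packet and also pulls out the quoted inner header, so the report can be matched to the TCP flow whose packet was too large. It assumes no IPv6 extension headers, the same assumption the `ip6[40] = 2` filter makes; the addresses and ports are constructed values from the 2001:db8::/32 documentation prefix.

```python
import ipaddress
import struct

ICMPV6, TCP, PACKET_TOO_BIG = 58, 6, 2

def ipv6_header(src, dst, next_header, payload_len):
    """Build a minimal 40-byte IPv6 header (helper for the constructed sample)."""
    return (struct.pack("!IHBB", 6 << 28, payload_len, next_header, 64)
            + ipaddress.IPv6Address(src).packed
            + ipaddress.IPv6Address(dst).packed)

def parse_ptb(packet):
    """Return details of an ICMPv6 Packet Too Big message, else None.

    Mirrors the capture filter "ip6[40] = 2": byte 40 is the ICMPv6 type
    only when the IPv6 next-header field is 58 (no extension headers).
    """
    if len(packet) < 48 or packet[0] >> 4 != 6:
        return None
    if packet[6] != ICMPV6 or packet[40] != PACKET_TOO_BIG:
        return None
    info = {
        "reporter": str(ipaddress.IPv6Address(packet[8:24])),
        "sent_to": str(ipaddress.IPv6Address(packet[24:40])),
        "mtu": struct.unpack("!I", packet[44:48])[0],
    }
    inner = packet[48:]  # start of the packet that was too big
    if len(inner) >= 40:
        info["flow_src"] = str(ipaddress.IPv6Address(inner[8:24]))
        info["flow_dst"] = str(ipaddress.IPv6Address(inner[24:40]))
        if inner[6] == TCP and len(inner) >= 44:
            info["sport"], info["dport"] = struct.unpack("!HH", inner[40:44])
    return info

def sample_ptb():
    """Constructed sample: MTU 1280 report quoting a TCP segment to port 80."""
    tcp = struct.pack("!HH", 40000, 80) + bytes(16)
    inner = ipv6_header("2001:db8:1::10", "2001:db8:2::80", TCP, 1440) + tcp
    icmp = struct.pack("!BBHI", PACKET_TOO_BIG, 0, 0, 1280) + inner  # checksum not computed
    return ipv6_header("2001:db8:ffff::1", "2001:db8:1::10", ICMPV6, len(icmp)) + icmp

if __name__ == "__main__":
    for key, value in parse_ptb(sample_ptb()).items():
        print(f"{key:9} {value}")
```

Comparing `sent_to` with `flow_src` and `flow_dst` shows which host is being told to lower its MTU and for which connection.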
