The detection of an IPv6-available DST can be determined by DNS and an external ACL helper.
It will “slow” down the first couple of bytes of the connection but can be much more reliable than the basic “dst” acl.
The basic test would be something like:
nslookup -type=aaaa www.squid-cache.org -timeout=10 |grep -v '#53'|grep Address:|wc -l
If the wc -l gt 0 then try to use IPv6.
I believe it’s pretty simple and the main issue is if a service advertises an unreachable IPv6 address.
It can be either because of network misconfiguration or FW or misconfigured DNS.
I have seen all of the above happen in production services in the last year.
I can write a helper for this if required.
Eliezer
----
Eliezer Croitoru
Tech Support
The dst ACL type accepts the special value of "ipv4". You can use that and the "!" operator to split traffic.
However, please be aware dst is not very reliable until *after* the outgoing connection has been created, and we are still finding some access checks that do not use it correctly. YMMV.
-------- Original message --------
From: "Walter H."
Date: Tue, 12 Jan 2021, 03:19
Hello,
Is there a way that I can do something like
if ( dst is IPv4 ) go direct
if ( dst is IPv6 ) use parent proxy xxx
The reason for my question: I'm using an IPv6-in-IPv4 tunnel, and it would make sense to forward all traffic going to IPv6 to squid running on the tunnel end.
Thanks,
Walter
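
The AAAA lookup suggested in the top reply, sketched as a Squid external ACL helper. This is an added example, not code from the thread: the helper path, the ACL names and the optional `probe` hook (which drops AAAA records that cannot be reached, the failure mode described above) are assumptions.

```python
# Added example. Assumed squid.conf wiring (helper path and ACL names are hypothetical):
#   external_acl_type has_v6 ttl=300 %DST /usr/local/bin/has_aaaa.py
#   acl dst_has_v6 external has_v6
import ipaddress
import socket
import sys

def resolve_aaaa(host):
    """Return the IPv6 addresses the system resolver reports for host."""
    try:
        infos = socket.getaddrinfo(host, None, socket.AF_INET6, socket.SOCK_STREAM)
    except (socket.gaierror, UnicodeError):
        return []
    return sorted({info[4][0] for info in infos})

def tcp_probe(addr, port=443, timeout=3.0):
    """Optional guard for AAAA records that are advertised but unreachable."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return True
    except OSError:
        return False

def answer(line, resolver=resolve_aaaa, probe=None):
    """Map one request line (the %DST value) to a helper reply."""
    fields = line.split()
    if not fields:
        return "BH"  # malformed request: tell Squid the helper could not decide
    host = fields[0].strip("[]")
    try:
        # Literal addresses need no DNS: IPv6 literal passes, IPv4 literal fails.
        addrs = [host] if ipaddress.ip_address(host).version == 6 else []
    except ValueError:
        addrs = resolver(host)
    if probe is not None:
        addrs = [a for a in addrs if probe(a)]
    return "OK" if addrs else "ERR"

def main():
    for line in sys.stdin:
        sys.stdout.write(answer(line) + "\n")
        sys.stdout.flush()  # Squid blocks on each reply, so never buffer

if __name__ == "__main__":
    main()
```

Passing `probe=tcp_probe` to `answer` trades an extra connection attempt per lookup for protection against destinations whose AAAA record points nowhere.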