Re: AW: [squid-users] Problem with IPv6 config when destination is dual-stacked (but everything works when destination is IPv4 or IPv6 only)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 03 Nov 2009 21:09:41 +1300

Moser, Stefan (SIDB) wrote:
> Amos, Henrik,
>
> "http_access allow to_ipv6 !to_ipv6" did work, squid now seems to work as required and can access both single (IPv4 or IPv6) and dual-stack (IPv4 and IPv6) destinations.
>
> I'm going to play with the configuration within the next days and post a summary of my findings, this may be evolved by the community into a guideline for early IPv6 adaptors of squid (although, as you already have written, some more discussion seems to be necessary).
>
>
> Thanks for your help so far!
>
>
> Stefan
>

Thanks for testing.

I'm going to add a small hack to Squid over the next few days to get
around the need for this extra config hack and a few other problems with
the dst ACL.

If you would like to do some more testing that will be of immediate
benefit...

  a few people have reported Squid-3.1 failing to drop back to IPv4 and
just returning "connection timeout" or "unable to connect" error pages.

I'm fairly suspicious that it has something to do with the various
timeout settings being too short for forwarding+failover operations. Any
more testing in this area to deny or confirm and narrow things down to
which setting(s) would be a great help.

Amos

> -----Original Message-----
> From: Amos Jeffries [mailto:squid3_at_treenet.co.nz]
> Sent: Friday, 30 October 2009 01:34
> To: Moser, Stefan (SIDB)
> Cc: squid-users_at_squid-cache.org
> Subject: Re: [squid-users] Problem with IPv6 config when destination is dual-stacked (but everything works when destination is IPv4 or IPv6 only)
>
> Moser, Stefan (SIDB) wrote:
>> Hi,
>>
>> we are testing with squid, latest beta, in a dual-stack
>> configuration:
>>
>> squid is running on SLES 11. Server has 1 interface card only,
>> configured with an IPv4 and IPv6 address, both running on standard
>> 3128 port. Server has true, native IPv4 and IPv6 internet
>> connectivity (no IPv6 tunnel broker, etc.). I have applied "IPv6
>> magic ACLs" as described in
>> http://www.squid-cache.org/Doc/config/tcp_outgoing_address. Client
>> (latest Internet Explorer and Firefox) talks to squid via IPv4 and
>> IPv6 transport (that means, I enter an IPv4- or IPv6- address in
>> browser's connection settings).
>>
>>
>> Now, what DOES work, is the following:
>>
>> 1. IPv4 transport from browser to squid, squid can access an IPv4
>>    only internet site (site has an A record only in DNS)
>> 2. IPv4 transport from browser to squid, squid accesses an IPv6 only
>>    internet site (site has an AAAA record only in DNS)
>> 3. IPv6 transport from browser to squid, squid accesses an IPv4 only
>>    internet site (site has an A record only in DNS)
>> 4. IPv6 transport from browser to squid, squid accesses an IPv6 only
>>    internet site (site has an AAAA record only in DNS)
>>
>> So far, so good, this IPv4 / IPv6 bridging obviously works.
>>
>> Now, what does NOT work, is:
>>
>> 1. IPv4 transport from browser to squid, squid CANNOT access an
>>    IPv4/IPv6 internet site (that means, a site that has both A and AAAA
>>    in DNS and that is reachable via IPv6 and IPv4)
>> 2. IPv6 transport from browser to squid, squid CANNOT access an
>>    IPv4/IPv6 internet site (that means, a site that has both A and AAAA
>>    in DNS and that is reachable via IPv6 and IPv4)
>>
>> The cache log says (true IPv4 address removed for privacy reasons):
>>
>> 2009/10/28 15:59:46| commBind: Cannot bind socket FD 10 to <IPv4 address from my providers range>: (22) Invalid argument
>> 2009/10/28 15:59:46| WARNING: Reset of FD 10 for <IPv4 address from my providers range>:failed to bind: (22) Invalid argument
>>
>>
>> Has everybody encountered the same problem?
>
> Yes. The magic is not complete and has a point of failure.
>
> FWIW, crossover works perfectly for me without tcp_outgoing_addr.
>
> tcp_outgoing_addr is a "fast" category access control and cannot do the
> dst lookup on its own. The destination IP address needs to be forced by
> something earlier (http_access) for the magic to work.
>
> I'm working on a few ways to fix this. But for now try adding
> "http_access allow to_ipv6 !to_ipv6" to your config.
>
> Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE7 or 3.0.STABLE20
   Current Beta Squid 3.1.0.14
Received on Tue Nov 03 2009 - 08:10:00 MST
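
The workaround discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from the Squid project: a small lint that reports `dst` ACLs used by `tcp_outgoing_address` but never referenced by any `http_access` line. The function name, the sample configs, the `localnet` ACL and the documentation-range addresses are constructed for illustration.

```python
# Added example: lint a squid.conf for the failure mode described in this thread.
# tcp_outgoing_address is a "fast" access control and cannot do the dst lookup
# itself, so a dst ACL used there must also appear in an http_access line.

# Constructed sample config; addresses are documentation ranges, not real hosts.
SAMPLE_BROKEN = """\
acl localnet src 192.0.2.0/24
acl to_ipv6 dst ipv6          # ACL from the tcp_outgoing_address documentation
http_access allow localnet
tcp_outgoing_address 2001:db8::1 to_ipv6
tcp_outgoing_address 192.0.2.1 !to_ipv6
"""

# Same config with the workaround line from the thread added.
SAMPLE_FIXED = SAMPLE_BROKEN.replace(
    "http_access allow localnet",
    "http_access allow to_ipv6 !to_ipv6\nhttp_access allow localnet",
)


def parse(conf_text):
    """Yield (directive, args) for each non-empty, non-comment config line."""
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if tokens:
            yield tokens[0], tokens[1:]


def unforced_dst_acls(conf_text):
    """Return dst ACL names used by tcp_outgoing_address but by no http_access line."""
    lines = list(parse(conf_text))
    dst_acls = {a[0] for d, a in lines
                if d == "acl" and len(a) >= 2 and a[1] == "dst"}
    # args[0] of http_access is allow/deny; the rest are ACL names, maybe negated.
    forced = {n.lstrip("!") for d, a in lines
              if d == "http_access" for n in a[1:]}
    # args[0] of tcp_outgoing_address is the address; the rest are ACL names.
    used = [n.lstrip("!") for d, a in lines
            if d == "tcp_outgoing_address" for n in a[1:]]
    return sorted({n for n in used if n in dst_acls and n not in forced})


if __name__ == "__main__":
    print("broken:", unforced_dst_acls(SAMPLE_BROKEN))
    print("fixed: ", unforced_dst_acls(SAMPLE_FIXED))
```

The lint checks only that the ACL is referenced somewhere in `http_access`; it does not check the order of the `http_access` lines.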
