IP_FREEBIND or IP_TRANSPARENT support?

IP_FREEBIND or IP_TRANSPARENT support?

xpro6000
If one were to assign a whole /64 block of IPv6 IPs to a NIC on Linux then they would use the "ip route add local" method instead of adding each IP in the /etc/network/interfaces file.

From the testing I have done, the IPs that were assigned with "ip route add local" don't work with Squid, and the main reason for this is that Squid does not use the IP_FREEBIND or IP_TRANSPARENT option on the socket connection.

You can read more about it here

https://serverfault.com/a/591435/141509

Is there any option in the config file that enables this option?

_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: IP_FREEBIND or IP_TRANSPARENT support?

Eliezer Croitoru
On what OS? (since it does support it)
But if you just need a NAT proxy then it's another story.

Eliezer

----
http://ngtech.co.il/lmgtfy/
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]


From: squid-users [mailto:[hidden email]] On Behalf Of xpro6000
Sent: Monday, October 2, 2017 21:44
To: [hidden email]
Subject: [squid-users] IP_FREEBIND or IP_TRANSPARENT support?


Re: IP_FREEBIND or IP_TRANSPARENT support?

Amos Jeffries
On 03/10/17 07:44, xpro6000 wrote:
> If one were to assign a whole /64 block of IPv6 IPs to a NIC on Linux
> then they would use the "ip route add local" method instead of adding
> each IP in the /etc/network/interfaces file.
>
> From the testing I have done the IPs that were assigned with the "ip
> route add local" don't work with Squid and the main reason for this is
> because Squid does not use IP_FREEBIND or IP_TRANSPARENT option on the
> socket connection.


Any machine can be set up to *route* traffic (ip route add ...). That is
a very different proposition to assigning those IPs as belonging to that
machine (ip addr add ...).

IP_TRANSPARENT is the spoofing part of the TPROXYv4 feature and is used
by Squid when TPROXY is set up.


>
> You can read more about it here
>
> https://serverfault.com/a/591435/141509
>

That whole SF entry is all kinds of mixed up. It is basically saying
that to "assign a whole range" one has to *spoof* the IPs in that range.
Which is a very wrong thing to do.

The list of 'ip addr add' settings in the original interfaces file is
correct for what the person was wanting (and you?), though I'm not sure
if there is another place to do them. I do the same but in a trigger
script called from the interfaces file instead of listing them all in
that file directly.

>
> Is there any option in the config file that enables this option?
>

Not for Squid.

Squid prefers the OS to select the IP which is used, though for a small
number of IPs you can use tcp_outgoing_addr to tell the OS that any
specific one of the set *assigned* to the machine should be used on
server connections.

Amos
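The kernel rule behind Amos's distinction between routing an address and owning it can be observed directly. The following Python probe is an added example for this thread, not Squid code and not something any poster supplied: it binds a TCP socket to a constructed, unassigned address (192.0.2.1 from the RFC 5737 documentation range) first without and then with IP_FREEBIND, and separately checks whether the process is even allowed to enable IP_TRANSPARENT. The fallback option numbers 15 and 19 are the Linux values from <linux/in.h> and are an assumption for non-Linux hosts.

```python
import errno
import socket
import sys

# Option numbers from <linux/in.h>, used as fallbacks because not every Python
# release exports them as socket.* constants (assumption: Linux values).
IP_FREEBIND = getattr(socket, "IP_FREEBIND", 15)
IP_TRANSPARENT = getattr(socket, "IP_TRANSPARENT", 19)
IS_LINUX = sys.platform.startswith("linux")

# Constructed sample: an RFC 5737 documentation address that is assigned to
# no interface on this host (the situation of an "ip route add local" range).
UNASSIGNED_ADDR = "192.0.2.1"


def try_bind(addr, freebind=False):
    """Bind a TCP socket to addr on an ephemeral port.

    Returns "bound" on success, otherwise the errno name of the failure.
    Without IP_FREEBIND the kernel only accepts addresses that were assigned
    with "ip addr add"; an address that was merely routed with
    "ip route add local" fails with EADDRNOTAVAIL, which is the failure the
    original post saw with Squid.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        if freebind:
            s.setsockopt(socket.IPPROTO_IP, IP_FREEBIND, 1)
        s.bind((addr, 0))
        return "bound"
    except OSError as e:
        return errno.errorcode.get(e.errno, "errno=%s" % e.errno)
    finally:
        s.close()


def try_transparent():
    """Report whether this process may enable IP_TRANSPARENT.

    Unlike IP_FREEBIND, this option is privileged (CAP_NET_ADMIN per ip(7)),
    which is why Squid's TPROXY mode needs that capability at startup.
    Returns "set" on success or the errno name (EPERM when the capability is
    missing).
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.setsockopt(socket.IPPROTO_IP, IP_TRANSPARENT, 1)
        return "set"
    except OSError as e:
        return errno.errorcode.get(e.errno, "errno=%s" % e.errno)
    finally:
        s.close()


def probe(addr=UNASSIGNED_ADDR):
    """Run the three checks and return the outcomes as a dict."""
    return {
        "plain_bind": try_bind(addr),
        "freebind_bind": try_bind(addr, freebind=True),
        "transparent": try_transparent(),
    }


if __name__ == "__main__":
    for name, result in probe().items():
        print("%-14s %s" % (name, result))
```

On a Linux host this prints EADDRNOTAVAIL for the plain bind, "bound" for the IP_FREEBIND bind, and EPERM for IP_TRANSPARENT unless the process holds CAP_NET_ADMIN. That is exactly why tcp_outgoing_addr only works with addresses the machine *owns*: Squid hands the kernel a normal bind, and the kernel enforces the ownership rule.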

Re: IP_FREEBIND or IP_TRANSPARENT support?

Eliezer Croitoru
I have just started reading the SF post for the 10th time.
I really didn't understand what the requirement was and what or why FREEBIND was offered.

And Amos, in intercept\transparent mode there is no way to select the outgoing addresses but not for a tproxy setup.
Also I do not think that squid should handle a /64 for outgoing traffic based on non-automated\non-coded solution.

If tproxy does the job then why use a specific outgoing ip?
If it's for NAT then I can offer a "simple" solution to this whole thing but it involves haproxy proxy protocol.

We can use a tproxy listener\proxy\loadbalancer that will forward a "src" and a "destination" ip:port pair into a proxy protocol aware port.
Then the proxy aware protocol port will open a tproxy connection based on the source IP and whatever destination it will choose based on regular squid logic.
The LB proxy can loadbalance traffic over several "http_port ip:port ...options" to avoid the limit of ip::port->ip:port on lo.
The example would be something like:
http_port 127.0.0.2:13128
http_port 127.0.0.3:13128
http_port 127.0.0.4:13128
...

And the LB proxy will bind automatically (the OS choice...) the right ip:port that will be used for the connection between the LB proxy and the squid ip:port.

It will require Squid to support two things:
- To be able to parse and interpret PROXY protocol V2
- To be able to spoof the outgoing ip address using tproxy based on the PROXY protocol V2 supplied source address

What do you think Amos?
If there is some interest in such a thing then it would be pretty simple to craft.

Eliezer

----
Eliezer Croitoru
Linux System Administrator
Mobile: +972-5-28704261
Email: [hidden email]



-----Original Message-----
From: squid-users [mailto:[hidden email]] On Behalf Of Amos Jeffries
Sent: Tuesday, October 3, 2017 05:19
To: [hidden email]
Subject: Re: [squid-users] IP_FREEBIND or IP_TRANSPARENT support?


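The first of the two things Eliezer's proposal needs, parsing the PROXY protocol v2 header the load balancer would send, is where a proxy must be strict: the source address it reads is the address it would then spoof onto an outgoing TPROXY socket, so a half-parsed or malformed header must be rejected rather than trusted. The parser below is an added example written for this thread, not Squid's own implementation and not code from any poster. It implements the v2 wire format (12-byte signature, version/command byte, family/protocol byte, big-endian length, then the address block) for TCP over IPv4 and IPv6, and the sample header it parses is constructed inline with documentation addresses.

```python
import ipaddress
import struct

PP2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"
PP2_HEADER = struct.Struct("!12sBBH")  # signature, ver/cmd, fam/proto, length

# Address-block layouts for the transport families accepted here.
_ADDR_FMT = {
    0x11: struct.Struct("!4s4sHH"),    # TCP over IPv4: src, dst, sport, dport
    0x21: struct.Struct("!16s16sHH"),  # TCP over IPv6: src, dst, sport, dport
}


class ProxyHeaderError(ValueError):
    """Raised for any header that must not be acted upon."""


def parse_proxy_v2(buf):
    """Parse a PROXY protocol v2 header at the start of buf.

    Returns (info, consumed): info holds the client's src/dst addresses and
    ports (or {"command": "LOCAL"} for a health-check connection) and
    consumed is the number of bytes the header occupied, so the caller knows
    where the real request begins. Anything malformed raises
    ProxyHeaderError instead of yielding a partially parsed address.
    """
    if len(buf) < PP2_HEADER.size:
        raise ProxyHeaderError("short header")
    sig, ver_cmd, fam_proto, length = PP2_HEADER.unpack_from(buf)
    if sig != PP2_SIGNATURE:
        raise ProxyHeaderError("bad signature")
    if ver_cmd >> 4 != 2:
        raise ProxyHeaderError("unsupported version %d" % (ver_cmd >> 4))
    if len(buf) < PP2_HEADER.size + length:
        raise ProxyHeaderError("truncated address block")
    consumed = PP2_HEADER.size + length
    cmd = ver_cmd & 0x0F
    if cmd == 0:  # LOCAL: the connection comes from the proxy itself
        return {"command": "LOCAL"}, consumed
    if cmd != 1:
        raise ProxyHeaderError("unknown command %d" % cmd)
    fmt = _ADDR_FMT.get(fam_proto)
    if fmt is None:
        raise ProxyHeaderError("unsupported family/protocol 0x%02x" % fam_proto)
    if length < fmt.size:  # extra bytes beyond fmt.size would be TLVs
        raise ProxyHeaderError("address block shorter than family requires")
    src, dst, sport, dport = fmt.unpack_from(buf, PP2_HEADER.size)
    info = {
        "command": "PROXY",
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "src_port": sport,
        "dst_port": dport,
    }
    return info, consumed


def build_proxy_v2(src, dst, sport, dport):
    """Build a v2 PROXY header; used here only to construct sample input."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version != d.version:
        raise ValueError("address families differ")
    fam = 0x11 if s.version == 4 else 0x21
    body = _ADDR_FMT[fam].pack(s.packed, d.packed, sport, dport)
    return PP2_HEADER.pack(PP2_SIGNATURE, 0x21, fam, len(body)) + body


def is_malformed(buf):
    """True if parse_proxy_v2 would reject buf."""
    try:
        parse_proxy_v2(buf)
        return False
    except ProxyHeaderError:
        return True


# Constructed sample: an IPv6 client on a documentation prefix, followed by
# the first bytes of the HTTP request the load balancer forwarded.
SAMPLE = build_proxy_v2("2001:db8::1", "2001:db8::2", 40000, 443)
SAMPLE += b"GET / HTTP/1.1\r\n"

if __name__ == "__main__":
    info, n = parse_proxy_v2(SAMPLE)
    print(info, "request starts at byte", n)
    print("truncated header rejected:", is_malformed(SAMPLE[:30]))
```

The parsed "src" is what the proposal would hand to a TPROXY outgoing socket; the parser's job is to make sure that value only ever comes from a complete, correctly signed header, and that the port listening for these headers is reachable solely from the load balancer.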