IPv6 TPROXY and ICMP Messages


IPv6 TPROXY and ICMP Messages

Troy Telford

I've been slowly trying to get this fixed for a few years now... I had my system set up to use Squid + TPROXY using IPv6, and it was working great.


However, a couple of years ago, it simply stopped working, and I’ve been trying to figure out why ever since.


When I try to use IPv6+TPROXY+Squid, most sites simply “hang” and never load. (TPROXY+IPv4 works fine)


I'm running Debian Sid, Shorewall6 5.0.15.6, and Squid 3.5.23. My ISP provides native IPv6 (Comcast).


I have Squid configured to accept TPROXY on port 3129, and configured clients on port 3128.


The best description (and command to reproduce the error) comes from test-IPv6.com (They suggest a curl command at http://test-ipv6.com/faq_pmtud.html)


Non-TPROXY connections work fine: Disabling TPROXY, or manually configuring the host to use a proxy @ proxy-hostname:3128 are both fine.


When I use TPROXY, there are issues with path MTU detection from the internet to my clients.


When I try the test URL to test-ipv6.com from a client inside the network, and check the packet dump using the following:


$ sudo tcpdump '(ip6 and icmp6 and ip6[40] = 2) or (ip6 and tcp port 80)' 


I see messages along the lines of:


<timestamp> IP6 {remote addr} > {my IPv6 addr}: ICMP6, packet too big, MTU 1280, length 1240


Otherwise, the connection is silent - the curl command doesn’t succeed. (It has no problems succeeding if I set http_proxy, or disable TPROXY).


Is it an issue with my firewall, is there an issue in Linux TPROXY support, is it Squid? I’m not sure.


“shorewall6 show | grep -i icmp” shows the expected allow for ICMP (I’m showing only the type2 “packet too big” — but there are the rest suggested in RFC4890)


    0     0 ACCEPT     icmpv6    *      *       ::/0                 ::/0                 ipv6-icmptype 2 /* Needed ICMP types (RFC4890) */


I’m fairly sure that the firewall is configured to pass the ICMPv6 messages from any interface to any interface - Clients inside the network are definitely seeing “packet too big” messages.


So is there something in Squid which could be causing my path MTU issues? Is there anything I can do to eliminate Squid as a source of error?


Thanks.


_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users
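The "packet too big" line in the dump above carries more than the advertised MTU: the ICMPv6 message embeds the start of the dropped packet, so it names the exact TCP flow the receiving stack is expected to clamp. The parser below is an added example (not code from the thread or from Squid) that decodes a type 2 message, verifies its checksum and extracts that flow, which is what you would compare against the transparent socket's 4-tuple when checking whether the host can act on the message. The addresses 2001:db8::1 / 2001:db8:1::10, port 54321 and the sample frame are constructed.

```python
import ipaddress
import struct

ICMPV6_PACKET_TOO_BIG, IPPROTO_ICMPV6, IPPROTO_TCP = 2, 58, 6  # RFC 4443 type 2

def icmpv6_checksum(src, dst, icmp):
    """RFC 4443 checksum: IPv6 pseudo-header + ICMPv6 message; 0 means valid."""
    pseudo = src.packed + dst.packed + struct.pack("!I3xB", len(icmp), IPPROTO_ICMPV6)
    data = pseudo + icmp + (b"\x00" if len(icmp) % 2 else b"")
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_packet_too_big(frame):
    """Decode an IPv6 packet carrying ICMPv6 Packet Too Big and report the
    advertised MTU plus the embedded flow the receiving stack must clamp.
    Returns None for anything else. Assumes no IPv6 extension headers."""
    if len(frame) < 48 or frame[0] >> 4 != 6 or frame[6] != IPPROTO_ICMPV6:
        return None
    src, dst = ipaddress.IPv6Address(frame[8:24]), ipaddress.IPv6Address(frame[24:40])
    icmp = frame[40:40 + struct.unpack("!H", frame[4:6])[0]]
    if len(icmp) < 8 or icmp[0] != ICMPV6_PACKET_TOO_BIG or icmp[1] != 0:
        return None
    if icmpv6_checksum(src, dst, icmp) != 0:  # corrupt message: hosts drop it
        return None
    mtu = struct.unpack("!I", icmp[4:8])[0]
    inner = icmp[8:]  # leading bytes of the original, oversized packet
    if len(inner) < 44 or inner[0] >> 4 != 6 or inner[6] != IPPROTO_TCP:
        return None  # only the TCP case from the capture is handled
    sport, dport = struct.unpack("!HH", inner[40:44])
    return {"reporter": str(src), "mtu": mtu,
            "flow": (str(ipaddress.IPv6Address(inner[8:24])), sport,
                     str(ipaddress.IPv6Address(inner[24:40])), dport)}

def build_sample_ptb():
    """Constructed sample, not a real capture: server 2001:db8::1 tells
    client 2001:db8:1::10 its segment to port 80 exceeded MTU 1280."""
    client, server = ipaddress.IPv6Address("2001:db8:1::10"), ipaddress.IPv6Address("2001:db8::1")
    # start of the dropped packet: IPv6 header + first 12 bytes of TCP header
    inner = struct.pack("!IHBB", 0x60000000, 1460, IPPROTO_TCP, 64) + client.packed + server.packed
    inner += struct.pack("!HHII", 54321, 80, 1000, 0)
    icmp = struct.pack("!BBHI", ICMPV6_PACKET_TOO_BIG, 0, 0, 1280) + inner
    icmp = icmp[:2] + struct.pack("!H", icmpv6_checksum(server, client, icmp)) + icmp[4:]
    outer = struct.pack("!IHBB", 0x60000000, len(icmp), IPPROTO_ICMPV6, 64) + server.packed + client.packed
    return outer + icmp
```

Feeding a real frame (for example the raw bytes from `tcpdump -w`) through `parse_packet_too_big` tells you whether the message is addressed to the spoofed client address and which local connection it belongs to, which is the first thing to check before blaming Squid or the firewall.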
Re: IPv6 TPROXY and ICMP Messages

Amos Jeffries
Administrator
On 30/09/17 10:56, Troy Telford wrote:
> I’m fairly sure that the firewall is configured to pass the ICMPv6
> messages from any interface to any interface - Clients inside the
> network are definitely seeing “packet too big” messages.
>
>
> So is there something in Squid which could be causing my path MTU
> issues? Is there anything i can do to eliminate Squid as a source of error?
>

Squid just schedules data for TCP to deliver and lets the OS handle the
details. Sounds to me like your TCP stack is not handling those ICMP MTU
responses correctly.

IIRC the kernel versions 2.6.32-2.6.36 were found to have issues with
their ICMP. But those got resolved.

Amos