REDIRECT and IPv6

REDIRECT and IPv6

[squid3]

Greetings,

Pardon if this is a dumb question. But I have searched the web, and the
source code for a solution to this one and have reached a brick wall.

I'm upgrading a user-space proxy (squid3) which has in the past done
transparent connections under IPv4-only using SO_ORIGINAL_DST.

The Firewall/router uses iptables and REDIRECT port 80 outbound to port
81. All is fine and dandy when squid listens on 0.0.0.0:81.

With the new code I have to use an IPv6 socket ( [::]:81 ) as the
receiver. With that getsockopt(..., SO_ORIGINAL_DST, ...) always returns
err "92 Protocol not supported." regardless of the IP-level parameters
passed in.

NOTE: All traffic for testing so far has been from IPv4 clients to what
they think is an IPv4 server, but with a dual-enabled middleman. The
'middleman' Software is iptables 1.3.6 on Debian 2.6.21-2-486 (unstable),
squid3 built with g++ 4.1.3.

Can anyone point me in the right direction for a solution that will work?
Ideally one that is protocol-independant, but anything is welcome even an
'upgrade to X'.

Amos Jeffries
Squid3 Development Team

Re: REDIRECT and IPv6

[Patrick McHardy]

squid3@treenet.co.nz wrote:
> Greetings,
> 
> Pardon if this is a dumb question. But I have searched the web, and the
> source code for a solution to this one and have reached a brick wall.
> 
> I'm upgrading a user-space proxy (squid3) which has in the past done
> transparent connections under IPv4-only using SO_ORIGINAL_DST.
> 
> The Firewall/router uses iptables and REDIRECT port 80 outbound to port
> 81. All is fine and dandy when squid listens on 0.0.0.0:81.
> 
> With the new code I have to use an IPv6 socket ( [::]:81 ) as the
> receiver. With that getsockopt(..., SO_ORIGINAL_DST, ...) always returns
> err "92 Protocol not supported." regardless of the IP-level parameters
> passed in.
> 
> NOTE: All traffic for testing so far has been from IPv4 clients to what
> they think is an IPv4 server, but with a dual-enabled middleman. The
> 'middleman' Software is iptables 1.3.6 on Debian 2.6.21-2-486 (unstable),
> squid3 built with g++ 4.1.3.


You're right, nf_conntrack_ipv4 only registeres SO_ORIGINAL_DST for
AF_INET, changing that should make it work I believe. I feel like
I'm missing something though ..

Re: REDIRECT and IPv6

[YOSHIFUJI Hideaki / 吉藤英明]

In article <469F280B.3070900@trash.net> (at Thu, 19 Jul 2007 10:59:55 +0200), Patrick McHardy <kaber@trash.net> says:

> You're right, nf_conntrack_ipv4 only registeres SO_ORIGINAL_DST for
> AF_INET, changing that should make it work I believe. I feel like
> I'm missing something though ..

BTW, the name of the socket option is rather bogus.
It should be named IP_xxx, not SO_xxx because
it is in IP level, not in socket level...

--yoshfuji

Re: REDIRECT and IPv6

[Yasuyuki KOZAKAI]

From: Patrick McHardy <kaber@trash.net>
Date: Thu, 19 Jul 2007 10:59:55 +0200

> squid3@treenet.co.nz wrote:
> > Greetings,
> > 
> > Pardon if this is a dumb question. But I have searched the web, and the
> > source code for a solution to this one and have reached a brick wall.
> > 
> > I'm upgrading a user-space proxy (squid3) which has in the past done
> > transparent connections under IPv4-only using SO_ORIGINAL_DST.
> > 
> > The Firewall/router uses iptables and REDIRECT port 80 outbound to port
> > 81. All is fine and dandy when squid listens on 0.0.0.0:81.
> > 
> > With the new code I have to use an IPv6 socket ( [::]:81 ) as the
> > receiver. With that getsockopt(..., SO_ORIGINAL_DST, ...) always returns
> > err "92 Protocol not supported." regardless of the IP-level parameters
> > passed in.
> > 
> > NOTE: All traffic for testing so far has been from IPv4 clients to what
> > they think is an IPv4 server, but with a dual-enabled middleman. The
> > 'middleman' Software is iptables 1.3.6 on Debian 2.6.21-2-486 (unstable),
> > squid3 built with g++ 4.1.3.
> 
> 
> You're right, nf_conntrack_ipv4 only registeres SO_ORIGINAL_DST for
> AF_INET, changing that should make it work I believe. I feel like
> I'm missing something though ..

I wrote getorigdst() for IPv6 at once but threw away it
because of no IPv6 NAT :) I hope that new tproxy will support IPv6 in future.

-- Yasuyuki Kozakai

Re: REDIRECT and IPv6

[Patrick McHardy]

YOSHIFUJI Hideaki / 吉藤英明

Re: REDIRECT and IPv6

[Amos Jeffries]

Yasuyuki KOZAKAI wrote:
> From: Patrick McHardy <kaber@trash.net>
> Date: Thu, 19 Jul 2007 10:59:55 +0200
> 
>> squid3@treenet.co.nz wrote:
>>> Greetings,
>>>
>>> Pardon if this is a dumb question. But I have searched the web, and the
>>> source code for a solution to this one and have reached a brick wall.
>>>
>>> I'm upgrading a user-space proxy (squid3) which has in the past done
>>> transparent connections under IPv4-only using SO_ORIGINAL_DST.
>>>
>>> The Firewall/router uses iptables and REDIRECT port 80 outbound to port
>>> 81. All is fine and dandy when squid listens on 0.0.0.0:81.
>>>
>>> With the new code I have to use an IPv6 socket ( [::]:81 ) as the
>>> receiver. With that getsockopt(..., SO_ORIGINAL_DST, ...) always returns
>>> err "92 Protocol not supported." regardless of the IP-level parameters
>>> passed in.
>>>
>>> NOTE: All traffic for testing so far has been from IPv4 clients to what
>>> they think is an IPv4 server, but with a dual-enabled middleman. The
>>> 'middleman' Software is iptables 1.3.6 on Debian 2.6.21-2-486 (unstable),
>>> squid3 built with g++ 4.1.3.
>>
>> You're right, nf_conntrack_ipv4 only registeres SO_ORIGINAL_DST for
>> AF_INET, changing that should make it work I believe. I feel like
>> I'm missing something though ..
> 
> I wrote getorigdst() for IPv6 at once but threw away it
> because of no IPv6 NAT :) I hope that new tproxy will support IPv6 in future.
> 
> -- Yasuyuki Kozakai


Thanks for everything people.

Well, obviously the REDIRECT is working despite no IPv6 NAT.
What sort of a timeframe should I expect before this case is working?

Amos