--------------------- PatchSet 5190 Date: 2007/08/08 05:46:29 Author: amosjeffries Branch: squid3-ipv6 Tag: (none) Log: Document tcp_outgoing_address voodoo needed to use explicit outbound addressing under dual-protocol conditions. Members: NOTES-IPv6:1.1.2.53->1.1.2.54 src/cf.data.pre:1.68.2.23->1.68.2.24 Index: squid3/NOTES-IPv6 =================================================================== RCS file: /cvsroot/squid-sf//squid3/Attic/NOTES-IPv6,v retrieving revision 1.1.2.53 retrieving revision 1.1.2.54 diff -u -r1.1.2.53 -r1.1.2.54 --- squid3/NOTES-IPv6 7 Aug 2007 23:25:10 -0000 1.1.2.53 +++ squid3/NOTES-IPv6 8 Aug 2007 05:46:29 -0000 1.1.2.54 @@ -1,4 +1,4 @@ -$Id: NOTES-IPv6,v 1.1.2.53 2007/08/07 23:25:10 amosjeffries Exp $ +$Id: NOTES-IPv6,v 1.1.2.54 2007/08/08 05:46:29 amosjeffries Exp $ NP: Any problems with this version of squid please contact squid3@treenet.co.nz for assistance. @@ -19,7 +19,7 @@ bothered by the localhost vagaries. It will enable logics to map all localhost traffic through ::1 unless an IPv4-only link is required. - --with-ipv4-mapped option is provided for semi-dual OS that do not do accept raw IPv4 + --with-ipv4-mapped option is provided for OS that do not do accept raw IPv4 addresses to IPv6 sockets, but require the client to do all the v4-mapping itself. This is now considered unsafe by the industry and breaks protocol-independance. It is not intended to be used unless absolutely necessary. 
@@ -29,7 +29,8 @@ Specify a specific tcp_outgoing_address and the clients who match its ACL are limited to the IPv4 or IPv6 network that address belongs to. They are not permitted over the - IPv4-IPv6 boundary. + IPv4-IPv6 boundary. Some ACL voodoo (detailed in squid.conf) can however be applied to + explicitly route the IPv6/v4 -bound traffic out an appropriate interface. WCCP is not available. Index: squid3/src/cf.data.pre =================================================================== RCS file: /cvsroot/squid-sf//squid3/src/cf.data.pre,v retrieving revision 1.68.2.23 retrieving revision 1.68.2.24 diff -u -r1.68.2.23 -r1.68.2.24 --- squid3/src/cf.data.pre 4 Aug 2007 00:20:50 -0000 1.68.2.23 +++ squid3/src/cf.data.pre 8 Aug 2007 05:46:29 -0000 1.68.2.24 @@ -1,6 +1,6 @@ # -# $Id: cf.data.pre,v 1.68.2.23 2007/08/04 00:20:50 amosjeffries Exp $ +# $Id: cf.data.pre,v 1.68.2.24 2007/08/08 05:46:29 amosjeffries Exp $ # # SQUID Web Proxy Cache http://www.squid-cache.org/ # ---------------------------------------------------------- @@ -2911,6 +2911,28 @@ Processing proceeds in the order specified, and stops at first fully matching line. + + IPv6 Magic: + + Squid is built with a capability of bridging the IPv4 and IPv6 internets. + tcp_outgoing_address as exampled above breaks this bridging by forcing + all outbound traffic through a certain IPv4 which may be on the wrong + side of the IPv4/IPv6 boundary. + + To operate with tcp_outgoing_address and keep the bridging benefits + an additional ACL needs to be used which ensures the IPv6-bound traffic + is never forced or permitted out the IPv4 interface. + + acl ipv6 dst 2000::/3 + tcp_outgoing_address 2002::c001 good_service_get ipv6 + tcp_outgoing_address 10.0.0.2 good_service_get !ipv6 + + tcp_outgoing_address 2002::beef normal_service_get ipv6 + tcp_outgoing_address 10.0.0.1 normal_service_net !ipv6 + + tcp_outgoing_address 2002::1 ipv6 + tcp_outgoing_address 10.0.0.3 !ipv6 + DOC_END NAME: reply_header_max_size
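Review bot: In squid3/NOTES-IPv6, hunk @@ -19,7 +19,7 @@, the rewritten --with-ipv4-mapped line still reads "do not do accept". Since the line is being touched anyway, drop the stray "do" so it reads "OS that do not accept raw IPv4 addresses to IPv6 sockets". The unchanged context line two lines below also spells "protocol-independance", which could be corrected in the same pass.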
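Review bot: In squid3/NOTES-IPv6, hunk @@ -29,7 +29,8 @@, the added sentence sends readers to "ACL voodoo (detailed in squid.conf)" without naming the directive. Say that it is documented under tcp_outgoing_address so an administrator can find it, and remove the stray space in "IPv6/v4 -bound".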
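Review bot: In squid3/src/cf.data.pre, hunk @@ -2911,6 +2911,28 @@, the ACL names in the example do not match across paired lines: the 2002::beef line uses normal_service_get while the 10.0.0.1 line uses normal_service_net, so the IPv6 and IPv4 halves of that pair select on different ACLs. Both lines of a pair should name the same ACL, and good_service_get should be checked against the name used in the example earlier in this section. Separately, "acl ipv6 dst 2000::/3" matches only global unicast destinations; any other IPv6 destination (unique-local fc00::/7, for example) matches !ipv6 and is paired with the IPv4 outgoing address, which does not hold up the text's claim that IPv6-bound traffic "is never forced or permitted out the IPv4 interface". Either widen the ACL or state the limitation next to the example.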