www/squid: tcp_outgoing_address binds to wrong interface
Nick Rogers
ncrogers at gmail.com
Tue Jun 30 21:36:09 UTC 2015
On Tue, Jun 30, 2015 at 11:54 AM, Dimitry Andric <dim at freebsd.org> wrote:
> On 30 Jun 2015, at 18:48, Nick Rogers <ncrogers at gmail.com> wrote:
> ...
> > I am experiencing an issue with squid 3.5.5 and FreeBSD 10.1 where
> > tcp_outgoing_address correctly rewrites the source address of outgoing
> > packets, but fails to bind the socket to the correct interface.
>
> How do you arrive at this conclusion? In the rest of your mail I see no
> squid configuration for this, e.g. you would have to use:
>
> http_port 10.8.8.10:3129
>
> to explicitly bind to the first address on em1. You can add multiple
> http_port settings to bind to multiple addresses.
>
The http_port directive is for the address/port squid listens on for
incoming client connections to the proxy, not what it uses to initiate
outbound HTTP connections. The tcp_outgoing_address directive is what
controls the source IP of outbound requests to web servers.
>
> > I've been
> > using this kind of setup/configuration for quite some time (since the
> squid
> > 2.7 days), so I believe something between FreeBSD 9.x and 10.1 has broken
> > this behavior. FWIW squid 3.3.3 on FreeBSD 9.x behaves correctly with the
> > same config. My understanding is that squid merely changes the source
> > address as a hint to the kernel routing stack, which makes me believe the
> > problem lies outside of squid. I've already sought out help from the
> > squid-users mailing list and been told the same thing.
> ...
> > root# netstat -rn | grep default
> >
> > default 192.168.92.2 UGS em0
>
> Do you have a route for 10.8.8.10 and similar? Those should point to
> em1, obviously. If there is no specific route, those packets will
> simply go to the default gateway.
>
10.8.8.10 is an alias configured on em1.
root# ifconfig em1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:a3:33:7f
inet 10.8.8.10 netmask 0xffffff00 broadcast 10.8.8.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
root# netstat -rn | grep em1
10.8.8.0/24 link#1 U em1
Is that not sufficient for the kernel to know that packets with a source IP
of 10.8.8.10 should egress em1, which has 10.8.8.10 configured via
ifconfig? If I using ping -S the packets go out the correct interface
(e.g., ping -S 10.8.8.10 10.8.8.250).
>
> -Dimitry
>
>
More information about the freebsd-ports
mailing list