From owner-freebsd-ports@freebsd.org  Tue Jun 30 21:36:09 2015
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id C4FE599116A
 for <freebsd-ports@mailman.ysv.freebsd.org>;
 Tue, 30 Jun 2015 21:36:09 +0000 (UTC)
 (envelope-from ncrogers@gmail.com)
Received: from mail-yk0-x22c.google.com (mail-yk0-x22c.google.com
 [IPv6:2607:f8b0:4002:c07::22c])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id 8E00B1D52;
 Tue, 30 Jun 2015 21:36:09 +0000 (UTC)
 (envelope-from ncrogers@gmail.com)
Received: by ykdr198 with SMTP id r198so21767672ykd.3;
 Tue, 30 Jun 2015 14:36:08 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=hIObVYh2Va2QkKcO3qgdn9Y9cpW1qskj8Z6+1XVdI1s=;
 b=XRKEYVeeGM+sK/sezIOHPS2rFjbXkkXQu1S/IGPpwzCbJA+ElIF6W0qaawGtsReYzc
 QEFWhT+jIgivrMMsKnz4tHm9HxASKBxBKP3ZYAsLi3qtmnQZNJX15jn8n0q09NCGQ8ie
 Fl7JSeRGjr9QeEeVmbnIhXAoHCF07gvM6Ez/evL7rsBKD0FYFWDSI/9pkmr7dUTAu3c8
 4Tn73l/PmURHlHzARJUwjUbS2h7PPrCPJCvc87uB6RwONneYOfveXe68h7sjK/jzN4Al
 Z8uh07jXd6gWZrkgkv3pUmBbkFbumVSGuVlXzdX3bJgV9skMqOW/GXK4hniUhu01Yzmn
 6KZw==
MIME-Version: 1.0
X-Received: by 10.129.49.214 with SMTP id x205mr17463294ywx.47.1435700167937; 
 Tue, 30 Jun 2015 14:36:07 -0700 (PDT)
Received: by 10.37.203.211 with HTTP; Tue, 30 Jun 2015 14:36:07 -0700 (PDT)
In-Reply-To: <10633AE6-097E-4F08-AEA0-8E78632F2BCD@FreeBSD.org>
References: <CAKOb=YbDvJXETVdZFxVnZ=x+DqCCtRer91WHBKDBP_Qh=1JX+g@mail.gmail.com>
 <10633AE6-097E-4F08-AEA0-8E78632F2BCD@FreeBSD.org>
Date: Tue, 30 Jun 2015 14:36:07 -0700
Message-ID: <CAKOb=Ya8prkcy-kqCqDYkiMi=2f95Z2bojc14nGg_o+XcwnQZQ@mail.gmail.com>
Subject: Re: www/squid: tcp_outgoing_address binds to wrong interface
From: Nick Rogers <ncrogers@gmail.com>
To: Dimitry Andric <dim@freebsd.org>
Cc: "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 21:36:09 -0000

On Tue, Jun 30, 2015 at 11:54 AM, Dimitry Andric <dim@freebsd.org> wrote:

> On 30 Jun 2015, at 18:48, Nick Rogers <ncrogers@gmail.com> wrote:
> ...
> > I am experiencing an issue with squid 3.5.5 and FreeBSD 10.1 where
> > tcp_outgoing_address correctly rewrites the source address of outgoing
> > packets, but fails to bind the socket to the correct interface.
>
> How do you arrive at this conclusion?  In the rest of your mail I see no
> squid configuration for this, e.g. you would have to use:
>
> http_port 10.8.8.10:3129
>
> to explicitly bind to the first address on em1.  You can add multiple
> http_port settings to bind to multiple addresses.
>

The http_port directive is for the address/port squid listens on for
incoming client connections to the proxy, not what it uses to initiate
outbound HTTP connections. The tcp_outgoing_address directive is what
controls the source IP of outbound requests to web servers.


>
> > I've been
> > using this kind of setup/configuration for quite some time (since the
> squid
> > 2.7 days), so I believe something between FreeBSD 9.x and 10.1 has broken
> > this behavior. FWIW squid 3.3.3 on FreeBSD 9.x behaves correctly with the
> > same config. My understanding is that squid merely changes the source
> > address as a hint to the kernel routing stack, which makes me believe the
> > problem lies outside of squid. I've already sought out help from the
> > squid-users mailing list and been told the same thing.
> ...
> > root# netstat -rn | grep default
> >
> > default            192.168.92.2       UGS         em0
>
> Do you have a route for 10.8.8.10 and similar?  Those should point to
> em1, obviously.  If there is no specific route, those packets will
> simply go to the default gateway.
>

10.8.8.10 is an alias configured on em1.

root# ifconfig em1
em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
mtu 1500
options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
ether 00:0c:29:a3:33:7f
inet 10.8.8.10 netmask 0xffffff00 broadcast 10.8.8.255
nd6 options=9<PERFORMNUD,IFDISABLED>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
root# netstat -rn | grep em1
10.8.8.0/24        link#1             U           em1

Is that not sufficient for the kernel to know that packets with a source IP
of 10.8.8.10 should egress em1, which has 10.8.8.10 configured via
ifconfig? If I using ping -S the packets go out the correct interface
(e.g., ping -S 10.8.8.10 10.8.8.250).



>
> -Dimitry
>
>