Date: Tue, 30 Jun 2015 15:08:58 -0700
From: Nick Rogers <ncrogers@gmail.com>
To: Dimitry Andric <dim@freebsd.org>
Cc: "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Subject: Re: www/squid: tcp_outgoing_address binds to wrong interface
Message-ID: <CAKOb=YY8gOt9JhdGOX7chK_t8vj9VPb123Lshvsiiz38OfDoUA@mail.gmail.com>
In-Reply-To: <CAKOb=Ya8prkcy-kqCqDYkiMi=2f95Z2bojc14nGg_o+XcwnQZQ@mail.gmail.com>
References: <CAKOb=YbDvJXETVdZFxVnZ=x+DqCCtRer91WHBKDBP_Qh=1JX+g@mail.gmail.com> <10633AE6-097E-4F08-AEA0-8E78632F2BCD@FreeBSD.org> <CAKOb=Ya8prkcy-kqCqDYkiMi=2f95Z2bojc14nGg_o+XcwnQZQ@mail.gmail.com>
On Tue, Jun 30, 2015 at 2:36 PM, Nick Rogers <ncrogers@gmail.com> wrote:
>
>
> On Tue, Jun 30, 2015 at 11:54 AM, Dimitry Andric <dim@freebsd.org> wrote:
>
>> On 30 Jun 2015, at 18:48, Nick Rogers <ncrogers@gmail.com> wrote:
>> ...
>> > I am experiencing an issue with squid 3.5.5 and FreeBSD 10.1 where
>> > tcp_outgoing_address correctly rewrites the source address of outgoing
>> > packets, but fails to bind the socket to the correct interface.
>>
>> How do you arrive at this conclusion? In the rest of your mail I see no
>> squid configuration for this, e.g. you would have to use:
>>
>> http_port 10.8.8.10:3129
>>
>> to explicitly bind to the first address on em1. You can add multiple
>> http_port settings to bind to multiple addresses.
>
> The http_port directive is for the address/port squid listens on for
> incoming client connections to the proxy, not what it uses to initiate
> outbound HTTP connections. The tcp_outgoing_address directive is what
> controls the source IP of outbound requests to web servers.
>
>> > I've been
>> > using this kind of setup/configuration for quite some time (since the squid
>> > 2.7 days), so I believe something between FreeBSD 9.x and 10.1 has broken
>> > this behavior. FWIW squid 3.3.3 on FreeBSD 9.x behaves correctly with the
>> > same config. My understanding is that squid merely changes the source
>> > address as a hint to the kernel routing stack, which makes me believe the
>> > problem lies outside of squid. I've already sought out help from the
>> > squid-users mailing list and been told the same thing.
>> ...
>> > root# netstat -rn | grep default
>> >
>> > default            192.168.92.2       UGS         em0
>>
>> Do you have a route for 10.8.8.10 and similar? Those should point to
>> em1, obviously. If there is no specific route, those packets will
>> simply go to the default gateway.
>
> 10.8.8.10 is an alias configured on em1.
>
> root# ifconfig em1
> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0 mtu 1500
>         options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
>         ether 00:0c:29:a3:33:7f
>         inet 10.8.8.10 netmask 0xffffff00 broadcast 10.8.8.255
>         nd6 options=9<PERFORMNUD,IFDISABLED>
>         media: Ethernet autoselect (1000baseT <full-duplex>)
>         status: active
> root# netstat -rn | grep em1
> 10.8.8.0/24        link#1             U           em1
>
> Is that not sufficient for the kernel to know that packets with a source
> IP of 10.8.8.10 should egress em1, which has 10.8.8.10 configured via
> ifconfig? If I use ping -S the packets go out the correct interface
> (e.g., ping -S 10.8.8.10 10.8.8.250).
>

I believe I understand your point now... There is no way to specify a
route based on the source IP of the packet, thus it will always egress
the default route interface even though the desired source IP is
configured on a different interface. I suppose I can handle the
source-based routing with PF. Thank you.

>> -Dimitry
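The source-based routing Nick says he will hand to PF, as an added example that is not part of the thread and not anything Dimitry or Nick posted. It is a pf.conf fragment for FreeBSD 10.x: the interface names, the 10.8.8.10 alias and the em0 default route come from the thread, while 10.8.8.1 is an assumed next hop on the em1 network that has to be replaced with the real gateway there. The idea is that the kernel routing table still picks em0 for packets with source 10.8.8.10 (there is no source-based lookup, as Dimitry explains), so PF catches them on their way out of em0 and re-routes them through em1.

```pf
# Added example, not from the thread: source-based egress for squid's
# tcp_outgoing_address on FreeBSD 10.x with PF.
# em0/em1/10.8.8.10 are from the thread; 10.8.8.1 is an ASSUMED next hop
# on the em1 network and must be replaced with the real gateway.
ext_if  = "em0"         # interface holding the default route
alt_if  = "em1"         # interface carrying the 10.8.8.10 alias
alt_src = "10.8.8.10"   # squid's tcp_outgoing_address
alt_gw  = "10.8.8.1"    # assumed gateway reachable via em1

# The routing table sends these packets towards em0 (default route).
# This rule matches them as they leave em0 and hands them to em1 with
# alt_gw as the next hop instead. States are floating by default on
# FreeBSD, so the replies arriving on em1 match the same state.
pass out quick on $ext_if inet proto tcp from $alt_src to any \
    route-to ($alt_if $alt_gw) keep state

# Everything else keeps following the kernel routing table.
pass out on $ext_if keep state
```

To check it, run `pfctl -nf /etc/pf.conf` for a syntax-only parse before loading, then watch `tcpdump -ni em1 src 10.8.8.10` while squid makes a request: the SYNs should now appear on em1 rather than em0. If squid also talks to hosts on the em0 network (192.168.92.0/24 in the thread), narrow the `to any` so those destinations are not pushed through the em1 gateway.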