From owner-freebsd-ports@freebsd.org  Tue Jun 30 22:09:00 2015
Return-Path: <owner-freebsd-ports@freebsd.org>
Delivered-To: freebsd-ports@mailman.ysv.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 by mailman.ysv.freebsd.org (Postfix) with ESMTP id 28ACD991752
 for <freebsd-ports@mailman.ysv.freebsd.org>;
 Tue, 30 Jun 2015 22:09:00 +0000 (UTC)
 (envelope-from ncrogers@gmail.com)
Received: from mail-yk0-x232.google.com (mail-yk0-x232.google.com
 [IPv6:2607:f8b0:4002:c07::232])
 (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
 (Client CN "smtp.gmail.com",
 Issuer "Google Internet Authority G2" (verified OK))
 by mx1.freebsd.org (Postfix) with ESMTPS id D0E4F1F45;
 Tue, 30 Jun 2015 22:08:59 +0000 (UTC)
 (envelope-from ncrogers@gmail.com)
Received: by ykdr198 with SMTP id r198so22494070ykd.3;
 Tue, 30 Jun 2015 15:08:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113;
 h=mime-version:in-reply-to:references:date:message-id:subject:from:to
 :cc:content-type;
 bh=ds0cvZp6h+N7aMRnth3XrNnDNc/PWoB0IO+0nPw7rXQ=;
 b=ZtmkUQbsGaUxGWZRs5lANt2ArWGjKqwY63h1V+kRPE5ZAIq20N7GRi96UtEczLM7fB
 RA42Zm1Ol4A9iEPn/HCpN69Wx+425VJmzmman7BTF0cozRXZEv9+LWqal14EcIJcrSOr
 spILQM/32i8avTpeSZwWB/FU9ircsXA3NyAzUuEoT9F+akmScwt1NYj4WCL9VGJoapfS
 AgjVh+aNBDAfFV5vtGyUazpf0PF7HjkdO6M82xkebQnMoqxEmZ4xqk7Wzvj4yeD1WULM
 C1/NKI6sL29Tx8Sxt7bdzajF7pcHzFOb6GZyzAL+hCaQkb8r3pmC0Rd/H7yRNmM5h+Jg
 Zpiw==
MIME-Version: 1.0
X-Received: by 10.170.44.79 with SMTP id 76mr28199535ykm.11.1435702138679;
 Tue, 30 Jun 2015 15:08:58 -0700 (PDT)
Received: by 10.37.203.211 with HTTP; Tue, 30 Jun 2015 15:08:58 -0700 (PDT)
In-Reply-To: <CAKOb=Ya8prkcy-kqCqDYkiMi=2f95Z2bojc14nGg_o+XcwnQZQ@mail.gmail.com>
References: <CAKOb=YbDvJXETVdZFxVnZ=x+DqCCtRer91WHBKDBP_Qh=1JX+g@mail.gmail.com>
 <10633AE6-097E-4F08-AEA0-8E78632F2BCD@FreeBSD.org>
 <CAKOb=Ya8prkcy-kqCqDYkiMi=2f95Z2bojc14nGg_o+XcwnQZQ@mail.gmail.com>
Date: Tue, 30 Jun 2015 15:08:58 -0700
Message-ID: <CAKOb=YY8gOt9JhdGOX7chK_t8vj9VPb123Lshvsiiz38OfDoUA@mail.gmail.com>
Subject: Re: www/squid: tcp_outgoing_address binds to wrong interface
From: Nick Rogers <ncrogers@gmail.com>
To: Dimitry Andric <dim@freebsd.org>
Cc: "freebsd-ports@freebsd.org" <freebsd-ports@freebsd.org>
Content-Type: text/plain; charset=UTF-8
X-Content-Filtered-By: Mailman/MimeDel 2.1.20
X-BeenThere: freebsd-ports@freebsd.org
X-Mailman-Version: 2.1.20
Precedence: list
List-Id: Porting software to FreeBSD <freebsd-ports.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-ports/>
List-Post: <mailto:freebsd-ports@freebsd.org>
List-Help: <mailto:freebsd-ports-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-ports>,
 <mailto:freebsd-ports-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 30 Jun 2015 22:09:00 -0000

On Tue, Jun 30, 2015 at 2:36 PM, Nick Rogers <ncrogers@gmail.com> wrote:

>
>
> On Tue, Jun 30, 2015 at 11:54 AM, Dimitry Andric <dim@freebsd.org> wrote:
>
>> On 30 Jun 2015, at 18:48, Nick Rogers <ncrogers@gmail.com> wrote:
>> ...
>> > I am experiencing an issue with squid 3.5.5 and FreeBSD 10.1 where
>> > tcp_outgoing_address correctly rewrites the source address of outgoing
>> > packets, but fails to bind the socket to the correct interface.
>>
>> How do you arrive at this conclusion?  In the rest of your mail I see no
>> squid configuration for this, e.g. you would have to use:
>>
>> http_port 10.8.8.10:3129
>>
>> to explicitly bind to the first address on em1.  You can add multiple
>> http_port settings to bind to multiple addresses.
>>
>
> The http_port directive is for the address/port squid listens on for
> incoming client connections to the proxy, not what it uses to initiate
> outbound HTTP connections. The tcp_outgoing_address directive is what
> controls the source IP of outbound requests to web servers.
>
>
>>
>> > I've been
>> > using this kind of setup/configuration for quite some time (since the
>> squid
>> > 2.7 days), so I believe something between FreeBSD 9.x and 10.1 has
>> broken
>> > this behavior. FWIW squid 3.3.3 on FreeBSD 9.x behaves correctly with
>> the
>> > same config. My understanding is that squid merely changes the source
>> > address as a hint to the kernel routing stack, which makes me believe
>> the
>> > problem lies outside of squid. I've already sought out help from the
>> > squid-users mailing list and been told the same thing.
>> ...
>> > root# netstat -rn | grep default
>> >
>> > default            192.168.92.2       UGS         em0
>>
>> Do you have a route for 10.8.8.10 and similar?  Those should point to
>> em1, obviously.  If there is no specific route, those packets will
>> simply go to the default gateway.
>>
>
> 10.8.8.10 is an alias configured on em1.
>
> root# ifconfig em1
> em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> metric 0
> mtu 1500
> options=9b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM>
> ether 00:0c:29:a3:33:7f
> inet 10.8.8.10 netmask 0xffffff00 broadcast 10.8.8.255
> nd6 options=9<PERFORMNUD,IFDISABLED>
> media: Ethernet autoselect (1000baseT <full-duplex>)
> status: active
> root# netstat -rn | grep em1
> 10.8.8.0/24        link#1             U           em1
>
> Is that not sufficient for the kernel to know that packets with a source
> IP of 10.8.8.10 should egress em1, which has 10.8.8.10 configured via
> ifconfig? If I using ping -S the packets go out the correct interface
> (e.g., ping -S 10.8.8.10 10.8.8.250).
>
> I believe I understand your point now... There is no way to specify a
route based on the source IP of the packet, thus it will always egress the
default route interface even though the desired source IP is configured on
a different interface. I suppose I can handle the source-based routing with
PF. Thank you.


>
>>
>> -Dimitry
>>
>>
>