Re: [squid-users] Transparent proxy with squid+netfilter

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 24 Jul 2001 23:51:23 +0200

TCP uses ICMP for path MTU discovery and some other functions, path MTU
discovery being the most important. Failure to route ICMP packets the
same direction as the rest of the TCP session will cause TCP to hang,
and finally time out under certain conditions.

Most routers (including Linux) cannot track ICMP packets belonging to a
TCP session properly in plain route maps, causing these functions to
fail.

If you use Linux iptables NAT, then ICMP packets are automatically
tracked as part of the NAT TCP session, and will thus get routed
correctly.

For transparent proxies you can work around the lack of ICMP support in
route maps by disabling path MTU discovery for the proxy interface
pointing towards your clients.

--
Henrik Nordstrom
Squid Hacker
Andrea Glorioso wrote:
> 
> >>>>> "hn" == Henrik Nordstrom <hno@hem.passagen.se> writes:
> 
>     hn> Hmm.. thinking a bit more on the routing issues.. it is
>     hn> probably safer to use NAT as you do and accept that some
>     hn> clients will fail. Doing a proper routing setup is non-trivial
>     hn> unless you patch iptables with connection mark capabilities to
>     hn> also catch related ICMP traffic.
> 
> Could you elaborate on the problem posed by ICMP traffic?
> 
> Bye,
> 
> Andrea Glorioso
Received on Tue Jul 24 2001 - 16:10:10 MDT
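The mechanism Henrik describes, as an added example that is not part of this thread, of Squid or of netfilter: a toy model of a NAT box that receives an ICMP "fragmentation needed" error (type 3, code 4) for a session it is translating. A plain route map classifies on the outer header, where the packet is just ICMP with no ports, so it cannot tie the error to the TCP session. A connection tracker instead reads the IP/TCP header quoted inside the error, finds the session by that tuple, and rewrites the error (outer destination, quoted source address and port, both checksums) back to the pre-NAT client. All addresses, ports, the MTU and the packet bytes are constructed here for illustration; `ConnTracker` is a stand-in, not netfilter's code.

```python
"""Tie an ICMP "fragmentation needed" error back to the TCP session it reports on.

Constructed scenario: a NAT box forwards client 192.168.1.10:40000 -> 203.0.113.5:80
as 198.51.100.1:50000.  A router on the path answers a 1500-byte DF segment with
ICMP type 3 code 4 (next-hop MTU 1400), addressed to the NATed source.  Only the
header quoted inside the error says which session it belongs to.
"""
import socket
import struct

ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED = 3, 4   # RFC 792 type, RFC 1191 code


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 when run over a valid header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _with_checksum(buf: bytearray, off: int) -> bytearray:
    """Zero the 16-bit checksum field at `off`, recompute it over `buf`, store it."""
    buf[off:off + 2] = b"\0\0"
    buf[off:off + 2] = struct.pack("!H", inet_checksum(bytes(buf)))
    return buf


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header with DF set, as a host doing path MTU discovery sends."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234,
                                0x4000, 64, proto, 0,
                                socket.inet_aton(src), socket.inet_aton(dst)))
    return bytes(_with_checksum(hdr, 10))


def parse_ipv4(pkt: bytes):
    """Return (src, dst, proto, header_len, payload); also used on the quoted header."""
    ihl = (pkt[0] & 0x0F) * 4
    return socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[9], ihl, pkt[ihl:]


def icmp_frag_needed(router: str, dst: str, mtu: int, offending_ip: bytes, l4_first8: bytes) -> bytes:
    """Outer IP + ICMP 3/4 header + the offending IP header + its first 8 payload bytes."""
    icmp = bytearray(struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, mtu)
                     + offending_ip + l4_first8)
    return ipv4_header(router, dst, socket.IPPROTO_ICMP, len(icmp)) + bytes(_with_checksum(icmp, 2))


def route_map_session(pkt: bytes):
    """Plain policy routing: classify on the outer header only.  ICMP has no ports: None."""
    src, dst, proto, _, l4 = parse_ipv4(pkt)
    if proto != socket.IPPROTO_TCP:
        return None
    sport, dport = struct.unpack("!HH", l4[:4])
    return (proto, src, sport, dst, dport)


class ConnTracker:
    """Toy conntrack table (stand-in for netfilter's): reply-direction tuple -> original flow."""

    def __init__(self):
        self.by_reply = {}

    def add_tcp(self, client, cport, server, sport, nat_ip, nat_port):
        # Anything coming back from the server side is addressed to the NATed endpoint.
        self.by_reply[(socket.IPPROTO_TCP, server, sport, nat_ip, nat_port)] = (client, cport, server, sport)

    def conntrack_icmp_error(self, pkt: bytes):
        """What conntrack+NAT does: find the session via the quoted header, then un-NAT the error."""
        _, _, proto, ihl, icmp = parse_ipv4(pkt)
        if proto != socket.IPPROTO_ICMP or icmp[0] != ICMP_DEST_UNREACH:
            return None
        mtu = struct.unpack("!H", icmp[6:8])[0]
        qsrc, qdst, qproto, qihl, ql4 = parse_ipv4(icmp[8:])
        qsport, qdport = struct.unpack("!HH", ql4[:4])
        # The quoted datagram left the NAT box, so it is the reply tuple reversed.
        flow = self.by_reply.get((qproto, qdst, qdport, qsrc, qsport))
        if flow is None:
            return None
        client, cport, server, sport = flow
        q_ip = bytearray(icmp[8:8 + qihl])
        q_ip[12:16] = socket.inet_aton(client)          # quoted source back to the real client
        q_l4 = bytearray(ql4[:8])
        q_l4[0:2] = struct.pack("!H", cport)            # quoted source port back to the client's
        new_icmp = bytearray(icmp[:8]) + _with_checksum(q_ip, 10) + q_l4
        outer = bytearray(pkt[:ihl])
        outer[16:20] = socket.inet_aton(client)         # deliver the error to the client, not the NAT box
        return {"client": (client, cport), "server": (server, sport), "mtu": mtu,
                "packet": bytes(_with_checksum(outer, 10) + _with_checksum(new_icmp, 2))}


def demo():
    """Run the constructed scenario; returns what each classifier makes of the ICMP error."""
    table = ConnTracker()
    table.add_tcp("192.168.1.10", 40000, "203.0.113.5", 80, "198.51.100.1", 50000)
    tcp8 = struct.pack("!HHI", 50000, 80, 1000)   # sport, dport, seq: the 8 bytes an ICMP error quotes
    seg_hdr = ipv4_header("198.51.100.1", "203.0.113.5", socket.IPPROTO_TCP, 1480)  # 1500-byte DF segment
    error = icmp_frag_needed("203.0.113.1", "198.51.100.1", 1400, seg_hdr, tcp8)
    return {
        "route_map_on_tcp": route_map_session(seg_hdr + tcp8),
        "route_map_on_icmp": route_map_session(error),   # None: nothing in the outer header to match
        "conntrack": table.conntrack_icmp_error(error),
    }


if __name__ == "__main__":
    r = demo()
    print("route map sees the TCP segment as:", r["route_map_on_tcp"])
    print("route map sees the ICMP error as: ", r["route_map_on_icmp"])
    print("conntrack delivers the error to:  ", r["conntrack"]["client"], "mtu", r["conntrack"]["mtu"])
```

Run it directly to see the three classifications. The point of the rewrite step is that, without it, the client would never learn the smaller MTU and its DF-marked segments would be silently discarded, which is the hang Henrik describes. For the route-map case his workaround is to stop the proxy from relying on PMTUD toward the clients at all; on a Linux proxy the present-day knobs for that are a client-side route with a locked MTU (`ip route ... mtu lock <bytes>`) or the global `net.ipv4.ip_no_pmtu_disc` sysctl. Neither knob is mentioned in the message and they should be checked against the documentation of the kernel actually in use.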

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 17:01:18 MST