[c-nsp] Cisco WCCP and Squid on Linux

Mark Tinka mtinka at africaonline.co.sz
Tue Jun 28 06:31:54 EDT 2005


On Tuesday 28 June 2005 12:22, Reuben Farrelly wrote:

Cheers!

Mark.

> On 28/06/2005 9:30 p.m., Mark Tinka wrote:
> > On Monday 27 June 2005 13:20, Reuben Farrelly wrote:
> >> It does from kernel 2.6.10 onwards.  It's actually
> >> easier to do it with the ip_gre module if the
> >> kernel supports it (I've used both - using the
> >> built in ip_gre module means you never have to
> >> rebuild ip_wccp every time your kernel changes).
> >
> > Oh really? I tried using the ip_gre module before
> > with a gre0 interface, but that didn't seem to work.
>
> Yeah, you would have needed to patch it if running
> 2.6.5.  But no longer - see
>
> http://www.ussg.iu.edu/hypermail/linux/kernel/0409.1/2396.html
>
> or of course post 2.6.10 versions of
> linux-2.6/net/ipv4/ip_gre.c
>
> > I'd be happy to use the ip_gre module, as, like you
> > say, updating the kernel would mean I'm free from
> > having to recompile the ip_wccp module; and since
> > it's built correctly in the kernel, it's more likely
> > to work off the bat than ip_wccp would.
>
> Certainly.  Compiling external modules is a pain and
> can be a source of problems.
>
> > My current kernel version is 2.6.5, so I don't think
> > ip_gre will satisfy me. I'll soon be upgrading my OS
> > and will be running 2.6.11; I trust that will have
> > the support you mention.
>
> Yes it will.
>
> > Do you have an implementation schedule? Like
> > firewall rules for GRE, interface configurations,
> > kernel patches if necessary, Squid configurations
> > etc., and any other gotchas?
>
> Not really, I've got the most basic setup with my
> squid box on the same subnet as clients.  Pretty
> simple really, no firewall rules for GRE or
> restrictions on router talking to squid.  No kernel or
> squid patches required either.  I'm using
> squid-2.5STABLE10 but there haven't been changes to
> WCCP for ages in squid.  It works so I'm very very
> careful to only change one thing at a time and retest
> it.  Of recent times living on the bleeding edge, it
> has been IOS bugs which have broken things - see
> CSCsb10663, CSCeh76239 and CSCeg45426. <plug> If
> anyone wants to progress my reproducible bug
> CSCsb10663 along, that would be great - as it busts
> WCCP on all late 12.3T and 12.4/12.4T releases
> (including some scenarios with no NAT, despite the
> note). </plug>
>
> Be mindful if your squid box has multiple interfaces,
> of which IP address is being seen by the router for
> WCCP.  e.g. if your router is seeing 192.168.1.1 as the
> squid box WCCP source address, and your squid box is
> sending out HTTP requests out 192.168.1.2, the router
> probably won't automagically bypass traffic sourced
> from 192.168.1.2 as it has no way of knowing that this
> is the same box.  In that case either carefully write
> an ACL, or bind squid and wccp to only one address.
>
> Some useful reference information:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.13
>   (hopefully you've already read this)
>
> --------
> interface config on fedora/redhat:
>
> [root@tornado linux-2.6]# cat /etc/sysconfig/network-scripts/ifcfg-gre0
> DEVICE=gre0
> BOOTPROTO=static
> IPADDR=172.16.1.6
> NETMASK=255.255.255.252
> ONBOOT=yes
> IPV6INIT=no
>
> <I don't have a corresponding 172.16.1.5 address
> anywhere on my network>
>
> ---------
>
> We should probably move this off-list to the
> squid-users mailing list
> (http://www.squid-cache.org/mailing-lists.html) as
> this is really where it belongs.
>
> reuben
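
The multi-interface caveat in the quoted message (router sees one WCCP source address, HTTP leaves from another) can be checked mechanically. The script below is an added example, not part of the thread: it assumes the cache is pinned with Squid's `wccp_outgoing_address` and `tcp_outgoing_address` directives, and the function names, exit codes and router address are made up for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): flag the multi-interface WCCP pitfall.
# Exit codes: 0 = both pinned to one address, 1 = different addresses,
# 2 = at least one directive unset (the OS picks the source address).

# Print the distinct first arguments of directive $2 in file $1, comments removed.
directive_values() {
    awk -v d="$2" '{ sub(/#.*/, "") } $1 == d { print $2 }' "$1" | sort -u
}

check_wccp_source() {
    wccp=$(directive_values "$1" wccp_outgoing_address)
    tcp=$(directive_values "$1" tcp_outgoing_address)

    if [ -z "$wccp" ] || [ -z "$tcp" ]; then
        echo "UNPINNED: wccp='${wccp:-unset}' http='${tcp:-unset}'"
        return 2
    fi
    # Several tcp_outgoing_address lines (ACL-selected) also count as a mismatch,
    # because the router only learns the single WCCP source address.
    if [ "$wccp" != "$tcp" ]; then
        echo "MISMATCH: router sees $wccp, HTTP leaves from:" $tcp
        return 1
    fi
    echo "OK: WCCP and outgoing HTTP both use $wccp"
    return 0
}

# Constructed sample reproducing the 192.168.1.1 / 192.168.1.2 case from the mail.
sample=$(mktemp)
cat > "$sample" <<'EOF'
wccp_router 192.168.1.254          # constructed router address
wccp_outgoing_address 192.168.1.1  # address the router sees
tcp_outgoing_address 192.168.1.2   # address HTTP requests leave from
EOF
check_wccp_source "$sample" || true
rm -f "$sample"
```

A mismatch result means the router's redirect ACL has to exclude the HTTP source address explicitly, which is the "carefully write an ACL" option from the message.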