[c-nsp] Cisco WCCP and Squid on Linux
Reuben Farrelly
reuben-cisco-nsp at reub.net
Tue Jun 28 06:22:39 EDT 2005
On 28/06/2005 9:30 p.m., Mark Tinka wrote:
> On Monday 27 June 2005 13:20, Reuben Farrelly wrote:
>
>> It does from kernel 2.6.10 onwards. It's actually
>> easier to do it with the ip_gre module if the kernel
>> supports it (I've used both - using the built in
>> ip_gre module means you never have to rebuild ip_wccp
>> every time your kernel changes).
>
> Oh really? I tried using the ip_gre module before with a
> gre0 interface, but that didn't seem to work.
Yeah, you would have needed to patch it if running 2.6.5. But no longer - see
http://www.ussg.iu.edu/hypermail/linux/kernel/0409.1/2396.html
or of course post 2.6.10 versions of linux-2.6/net/ipv4/ip_gre.c
> I'd be happy to use the ip_gre module, as, like you say,
> updating the kernel would mean I'm free from having to
> recompile the ip_wccp module; and since it's built
> correctly in the kernel, it's more likely work off the
> bat than ip_wccp would.
Certainly. Compiling external modules is a pain and can be a source of problems.
> My current kernel version is 2.6.5, so I don't think
> ip_gre will satisfy me. I'll soon be upgrading my OS and
> will be running 2.6.11; I trust that will have the
> support you mention.
Yes it will.
> Do you have an implementation schedule? Like firewall
> rules for GRE, interface configurations, kernel patches
> if necessary, Squid configurations etc., and any other
> gotchas?
Not really, I've got the most basic setup with my squid box on the same subnet
as clients. Pretty simple really, no firewall rules for GRE or restrictions
on router talking to squid. No kernel or squid patches required either. I'm
using squid-2.5STABLE10 but there haven't been changes to WCCP for ages in
squid. It works so I'm very very careful to only change one thing at a time
and retest it. Of recent times living on the bleeding edge, it has been IOS
bugs which have broken things - see CSCsb10663, CSCeh76239 and CSCeg45426.
<plug> If anyone wants to progress my reproducible bug CSCsb10663 along, that
would be great - as it busts WCCP on all late 12.3T and 12.4/12.4T releases
(including some scenarios with no NAT, despite the note). </plug>
Be mindful if your squid box has multiple interfaces, of which IP address is
being seen by the router for WCCP. eg if your router is seeing 192.168.1.1 as
the squid box WCCP source address, and your squid box is sending out HTTP
requests out 192.168.1.2, the router probably won't automagically bypass
traffic sourced from 192.168.1.2 as it has no way of knowing that this is the
same box. In that case either carefully write an ACL, or bind squid and wccp
to only one address.
Some useful reference information:
http://www.squid-cache.org/Doc/FAQ/FAQ-17.html#ss17.13 (hopefully you've
already read this)
--------
interface config on fedora/redhat:
[root at tornado linux-2.6]# cat /etc/sysconfig/network-scripts/ifcfg-gre0
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
<I don't have a corresponding 172.16.1.5 address anywhere on my network>
---------
We should probably move this off-list to the squid-users mailing list
(http://www.squid-cache.org/mailing-lists.html) as this is really where it
belongs.
reuben
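Two checks that follow from the post, as an added example (not code from Reuben or from Squid): a parser for the Red Hat ifcfg-gre0 format shown above that validates the /30 point-to-point definition and reports the implied peer address (172.16.1.5, which, as noted, need not exist anywhere), and a helper for the multiple-interface gotcha that lists the addresses Squid sends from which the router has no reason to bypass because they differ from the WCCP source it learnt. The sample file content is constructed from the values quoted in the post; the 192.168.1.x addresses are the post's own illustration.

```python
"""Sanity checks for a Squid/WCCP cache host: GRE /30 definition and source addresses."""
import ipaddress

# Constructed sample, modelled on the ifcfg-gre0 quoted in the post.
SAMPLE_IFCFG_GRE0 = """\
DEVICE=gre0
BOOTPROTO=static
IPADDR=172.16.1.6
NETMASK=255.255.255.252
ONBOOT=yes
IPV6INIT=no
"""


def parse_ifcfg(text):
    """Parse Red Hat style ifcfg text (KEY=VALUE lines, '#' comments) into a dict."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip().strip('"')
    return cfg


def gre_tunnel_summary(cfg):
    """Return (local, peer, problems) for a point-to-point GRE definition.

    The peer is the other usable host of the /30. It is reported, not probed:
    as the post notes, nothing on the network needs to answer to it.
    """
    problems = []
    if not cfg.get("DEVICE", "").startswith("gre"):
        problems.append("DEVICE is not a gre interface")
    if cfg.get("BOOTPROTO") != "static":
        problems.append("BOOTPROTO should be static for a tunnel endpoint")
    if cfg.get("ONBOOT", "no").lower() != "yes":
        problems.append("ONBOOT=no: gre0 will not come up after a reboot")
    try:
        # ipaddress accepts dotted netmasks, so IPADDR/NETMASK can be fed in directly.
        iface = ipaddress.ip_interface(f"{cfg['IPADDR']}/{cfg['NETMASK']}")
    except (KeyError, ValueError) as exc:
        problems.append(f"bad or missing IPADDR/NETMASK: {exc}")
        return None, None, problems
    net = iface.network
    if net.prefixlen != 30:
        problems.append(f"{net} is a /{net.prefixlen}; a point-to-point link wants a /30")
        return str(iface.ip), None, problems
    hosts = list(net.hosts())  # the two usable addresses of the /30
    if iface.ip not in hosts:
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
        return str(iface.ip), None, problems
    peer = next(h for h in hosts if h != iface.ip)
    return str(iface.ip), str(peer), problems


def unbypassed_sources(wccp_source, outbound_sources):
    """Addresses Squid sends from that the router will not exclude from redirection.

    The router knows the cache only by the address it sees in WCCP; HTTP from any
    other local address is, to the router, just another client and gets redirected
    back to the cache. Each address returned needs an ACL entry, or Squid and WCCP
    should be bound to the single WCCP address.
    """
    wccp = ipaddress.ip_address(wccp_source)
    others = {a for a in map(ipaddress.ip_address, outbound_sources) if a != wccp}
    return sorted(str(a) for a in others)


if __name__ == "__main__":
    local, peer, issues = gre_tunnel_summary(parse_ifcfg(SAMPLE_IFCFG_GRE0))
    print(f"gre0 local {local}, implied peer {peer}, problems: {issues or 'none'}")
    # The post's example: router sees 192.168.1.1 for WCCP, Squid also sends from .2
    print("needs bypass:", unbypassed_sources("192.168.1.1", ["192.168.1.1", "192.168.1.2"]))
```

Run it against your own /etc/sysconfig/network-scripts/ifcfg-gre0 by reading the file into parse_ifcfg; an empty problems list plus a peer address that collides with nothing on your network is the state the post describes as working.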