2004-06-24 19:42:14

by Paul Komkoff

Subject: [RFC] How to implement wccp over gre tunnel ?

Hi!

Currently my goal is to make squid + wccp configuration working
out-of-the box. Ideally - without any extra modules.
I suspect that to be accepted into mainline implementation of it must
be as clean as possible :)

Currently, most wccp configurations are working with this module:
http://www.squid-cache.org/WCCP-support/Linux/ip_wccp.c

For things to work we need to get stream of packets redirected from
router, as standard non-encapsulated packets, and feed it into ip
filter.
The problem is router-side wccp algorithm. Instead of doing simple gre
encapsulation, wccp does the following:
1. Change protocol from ETH_P_IP (0x0800) to 0x883E
2. if it is wccp2, then add 4 bytes of flags

So, on receiver side, we need to do reverse thing.

Module I mentioned earlier inspects all GRE protocol packets, checking
bytes where proto value of its payload (e.g. encapsulated packet)
resides, and if it's 0x883E, then it strips gre header, strips wccp2
flags (if they exist), and requeues packets on any suitable interface (if I
understood that skb->dst = NULL correctly).
This works, actually, but (a) we cannot control local-remote of gre
tunnel, (b) we cannot determine whether that packet is from router or from
network itself and (c) when we have 2 or more routers turned to
different ip's on one host it is a complete mess.

When we, instead of using this module, properly configure gre tunnel
between host and router, we start getting packets with proto 0x883E
and probably (for wccp2) 4 extra bytes after proto field. Of course
this traffic is useless.

I am thinking about making decapsulated AND reconstructed (wrt proto
and wccp2 flags) packets appear on gre tunnel interface. This goal can
be implemented by following approaches:

1. Hack ip_gre.c. Add some sysctl to it, or maybe add possibility to
set specific flags on individual interfaces. When flag is set - ip_gre
rx routine parses wccp packets and converts it to acceptable ip.

2. Write module, with 0x883E protocol handler inside. That rx routine
should replace 0x883E with P_IP, check and strip v2 flags, and requeue
packet on interface where it arrived first.
This can be complemented with some settable flag specifying on which
interfaces it should do that translation.

What do you think? Which way I should do?

P.S. IIRC approach (1) is implemented in FreeBSD.

--
Paul P 'Stingray' Komkoff Jr // http://stingr.net/key <- my pgp key
This message represents the official view of the voices in my head


2004-06-24 23:01:25

by Henrik Nordstrom

Subject: Re: [RFC] How to implement wccp over gre tunnel ?

On Thu, 24 Jun 2004, Paul P Komkoff Jr wrote:

> Currently my goal is to make squid + wccp configuration working
> out-of-the box. Ideally - without any extra modules.

This is possible with WCCPv2 using direct routing avoiding the need of
GRE/WCCP tunneling. WCCPv2 patches do exist for Squid-2.5, but may be a
little hard to find.. (no official maintainer of the WCCPv2 support for
Squid at the moment)

> Currently, most wccp configurations are working with this module:
> http://www.squid-cache.org/WCCP-support/Linux/ip_wccp.c

Please note that this module is by no means clean, and lacks a lot in
security.

There is also a WCCP patch available to the GRE driver. This approach
provides a little more security but is also more complex to set up for the
same reasons and is not used very much..

http://www.swelltech.com/pengies/joe/patches/linux-2.4.8-ip_gre.patch

The GRE patch is very simplistic and would do good of being properly
implemented and integrated with the "ip tunnel" command for
configuration of the GRE protocol (normal GRE / WCCPv1 / WCCPv2 /
whatever...).

> What do you think? Which way I should do?

I think approach 1 (decapsulation within GRE) is most suitable. It also
provides an adequate level of control on security and permissions which
may be hard to accomplish if separating the two.

Regards
Henrik Nordström
aka [email protected] and current maintainer of the Squid ip_wccp.c
module
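
The receive-side check discussed in this thread, as an added userspace sketch (not code from ip_wccp.c, the GRE patch, or either poster): it decapsulates a 0x883E packet only when the outer addresses match a configured tunnel, which addresses concerns (a) to (c) above. The names `wccp_tunnel`, `wccp_decap` and `sample` are hypothetical; it assumes a GRE header without optional fields and that WCCPv1/WCCPv2 is set per tunnel.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define GRE_PROTO_WCCP 0x883E          /* protocol value named in the thread */
struct wccp_tunnel {                   /* hypothetical per-tunnel configuration */
    uint8_t local[4], remote[4];       /* configured tunnel endpoints */
    int wccp2;                         /* 1: expect the 4 extra WCCPv2 bytes */
};

static size_t be16(const uint8_t *p) { return ((size_t)p[0] << 8) | p[1]; }

/* Returns the offset of the inner IPv4 packet in pkt, or -1 to drop. */
int wccp_decap(const struct wccp_tunnel *t, const uint8_t *pkt, size_t len,
               size_t *inner_len)
{
    if (len < 20 || (pkt[0] >> 4) != 4) return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;
    if (ihl < 20 || be16(pkt + 2) > len) return -1;
    len = be16(pkt + 2);               /* ignore trailing link padding */
    if (len < ihl + 4 || pkt[9] != 47) return -1;       /* 47 = GRE */
    /* Accept only the configured router -> local pair, concerns (a)-(c). */
    if (memcmp(pkt + 12, t->remote, 4) || memcmp(pkt + 16, t->local, 4))
        return -1;
    const uint8_t *gre = pkt + ihl;
    if (gre[0] || gre[1]) return -1;   /* assumption: no GRE flags, version 0 */
    if (be16(gre + 2) != GRE_PROTO_WCCP) return -1;
    size_t off = ihl + 4 + (t->wccp2 ? 4 : 0);
    if (len < off + 20 || (pkt[off] >> 4) != 4) return -1;
    size_t in_ihl = (size_t)(pkt[off] & 0x0F) * 4, tot = be16(pkt + off + 2);
    if (in_ihl < 20 || tot < in_ihl || tot > len - off) return -1;
    *inner_len = tot;
    return (int)off;
}

/* Constructed sample: outer IP 192.0.2.1 -> 192.0.2.10, GRE, WCCPv2, inner IP. */
const uint8_t sample[48] = {
    0x45,0,0,48, 0,0,0,0, 64,47,0,0, 192,0,2,1, 192,0,2,10,
    0,0,0x88,0x3E,  0,0,0,0,
    0x45,0,0,20, 0,0,0,0, 64,6,0,0, 198,51,100,5, 203,0,113,7 };

int main(void)
{
    struct wccp_tunnel t = { {192,0,2,10}, {192,0,2,1}, 1 };
    size_t n = 0;
    int off = wccp_decap(&t, sample, sizeof sample, &n);
    printf("inner packet at offset %d, %zu bytes\n", off, n);
    return off < 0;
}
```

A packet from any other source address, or one whose payload does not start with an IPv4 header after the expected offset, is dropped rather than requeued.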