Re: [squid-users] Squid 6.2 with WCCP

2023-11-28 Thread ngtech1ltd
Thanks,

So an enterprise level Cisco.
The main issue is the upgrades for these...
Does anyone know if the newest Cisco devices still work with WCCP?

Eliezer

-Original Message-
From: squid-users On Behalf Of Amos Jeffries
Sent: Tuesday, September 12, 2023 8:20 AM
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 6.2 with WCCP

On 11/09/23 20:16, ngtech1ltd wrote:
> Hey,
> 
> What is required for testing the wccp code?


At minimum a Router or Switch with WCCPv2, plus separate machines for 
client and proxy.

Ideally;
  * at least two router/switch to test the changed code handling 
multiple routers.
  * ability to test both Mask and GRE assignment methods.
  * ability to test a mix of the capability and security settings in WCCPv2.


> I can try to get a Cisco device for a basic testing.
> Is there a specific bug report we can follow on this issue or maybe we should 
> follow on the PR?
> 

Test results in the PR please.

Cheers
Amos


> Eliezer
> 
> -Original Message-
> From: Amos Jeffries
> Sent: Tuesday, August 22, 2023 15:16
> 
> On 22/08/23 01:34, Alex Rousskov wrote:
>> On 8/21/23 05:06, Callum Haywood wrote:
>>>
>>> Does anyone understand what is causing these errors? Are there any
>>> known issues or patches in progress?
>>
>> A few years ago, several serious problems were discovered in WCCP code,
>> including security vulnerabilities:
>>
>> https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
>>
>> Some of the WCCP bugs were fixed without testing; developers fixing
>> those bugs could not easily test WCCP. Some of the old WCCP bugs
>> remained and some of the new fixes were buggy.
>>
>> Today, WCCP code remains problematic. If your customers rely on WCCP,
>> consider investing into revamping that neglected and buggy feature.
>>
> 
> This PR <https://github.com/squid-cache/squid/pull/970> has some
> progress towards a fix of those. See the latest comment (currently Sept
> 2022) for issues that still need to be resolved before that PR is ready
> for merge attempt.
> 
> The major issue remains the ability to test.
> 
> HTH
> Amos
> ___
> squid-users mailing list
> squid-users@lists.squid-cache.org
> http://lists.squid-cache.org/listinfo/squid-users
> 


Re: [squid-users] Squid 6.2 with WCCP

2023-09-11 Thread Amos Jeffries

On 11/09/23 20:16, ngtech1ltd wrote:
> Hey,
>
> What is required for testing the wccp code?

At minimum a Router or Switch with WCCPv2, plus separate machines for
client and proxy.

Ideally;
  * at least two router/switch to test the changed code handling
    multiple routers.
  * ability to test both Mask and GRE assignment methods.
  * ability to test a mix of the capability and security settings in WCCPv2.

> I can try to get a Cisco device for a basic testing.
> Is there a specific bug report we can follow on this issue or maybe we should
> follow on the PR?

Test results in the PR please.

Cheers
Amos

> Eliezer
>
> -Original Message-
> From: Amos Jeffries
> Sent: Tuesday, August 22, 2023 15:16
>
> On 22/08/23 01:34, Alex Rousskov wrote:
>> On 8/21/23 05:06, Callum Haywood wrote:
>>>
>>> Does anyone understand what is causing these errors? Are there any
>>> known issues or patches in progress?
>>
>> A few years ago, several serious problems were discovered in WCCP code,
>> including security vulnerabilities:
>>
>> https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
>>
>> Some of the WCCP bugs were fixed without testing; developers fixing
>> those bugs could not easily test WCCP. Some of the old WCCP bugs
>> remained and some of the new fixes were buggy.
>>
>> Today, WCCP code remains problematic. If your customers rely on WCCP,
>> consider investing into revamping that neglected and buggy feature.
>>
>
> This PR <https://github.com/squid-cache/squid/pull/970> has some
> progress towards a fix of those. See the latest comment (currently Sept
> 2022) for issues that still need to be resolved before that PR is ready
> for merge attempt.
>
> The major issue remains the ability to test.
>
> HTH
> Amos


Re: [squid-users] Squid 6.2 with WCCP

2023-09-11 Thread ngtech1ltd
Hey,

What is required for testing the wccp code?
I can try to get a Cisco device for a basic testing.
Is there a specific bug report we can follow on this issue or maybe we should 
follow on the PR?

Eliezer

-Original Message-
From: squid-users On Behalf Of Amos Jeffries
Sent: Tuesday, August 22, 2023 15:16
To: squid-users@lists.squid-cache.org
Subject: Re: [squid-users] Squid 6.2 with WCCP

On 22/08/23 01:34, Alex Rousskov wrote:
> On 8/21/23 05:06, Callum Haywood wrote:
>> 
>> Does anyone understand what is causing these errors? Are there any 
>> known issues or patches in progress?
> 
> A few years ago, several serious problems were discovered in WCCP code, 
> including security vulnerabilities:
> 
> https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
> 
> Some of the WCCP bugs were fixed without testing; developers fixing 
> those bugs could not easily test WCCP. Some of the old WCCP bugs 
> remained and some of the new fixes were buggy.
> 
> Today, WCCP code remains problematic. If your customers rely on WCCP, 
> consider investing into revamping that neglected and buggy feature.
> 

This PR <https://github.com/squid-cache/squid/pull/970> has some 
progress towards a fix of those. See the latest comment (currently Sept 
2022) for issues that still need to be resolved before that PR is ready 
for merge attempt.

The major issue remains the ability to test.

HTH
Amos


Re: [squid-users] Squid 6.2 with WCCP

2023-08-22 Thread Amos Jeffries

On 22/08/23 01:34, Alex Rousskov wrote:
> On 8/21/23 05:06, Callum Haywood wrote:
>>
>> Does anyone understand what is causing these errors? Are there any
>> known issues or patches in progress?
>
> A few years ago, several serious problems were discovered in WCCP code,
> including security vulnerabilities:
>
> https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82
>
> Some of the WCCP bugs were fixed without testing; developers fixing
> those bugs could not easily test WCCP. Some of the old WCCP bugs
> remained and some of the new fixes were buggy.
>
> Today, WCCP code remains problematic. If your customers rely on WCCP,
> consider investing into revamping that neglected and buggy feature.
>

This PR <https://github.com/squid-cache/squid/pull/970> has some
progress towards a fix of those. See the latest comment (currently Sept
2022) for issues that still need to be resolved before that PR is ready
for merge attempt.

The major issue remains the ability to test.

HTH
Amos


Re: [squid-users] Squid 6.2 with WCCP

2023-08-21 Thread Alex Rousskov

On 8/21/23 05:06, Callum Haywood wrote:

> We are currently testing Squid 6.2 with WCCP. Running on Ubuntu 20.04.6
> LTS with a GRE tunnel to a Cisco 2821.
>
> We are seeing the following errors in the logs:
>
> 2023/08/18 10:13:02| ERROR: Ignoring WCCPv2 message: check failed: duplicate
> security definition
>      exception location: wccp2.cc(1254) wccp2HandleUdp
>
> I have built Squid 4.15 on the same host and using the same config the
> Cisco is able to see Squid, send traffic, and there are no WCCP errors
> in the logs.
>
> I have done a diff between the wccp2.cc source in 4.15 and 6.2 and see
> that there are quite a few changes. In the release notes I see "WCCP:
> Validate packets better".

FWIW, that change is present in Squid v4.17 as well.

> Does anyone understand what is causing these errors? Are there any known
> issues or patches in progress?

A few years ago, several serious problems were discovered in WCCP code,
including security vulnerabilities:

https://github.com/squid-cache/squid/security/advisories/GHSA-rgf3-9v3p-qp82

Some of the WCCP bugs were fixed without testing; developers fixing
those bugs could not easily test WCCP. Some of the old WCCP bugs
remained and some of the new fixes were buggy.

Today, WCCP code remains problematic. If your customers rely on WCCP,
consider investing into revamping that neglected and buggy feature.

Current Squid v4-v6 releases appear to be missing the following WCCP fix
in master/v7 (but it will probably not address the "duplicate security
definition" issue you are facing):

https://github.com/squid-cache/squid/commit/478eba2a3392c46b12cd5abf433ac4442d7515b7


HTH,

Alex.
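
A triage sketch for the rejections quoted in this thread, added here as an example and not code from the Squid project or from any poster: it folds wrapped continuation lines back into their cache.log record and counts WCCPv2 "check failed" reasons per source location, with first and last time seen. The sample log is constructed in the shape of the excerpt above, and the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the shape of the cache.log excerpt quoted in the thread,
# including mail-wrapped lines and a record cut off mid-line.
SAMPLE_LOG = """\
2023/08/18 10:13:01| Accepting WCCPv2 messages on port 2048, FD 12.
2023/08/18 10:13:02| ERROR: Ignoring WCCPv2 message: check failed: duplicate
security definition
    exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:12| ERROR: Ignoring WCCPv2 message: check failed: duplicate security definition
    exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:27| ERROR: Ignoring WCCPv2 message: check failed: WCCP packet
type unsupported
exception location: wccp2.cc(1226) wccp2HandleUdp
2023/08/18 10:13:42| ERROR: Ignoring WCCPv
"""

STAMP = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2})(?:\.\d+)?\|\s?(.*)$")
REJECT = re.compile(r"ERROR: Ignoring WCCPv2 message: check failed: (.+?)"
                    r"(?: exception location: (\S+\(\d+\)) \S+)?$")

def records(text):
    """Yield [timestamp, message]; a line without a timestamp continues the previous record."""
    current = None
    for raw in text.splitlines():
        m = STAMP.match(raw)
        if m:
            if current:
                yield current
            current = [datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"), m.group(2).strip()]
        elif current and raw.strip():
            current[1] += " " + raw.strip()
    if current:
        yield current

def wccp_rejections(text):
    """Return (timestamp, reason, source location or None) per rejected WCCPv2 message."""
    hits = ((when, REJECT.search(msg)) for when, msg in records(text))
    return [(when, m.group(1), m.group(2)) for when, m in hits if m]

def summarize(text):
    """Map (reason, location) -> [count, first seen, last seen]."""
    summary = {}
    for when, reason, loc in wccp_rejections(text):
        entry = summary.setdefault((reason, loc), [0, when, when])
        entry[0] += 1
        entry[2] = when
    return summary

if __name__ == "__main__":
    for (reason, loc), (n, first, last) in summarize(SAMPLE_LOG).items():
        print(f"{n:3d}  {reason}  at {loc}  {first:%H:%M:%S}..{last:%H:%M:%S}")
```

Run against the same cache.log before and after an upgrade, the per-reason counts show whether a new validation check is rejecting every message from the router or only some of them.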



[squid-users] Squid 6.2 with WCCP

2023-08-21 Thread Callum Haywood
Hi,

We are currently testing Squid 6.2 with WCCP. Running on Ubuntu 20.04.6 LTS 
with a GRE tunnel to a Cisco 2821.

We are seeing the following errors in the logs:

2023/08/18 10:13:02| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:12| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:22| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:27| ERROR: Ignoring WCCPv2 message: check failed: WCCP packet 
type unsupported
exception location: wccp2.cc(1226) wccp2HandleUdp
2023/08/18 10:13:32| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:42| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp

The squid config is attached (it is only used in a controlled test lab), as 
well as the complete log.

I have built Squid 4.15 on the same host and using the same config the Cisco is 
able to see Squid, send traffic, and there are no WCCP errors in the logs.

I have done a diff between the wccp2.cc source in 4.15 and 6.2 and see that 
there are quite a few changes. In the release notes I see "WCCP: Validate 
packets better".

Does anyone understand what is causing these errors? Are there any known issues 
or patches in progress?

Thanks
Callum



squid_wccp_minimal.conf
Description: squid_wccp_minimal.conf
2023/08/18 10:13:01| Processing Configuration File: 
/usr/local/squid/etc/squid.conf (depth 0)
2023/08/18 10:13:01| Created PID file (/usr/local/squid/var/run/squid.pid)
2023/08/18 10:13:01| Set Current Directory to /usr/local/squid/var/cache/squid
2023/08/18 10:13:01| Starting Squid Cache version 6.2 for x86_64-pc-linux-gnu...
2023/08/18 10:13:01| Service Name: squid
2023/08/18 10:13:01| Process ID 2826
2023/08/18 10:13:01| Process Roles: master worker
2023/08/18 10:13:01| With 1024 file descriptors available
2023/08/18 10:13:01| Initializing IP Cache...
2023/08/18 10:13:01| DNS IPv6 socket created at [::], FD 8
2023/08/18 10:13:01| DNS IPv4 socket created at 0.0.0.0, FD 9
2023/08/18 10:13:01| Adding nameserver 127.0.0.53 from /etc/resolv.conf
2023/08/18 10:13:01| Adding domain coventry from /etc/resolv.conf
2023/08/18 10:13:01| Adding domain tst.coventry from /etc/resolv.conf
2023/08/18 10:13:01| Adding domain demo.appliansys.com from /etc/resolv.conf
2023/08/18 10:13:01| Adding domain tst from /etc/resolv.conf
2023/08/18 10:13:01| Logfile: opening log 
daemon:/usr/local/squid/var/logs/access.log
2023/08/18 10:13:01| Logfile Daemon: opening log 
/usr/local/squid/var/logs/access.log
2023/08/18 10:13:01| Local cache digest enabled; rebuild/rewrite every 
3600/3600 sec
2023/08/18 10:13:01| Store logging disabled
2023/08/18 10:13:01| Swap maxSize 0 + 262144 KB, estimated 20164 objects
2023/08/18 10:13:01| Target number of buckets: 1008
2023/08/18 10:13:01| Using 8192 Store buckets
2023/08/18 10:13:01| Max Mem  size: 262144 KB
2023/08/18 10:13:01| Max Swap size: 0 KB
2023/08/18 10:13:01| Using Least Load store dir selection
2023/08/18 10:13:01| Set Current Directory to /usr/local/squid/var/cache/squid
2023/08/18 10:13:01| Finished loading MIME types and icons.
2023/08/18 10:13:01.734| 80,2| wccp.cc(114) wccpConnectionOpen: WCCPv1 disabled.
2023/08/18 10:13:01| Accepting WCCPv2 messages on port 2048, FD 12.
2023/08/18 10:13:01| Initialising all WCCPv2 lists
2023/08/18 10:13:01| HTCP Disabled.
2023/08/18 10:13:01| Squid plugin modules loaded: 0
2023/08/18 10:13:01| Adaptation support is off.
2023/08/18 10:13:01| Accepting HTTP Socket connections at conn4 local=[::]:3128 
remote=[::] FD 13 flags=9
listening port: 3128
2023/08/18 10:13:02| storeLateRelease: released 0 objects
2023/08/18 10:13:01| Accepting HTTP Socket connections at conn4 local=[::]:3128 
remote=[::] FD 13 flags=9
listening port: 3128
2023/08/18 10:13:02| storeLateRelease: released 0 objects
2023/08/18 10:13:02| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:12| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:22| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:27| ERROR: Ignoring WCCPv2 message: check failed: WCCP packet 
type unsupported
exception location: wccp2.cc(1226) wccp2HandleUdp
2023/08/18 10:13:32| ERROR: Ignoring WCCPv2 message: check failed: duplicate 
security definition
exception location: wccp2.cc(1254) wccp2HandleUdp
2023/08/18 10:13:42| ERROR: Ignoring WCCPv