This diff allows us to set net.inet.gre.wccp sysctl to 2, in which 
case gre(4) will skip the WCCPv2 redirect header, allowing us to
handle the packet in the same way as WCCPv1.

Squid knows how to set up the WCCPv2 session with the Cisco and
handles transparent HTTP proxying; use PF to divert the traffic into
Squid's intercept port (or, with relayd, use 'forward to destination').

Tested on amd64 with a Cisco ASA 5520.

More magic (perhaps in PF) would be needed to actually interpret
the redirect header and fully handle the WCCPv2 protocol.


Index: share/man/man4/gre.4
===================================================================
RCS file: /cvs/src/share/man/man4/gre.4,v
retrieving revision 1.39
diff -u -p -u -r1.39 gre.4
--- share/man/man4/gre.4        19 Oct 2013 16:53:15 -0000      1.39
+++ share/man/man4/gre.4        20 Dec 2014 11:56:25 -0000
@@ -54,7 +54,10 @@ variables respectively in
 .It Va net.inet.gre.allow
 Allow GRE packets in and out of the system.
 .It Va net.inet.gre.wccp
-Allow WCCPv1-style GRE packets into the system (depends on the above).
+Set to 1 to allow WCCPv1-style GRE packets into the system,
+set to 2 to handle the the packets as WCCPv2-style GRE, truncating
+the redirect header.
+This variable depends on the above.
 .It Va net.inet.mobileip.allow
 Allow MobileIP packets in and out of the system.
 .El
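Review bot: the added line "set to 2 to handle the the packets as WCCPv2-style GRE" has a doubled "the". The wording "truncating the redirect header" also suggests the header is cut short, whereas the ip_gre.c change and the new BUGS text both say the 4-byte redirect header is skipped; "skipping the 4-byte redirect header" would describe the behaviour accurately.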
@@ -235,8 +238,8 @@ The kernel must be set to forward datagr
 option to
 .Xr sysctl 8 .
 .Pp
-The GRE interface will accept WCCPv1-style GRE encapsulated packets
-from a Cisco router.
+The GRE interface will accept WCCPv1-style or WWCPv2-style GRE
+encapsulated packets from a Cisco router.
 Some magic with the packet filter configuration
 and a caching proxy like squid are needed to do anything useful with
 these packets.
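Review bot: "WWCPv2-style" on the first added line is a typo for "WCCPv2-style".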
@@ -292,6 +295,5 @@ these packets.
 .Sh BUGS
 GRE RFC not yet fully implemented (no GRE options).
 .Pp
-For the WCCP GRE encapsulated packets we can only reliably accept
-WCCPv1 format; WCCPv2 formatted packets add another header which will
-skew the decode, and results are not defined (i.e. don't do WCCPv2).
+For WCCPv2 GRE encapsulated packets we don't handle the redirect
+header, but simply skip it.
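Review bot: the new BUGS sentence should say that this only happens when net.inet.gre.wccp is set to 2, matching the variable description earlier in the page; as written it reads as if every WCCP GRE packet is treated as WCCPv2. It would also help to state explicitly that the skipped redirect header is neither parsed nor validated, since that is the remaining gap the sentence is documenting.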
Index: sys/netinet/ip_gre.c
===================================================================
RCS file: /cvs/src/sys/netinet/ip_gre.c,v
retrieving revision 1.52
diff -u -p -u -r1.52 ip_gre.c
--- sys/netinet/ip_gre.c        19 Dec 2014 17:14:40 -0000      1.52
+++ sys/netinet/ip_gre.c        20 Dec 2014 11:56:25 -0000
@@ -145,14 +145,22 @@ gre_input2(struct mbuf *m, int hlen, u_c
                         *   GRE tunnel is precisely a IP-in-GRE tunnel that 
differs
                         *   only in its protocol number.  At least, it works 
for me.
                         *
-                        *   The Internet Draft can be found if you look for
+                        *   The Internet Drafts can be found if you look for
+                        *   the following:
                         *     draft-forster-wrec-wccp-v1-00.txt
+                        *     draft-wilson-wrec-wccp-v2-01.txt
                         *
                         *   So yes, we're doing a fall-through (unless, of 
course,
                         *   net.inet.gre.wccp is 0).
                         */
                        if (!gre_wccp)
                                return (0);
+                       /*
+                        * For WCCPv2, additionally skip the 4 byte
+                        * redirect header.
+                        */
+                       if (gre_wccp == 2) 
+                               hlen += 4;
                case ETHERTYPE_IP: /* shouldn't need a schednetisr(), as */
                        ifq = &ipintrq;          /* we are in ip_input */
                        af = AF_INET;
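Review bot: the new `hlen += 4` for gre_wccp == 2 is applied with no visible check that the mbuf actually contains 4 more bytes beyond the GRE header, so a short or malformed packet would have hlen extended past its end when the later code strips hlen bytes; suggest verifying the packet length (for example that m->m_pkthdr.len is at least hlen + 4) before extending hlen and dropping the packet otherwise. Also note that the skip is unconditional for this mode: with the sysctl at 2 every WCCP GRE packet is assumed to carry the redirect header, so a WCCPv1-style packet arriving on the same host would lose the first 4 bytes of its inner IP header, which the manual page change should state. Minor: the line `if (gre_wccp == 2) ` carries trailing whitespace.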
