Hi, all. After squid 3.1 ate all of my memory, i installed squid 3.2 (which also ate all of my memory, but this is an another story). It seems, in squid 3.2 tproxy is not work right. squid reply to my request, but count of packets too small for normal workflow. If i connect directly to squid (to normal mode 3128 port), all work fine. How can i debug this problem? My config (3.2.8): acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network acl localnet src fc00::/7 # RFC 4193 local private network range acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http acl Safe_ports port 21 # ftp acl Safe_ports port 443 # https acl Safe_ports port 70 # gopher acl Safe_ports port 210 # wais acl Safe_ports port 1025-65535 # unregistered ports acl Safe_ports port 280 # http-mgmt acl Safe_ports port 488 # gss-http acl Safe_ports port 591 # filemaker acl Safe_ports port 777 # multiling http acl CONNECT method CONNECT http_access allow localhost manager http_access deny manager http_access allow localnet http_access allow localhost http_access allow all http_port 3128 http_port 3129 tproxy access_log none coredump_dir /usr/local/var/cache/squid url_rewrite_program /usr/bin/squidGuard -c /etc/squidguard/squidGuard.conf url_rewrite_children 30 startup=5 idle=10 concurrency=0 refresh_pattern ^ftp: 1440 20% 10080 refresh_pattern ^gopher: 1440 0% 1440 refresh_pattern -i (/cgi-bin/|\?) 0 0% 0 refresh_pattern . 0 20% 4320 cache_effective_user proxy iptables-save: # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013 *raw :PREROUTING ACCEPT [7824875024:8401335411812] :OUTPUT ACCEPT [3675157306:6129226492352] COMMIT # Completed on Wed Mar 6 15:41:59 2013 # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013 *mangle :PREROUTING ACCEPT [6770135987:6702261415787] :INPUT ACCEPT [4838725878:6108754481433] :FORWARD ACCEPT [2985099037:2292524666165] :OUTPUT ACCEPT [3675156676:6129226454540] :POSTROUTING ACCEPT [6660255713:8421751120705] :tproxied - [0:0] -A PREROUTING -p tcp -m socket --transparent -j tproxied -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0xffffffff -A tproxied -j MARK --set-xmark 0x1/0xffffffff -A tproxied -j ACCEPT COMMIT # Completed on Wed Mar 6 15:41:59 2013 # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013 *nat :PREROUTING ACCEPT [166764142:12594892291] :INPUT ACCEPT [88382392:5321491245] :OUTPUT ACCEPT [54669707:3295422034] :POSTROUTING ACCEPT [132896164:10559090386] COMMIT # Completed on Wed Mar 6 15:41:59 2013 # Generated by iptables-save v1.4.14 on Wed Mar 6 15:41:59 2013 *filter :INPUT ACCEPT [14588788:12990241586] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [12967278:12836984550] :block_ip - [0:0] :fail2ban-ssh - [0:0] -A INPUT -p tcp -m multiport --dports 22 -j fail2ban-ssh -A INPUT -s 10.232.0.0/16 -p tcp -m tcp --dport 3128 -j ACCEPT -A INPUT -s 10.232.0.0/16 -p tcp -m tcp --dport 3129 -j ACCEPT -A INPUT -p tcp -m tcp --dport 3129 -j DROP -A FORWARD -o eth0 -j block_ip -A fail2ban-ssh -j RETURN COMMIT # Completed on Wed Mar 6 15:41:59 2013 ip rule: 0: from all lookup local 30000: from all fwmark 0x1 lookup tproxy 32766: from all lookup main 32767: from all lookup default ip rou show table tproxy: local default dev lo scope host This configuration works fine with squid 3.1.
