On 03/15/2014 05:11 PM, Amos Jeffries wrote:
On 15/03/2014 6:46 p.m., Amm wrote:
I would like to mark outgoing packet (on server side) with SAME MARK as on incoming (NATed or CONNECTed) packet.
http://www.squid-cache.org/Doc/config/qos_flows/
Squid default action is to pass the netfilter MARK value from client
through to the server. All you should need to do is *omit*
tcp_outgoing_mark directives from changing it to something else.
Amos
Oh that's great, thanks, I did not know this.
However, I tried this but somehow I am not able to get it working.
Please let me know what could be wrong.
First I thought it may be because netfilter-conntrack-devel was not
installed. So I installed the same.
Then I recompiled squid with these:
--with-netfilter-conntrack and --with-libcap
configure: ZPH QOS enabled: yes
configure: QOS netfilter mark preservation enabled: yes
...
checking for operational libcap2 headers... yes
configure: libcap support enabled: yes
configure: libcap2 headers are ok: yes
...
configure: Linux Netfilter support requested: yes
configure: Linux Netfilter Conntrack support requested: yes
checking for library containing nfct_query... -lnetfilter_conntrack
(4-5 more lines of header checks, each answering yes)
Installed new squid and restarted squid.
Ran following iptables command for debugging:
# CMD 1- mark all packets coming from 192.168.1.45
$ iptables -t mangle -I PREROUTING -s 192.168.1.45 -j MARK --set-mark 0x112
# CMD 2 - count packets/bytes going OUT on port 80 and marked 0x112
$ iptables -t mangle -I POSTROUTING -m mark --mark 0x112 -p tcp --dport 80
# CMD 3 - NAT settings (intercept)
$ iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 22610 packets, 2251K bytes)
 pkts bytes target   prot opt in   out  source      destination
  347 21371 REDIRECT tcp  --  eth0 *    0.0.0.0/0   0.0.0.0/0    tcp dpt:80 redir ports 3128
Some settings in /etc/squid/squid.conf:
http_port 3128 intercept
# log for nfmark logging
logformat nfmark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %>nfmark %<nfmark
access_log daemon:/var/log/squid/access.log squid all
access_log daemon:/var/log/squid/nfmark.log nfmark all
(Do I need to put anything else in squid.conf for marking?)
(There is no tcp_outgoing_mark)
Now I accessed Google from 192.168.1.45
$ tail /var/log/squid/nfmark.log
1394891128.585 403 192.168.1.45 TCP_MISS/200 21137 GET http://www.google.co.in/?xxx - HIER_DIRECT/173.194.36.56 text/html 0x0 0x0
1394891128.793 92 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/srpr/mlogo2x_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0
1394891128.851 115 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/logo_mobile_srp_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0
nfmark in and out are both logged as 0x0, whereas I was expecting at least one of them to be 0x112.
$ iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 1590 packets, 604K bytes)
 pkts bytes target prot opt in   out  source        destination
  135 22042 MARK   all  --  *    *    192.168.1.45  0.0.0.0/0    MARK set 0x112
$ iptables -t mangle -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1653 packets, 372K bytes)
 pkts bytes target prot opt in   out  source      destination
    0     0        tcp  --  *    *    0.0.0.0/0   0.0.0.0/0    mark match 0x112 multiport dports 80,443
PREROUTING shows 135 packets MARKed as 0x112 but POSTROUTING shows no
packets marked.
What could be wrong?
Thanks in advance.
Amm
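An added example, not part of the thread above: a small POSIX shell script that reads log lines in the "nfmark" logformat posted above and splits them into three buckets, so you can tell whether the mark is failing to reach Squid on the client side (%>nfmark is not the expected value, which points at the mangle/conntrack side) or is reaching Squid but not being carried to the server connection (%<nfmark differs from %>nfmark). The sample lines are constructed for illustration, with two of them altered to show the other two buckets; the function names and the expected-mark argument are this example's own choices.

```shell
#!/bin/sh
# Added example: classify Squid "nfmark" log lines by their two trailing
# netfilter mark fields (%>nfmark = client side, %<nfmark = server side).
# Field positions assume the logformat from the post, where the marks are
# the last two whitespace-separated fields.

# Constructed sample log (not real traffic). Line 1 mirrors the post's
# output (0x0 0x0); lines 2 and 3 are altered to show the other cases.
SAMPLE_LOG='1394891128.585 403 192.168.1.45 TCP_MISS/200 21137 GET http://www.google.co.in/?xxx - HIER_DIRECT/173.194.36.56 text/html 0x0 0x0
1394891128.793 92 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/srpr/mlogo2x_3.png - HIER_DIRECT/173.194.36.56 - 0x112 0x112
1394891128.851 115 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/logo_mobile_srp_3.png - HIER_DIRECT/173.194.36.56 - 0x112 0x0'

# nfmark_summary EXPECTED_MARK   (log lines on stdin)
# Prints "missing_in=N not_preserved=N ok=N":
#   missing_in    - client-side mark is not EXPECTED_MARK (look at the
#                   mangle table / conntrack build, not at Squid's output)
#   not_preserved - client-side mark is right but the server-side mark
#                   differs (look at qos_flows / tcp_outgoing_mark)
#   ok            - both marks equal EXPECTED_MARK
nfmark_summary() {
    awk -v want="$1" '
        NF >= 2 {
            cin = $(NF - 1); cout = $NF
            if (cin != want)       missing++
            else if (cout != cin)  lost++
            else                   ok++
        }
        END {
            printf "missing_in=%d not_preserved=%d ok=%d\n", missing, lost, ok
        }'
}

# nfmark_unmarked_clients EXPECTED_MARK   (log lines on stdin)
# Prints the distinct client addresses (field 3, %>a) whose requests
# arrived without the expected client-side mark.
nfmark_unmarked_clients() {
    awk -v want="$1" 'NF >= 2 && $(NF - 1) != want { print $3 }' | sort -u
}

# Stand-alone run over the constructed sample:
#   printf '%s\n' "$SAMPLE_LOG" | nfmark_summary 0x112
#   printf '%s\n' "$SAMPLE_LOG" | nfmark_unmarked_clients 0x112
```

Run it against the real file with `nfmark_summary 0x112 < /var/log/squid/nfmark.log`. Every line landing in `missing_in`, as in the post's own output, means the client-side value Squid read was already 0x0, so the thing to check is whether the mark is actually present on the connection at the point Squid queries conntrack, before looking at anything on the outgoing side.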