On 13/10/18 5:13 AM, morteza omidian wrote:
>
> Thank you, I see it now.
> It does not help me, I want to have an acl to select traffic (HTTP
> traffic that comes from client to squid) that has a specific packet
> mark and then send them out with another mark. Like this:
> In iptables-mangle-PREROUTING:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
>
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
>
> Is that possible or not?

What you ask for is not possible. What you are trying to do *is*
possible ...

> I want this kind of marks because I need to determine source interface
> of packets after they go out of squid!

Two things:

1) The rules you have above *do not* do what you say you are wanting.
The iptables rule marks *everything* on every interface with 0x1,
overwriting whatever Squid would set.

2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.

What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid
which have *nothing* to do with individual packets.

The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.

Think of things this way:

MARK - stays within nftables/iptables.

CONNMARK - stays within the machine. Can go to other software within
the same machine.

TOS - goes to other machines, and possibly networks.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
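Amos's advice above as a concrete configuration, added here as an example and not code from the thread or the Squid project: the quoted -j MARK rule beside a CONNMARK rule restricted to the client-facing interface, and the matching squid.conf lines. The interface name eth1, the mark values 0x1/0x2 and the acl name are assumptions, and clientside_mark needs a Squid build with Netfilter conntrack mark support.

```shell
#!/bin/sh
# Added example, not from the thread. eth1, 0x1/0x2 and from_lan are assumed values.
# By default the rules are only printed; set IPT_DRY_RUN=0 to apply them (needs root).
IPT="${IPT:-iptables}"
IPT_DRY_RUN="${IPT_DRY_RUN:-1}"

run() {
  if [ "$IPT_DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Weak rule, as quoted in the thread: -j MARK tags every port-80 packet on
# every interface, and a packet mark is never visible to Squid.
weak_rule() {
  run "$IPT" -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
}

# Corrected rule: CONNMARK on the first packet of each new connection that
# arrives on the client-facing interface ($1). conntrack keeps the mark for
# the life of the connection, where Squid's clientside_mark ACL can read it.
connmark_rule() {
  run "$IPT" -t mangle -A PREROUTING -i "$1" -p tcp --dport 80 \
      -m conntrack --ctstate NEW -j CONNMARK --set-mark 0x1
}

# squid.conf fragment: match the connection mark set above and give the
# matching outbound traffic its own mark (0x2), which policy routing
# (e.g. an "ip rule ... fwmark 0x2" entry) can use to pick the egress interface.
squid_conf_fragment() {
  cat <<'EOF'
acl from_lan clientside_mark 0x1
tcp_outgoing_mark 0x2 from_lan
EOF
}

connmark_rule eth1
squid_conf_fragment
```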