Re: squid and iptables

Thanks again.
OK, if I want to know the connmark of packets and connections in Squid, then select them with an ACL inside Squid and then mark them again with "tcp_outgoing_mark", is that possible?

On this page I don't see what you said!
The ACLs that can be configured only match the clients' source IP addresses or domain and ..., not connmark!

On Saturday, October 13, 2018, 5:47:49 AM GMT+3:30, Amos Jeffries <squid3@xxxxxxxxxxxxx> wrote:


On 13/10/18 5:13 AM, morteza omidian wrote:
>
> Thank you, I see it now.
> It does not help me. I want to have an ACL to select traffic (HTTP
> traffic that comes from the client to Squid) that has a specific packet
> mark and then send it out with another mark, like this:
> In iptables-mangle-PREROUTING: 
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
>
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
>
> Is that possible or not?


What you ask for is not possible.

What you are trying to do *is* possible ...


> I want this kind of mark because I need to determine the source interface
> of packets after they go out of Squid!

Two things:

1) The rules you have above *do not* do what you say you want.
The iptables rule marks *everything* on every interface with 0x1,
overwriting whatever Squid would set.


2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.


What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid,
which has *nothing* to do with individual packets.

The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.



Think of it this way:

MARK - stays within nftables/iptables.

CONNMARK - stays within the machine. Can go to other software within
the same machine.

TOS - goes to other machines, and possibly networks.



Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
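The following is an added example for this thread, not code from any of the posts above or from the Squid project. It puts the per-packet MARK rule from the question beside a CONNMARK ruleset and the squid.conf lines that consume the connmark: the clientside_mark ACL that Amos names, and the tcp_outgoing_mark directive from the question. The interface name (eth1), the mark values (0x1 for client connections, 0x2 for Squid's outgoing connections) and the ACL name from_lan are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example for the squid-users thread "squid and iptables"; not code
# from the posts or from the Squid project. Shows the MARK rule from the
# question beside a CONNMARK ruleset plus a squid.conf fragment that reads
# the connmark (clientside_mark) and stamps Squid's own outgoing
# connections (tcp_outgoing_mark).
# Interface name and mark values are assumptions chosen for illustration.

LAN_IF=eth1            # assumed client-facing interface
CLIENT_MARK=0x1        # connmark stamped on client -> Squid connections
SQUID_OUT_MARK=0x2     # mark Squid sets on the sockets it opens upstream

# The rule as posted: a per-packet MARK, on every interface, which Squid
# cannot see. Kept only so the two approaches can be compared.
wrong_rules() {
    printf '%s\n' \
        "iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1"
}

# Replacement: a CONNMARK on the client connection, restricted to the LAN
# interface and set once when the connection is NEW. conntrack carries the
# mark for the life of the connection, and Squid reads it from there.
connmark_rules() {
    printf '%s\n' \
        "iptables -t mangle -A PREROUTING -i $LAN_IF -p tcp --dport 80 -m conntrack --ctstate NEW -j CONNMARK --set-mark $CLIENT_MARK"
}

# squid.conf fragment: match the connmark, then give those requests'
# outgoing connections a distinct mark that policy routing can act on.
# clientside_mark needs a Squid build with Netfilter conntrack support.
squid_conf() {
    cat <<EOF
acl from_lan clientside_mark $CLIENT_MARK
tcp_outgoing_mark $SQUID_OUT_MARK from_lan
EOF
}

# Distinct values matter: if the two marks were equal, the routing side
# could not tell client-side traffic from Squid's own upstream traffic.
marks_are_distinct() {
    [ "$CLIENT_MARK" != "$SQUID_OUT_MARK" ]
}

show() {
    echo "# rule from the question (single packet, every interface):"
    wrong_rules
    echo
    echo "# replacement ruleset:"
    connmark_rules
    echo
    echo "# squid.conf:"
    squid_conf
}

# Runs each generated rule. The rules contain only unquoted tokens, so the
# word splitting of $rule is intended. Needs root and iptables.
apply_connmark_rules() {
    connmark_rules | while IFS= read -r rule; do
        $rule
    done
}

if [ "${APPLY_RULES:-0}" = 1 ]; then
    marks_are_distinct && apply_connmark_rules
else
    show
fi
```

Run it with no arguments to print both rulesets and the squid.conf fragment; set APPLY_RULES=1 (as root, on a host with iptables and conntrack) to install the CONNMARK rule. Limiting the rule to the client interface and to NEW connections is what keeps it from stamping replies or unrelated interfaces, which is Amos's first objection to the posted rule. The value set by tcp_outgoing_mark appears as the fwmark on Squid's upstream packets; selecting the upstream interface from that mark (typically an ip rule keyed on fwmark) is the usual next step and is not covered by the thread, so it is left out here.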