
iptables CONNMARK with squid

I have the following setup:

squid -v
Squid Cache: Version 4.8
Service Name: squid
201909121340

This binary uses OpenSSL 1.0.2k-fips  26 Jan 2017. For legal restrictions on distribution see https://www.openssl.org/source/license.html

configure options:  '--enable-ssl-crtd' '--enable-build-info=201909121340' '--disable-arch-native' '--with-large-files' '--enable-wccpv2' '--enable-delay-pools' '--enable-icap-client' '--with-openssl' '--enable-ssl' '--enable-ltdl-convenience' '--enable-linux-netfilter' '--enable-auth' '--with-libcap' '--with-default-user=squid' '--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid' '--with-swapdir=/var/spool/squid'

squid.conf
     qos_flows mark

iptables
     target     prot opt in     out     source               destination
     CONNMARK   tcp  --  interface2  *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 CONNMARK xset 0x6b0000/0x7fff0000

     DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:443 mark match 0x6b0000 to:IP:9443

ip rule show
     204:    from all fwmark 0x6b0000/0x7fff0000 lookup 107

ip route show table 107
     10.0.0.0/8 dev interface2 scope link
     127.0.0.1 dev lo scope link
     172.16.0.0/12 dev interface2 scope link
     192.168.0.0/16 dev interface2 scope link

I do see the packet in the squid log, which appears to have the mark:

2020/05/26 17:22:20.557 kid3| 28,3| Eui48.cc(516) lookup: id=0x17b20b4 192.168.128.2 NOT found
2020/05/26 17:22:20.557 kid3| 17,3| QosConfig.cc(148) getNfmarkCallback: 0x6b0000
2020/05/26 17:22:20.557 kid3| 51,3| fd.cc(198) fd_open: fd_open() FD 26 HTTP Request
2020/05/26 17:22:20.557 kid3| 5,5| TcpAcceptor.cc(301) acceptOne: Listener: local=localIP remote=[::] FD 23 flags=33 accepted new connection local=websiteIP remote=192.168.128.2:59769 FD 26 flags=33 handler Subscription: 0xee7580*1

It doesn't seem to preserve the mark when making the request to the server.

I have two questions:

Is it better to use tproxy versus dnat when trying to preserve the mark?

It also appears that even though I mark the packet and have a separate routing table, the packet never seems to make it to squid unless I have a route for the source address in the main table. Is there a way to make squid use the second routing table?

Thanks,


_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
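An added example (not from the post or from the Squid project): a small Python parser for the cache.log debug lines quoted above that pulls the value Squid logs in getNfmarkCallback and compares it against the mark/mask used by the CONNMARK rule and the ip rule (0x6b0000/0x7fff0000), the same masked comparison the kernel applies, so one can confirm from the log whether each accepted connection carried the expected mark. The fourth log line (mark 0x0) is constructed to give the check a non-matching case.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the three cache.log lines quoted in the post, plus one
# hypothetical getNfmarkCallback line (timestamp and mark 0x0 made up) so that
# the check below has a non-matching case to report.
SAMPLE_LOG = """\
2020/05/26 17:22:20.557 kid3| 28,3| Eui48.cc(516) lookup: id=0x17b20b4 192.168.128.2 NOT found
2020/05/26 17:22:20.557 kid3| 17,3| QosConfig.cc(148) getNfmarkCallback: 0x6b0000
2020/05/26 17:22:20.557 kid3| 51,3| fd.cc(198) fd_open: fd_open() FD 26 HTTP Request
2020/05/26 17:22:21.101 kid3| 17,3| QosConfig.cc(148) getNfmarkCallback: 0x0
"""

# Mark and mask taken from the post's CONNMARK rule: xset 0x6b0000/0x7fff0000.
CONNMARK_VALUE = 0x6B0000
CONNMARK_MASK = 0x7FFF0000

# Squid debug line: "<date> <time> kidN| <section>,<level>| <file>(<line>) <func>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3}) (?P<kid>kid\d+)\| "
    r"(?P<section>\d+),(?P<level>\d+)\| (?P<src>[^\s(]+)\((?P<srcline>\d+)\) "
    r"(?P<func>\w+): (?P<msg>.*)$"
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one cache.log debug line into its fields; None if not a debug line."""
    m = LINE_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def mark_matches(mark: int, value: int = CONNMARK_VALUE, mask: int = CONNMARK_MASK) -> bool:
    """Same test an 'fwmark value/mask' ip rule applies: compare only the masked bits."""
    return (mark & mask) == (value & mask)

def nfmark_report(log_text: str) -> List[Tuple[str, int, bool]]:
    """For each getNfmarkCallback line: (timestamp, mark Squid saw, matches rule?)."""
    report = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and fields["func"] == "getNfmarkCallback":
            mark = int(fields["msg"].strip(), 16)
            report.append((fields["ts"], mark, mark_matches(mark)))
    return report

if __name__ == "__main__":
    for ts, mark, ok in nfmark_report(SAMPLE_LOG):
        print(f"{ts} nfmark={mark:#x} {'matches' if ok else 'OUTSIDE'} rule 0x6b0000/0x7fff0000")
```

Run it against a real cache.log with debug_options section 17 at level 3 to list every mark Squid observed on accepted connections; a mark reported as OUTSIDE means the CONNMARK rule did not hit that flow.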
