[squid-users] Mark outgoing connection mark same as client side mark

[Amos Jeffries]

On 11/05/2016 8:19 p.m., Deniz Eren wrote:
> Hi,
> 
> In my system I am using netfilter marks to shape traffic(SNAT, QoS,
> etc.) however when I redirect traffic to Squid using Tproxy I lose the
> mark value(obviously).

Not obvious at all. The MARK vaue is available to Squid, and if
configured to look it up Squid should be doing so.

> I saw configuration directive qos_flow but it's
> only applicable for incoming connections( some website -> squid ->
> client PC), what I need is the opposite one I want to pass mark of
> outgoing connections( client PC -> squid -> some website ). I want to
> mark packet in mangle PREROUTING and then redirect packet to TPROXY
> and after packets coming out of squid I want to use the same mark in
> mangle OUTPUT or POSTROUTING chains. Is there a way to do that?
> 

tcp_outgoing_mark or qos_flows mark.

The problem you will find however is that HTTP is both stateless and
multiplexing. One incoming request may generate zero or several outgoing
requests. The outbound connection may also be shared by several requests
with differnet incoming connection MARK values.

So you need to design your system not to rely on an outbound connection
existing, and to handle MARK being changed mid-connection.

Amos