[squid-users] Fwd: Mark outgoing connection mark same as client side mark

Deniz Eren denizlist at denizeren.net
Wed May 11 12:21:11 UTC 2016


> On 11/05/2016 8:19 p.m., Deniz Eren wrote:
>> Hi,
>>
>> In my system I am using netfilter marks to shape traffic (SNAT, QoS,
>> etc.); however, when I redirect traffic to Squid using Tproxy I lose the
>> mark value (obviously).
>
> Not obvious at all. The MARK value is available to Squid, and if
> configured to look it up Squid should be doing so.
>
By saying obviously I meant that if squid doesn't mark the packet it's
not available in the OUTPUT chain.

>> I saw the configuration directive qos_flow but it's
>> only applicable for incoming connections (some website -> squid ->
>> client PC); what I need is the opposite one: I want to pass the mark of
>> outgoing connections (client PC -> squid -> some website). I want to
>> mark the packet in mangle PREROUTING and then redirect the packet to TPROXY,
>> and after packets come out of squid I want to use the same mark in the
>> mangle OUTPUT or POSTROUTING chains. Is there a way to do that?
>>
>
> tcp_outgoing_mark or qos_flows mark.
http://www.squid-cache.org/Doc/config/qos_flows/
"to mark outgoing connections to the client, based on where the reply
was sourced."
From here I understand that marking process is like this:
Web Site -> |  -> mark -> squid -> mark -> | -> Client PC
And in my tests I saw this behavior, the opposite did not work. Is the
opposite one possible:
ClientPC -> |  -> mark -> squid -> mark -> | -> Web Site

>
> The problem you will find however is that HTTP is both stateless and
> multiplexing. One incoming request may generate zero or several outgoing
> requests. The outbound connection may also be shared by several requests
> with different incoming connection MARK values.
Do you mean two sources A, B both going to C can share the same outgoing
connection? Is there a way to change this behavior?

>
> So you need to design your system not to rely on an outbound connection
> existing, and to handle MARK being changed mid-connection.
>

> Amos
>