[squid-users] squid and iptables

morteza omidian morteza1131 at yahoo.com
Sat Oct 13 05:08:26 UTC 2018


Thanks again. OK, if I want to know the connmark of packets and connections in Squid, and then select them with an ACL inside Squid and then mark them again with "tcp_outgoing_mark", is that possible??
On this page I don't see what you said! The ACL that can be configured only matches clients' source IP addresses or domains and ..., not connmark!
On Saturday, October 13, 2018, 5:47:49 AM GMT+3:30, Amos Jeffries <squid3 at treenet.co.nz> wrote:

 On 13/10/18 5:13 AM, morteza omidian wrote:
> 
> Thank you, I see it now.
> It does not help me, I want to have an acl to select traffic (HTTP
> traffic that comes from client to squid) that have a specific packet
> mark and then send them out with another mark. like this:
> In iptables-mangle-PREROUTING: 
> 
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
> 
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
> 
> Is that possible or not?


What you ask for is not possible.

What you are trying to do *is* possible ...


> I want this kind of marks because I need to determine source interface
> of packets after they go out of squid!

Two things:

 1) the rules you have above *do not* do what you say you are wanting.
The iptables rule marks *everything* on every interface with 0x1.
Overwriting whatever Squid would set.


 2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.


What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid
which have *nothing* to do with individual packets.

The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.



Think of it this way:

 MARK - stays within nftables/iptables.

 CONNMARK - stays within the machine. Can go to other software within
the same machine.

 TOS - goes to other machines, and possibly networks.


Amos
_______________________________________________
squid-users mailing list
squid-users at lists.squid-cache.org
http://lists.squid-cache.org/listinfo/squid-users
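The CONNMARK / clientside_mark / tcp_outgoing_mark arrangement Amos describes, written out as an added example; this is not code from the thread or from the Squid project. The interface name, Squid port, mark values, routing table number and gateway are assumptions, and the script only prints the commands unless APPLY=1 is set, so it can be read and checked without root. It also adds the piece the original question was really after: an `ip rule` that routes Squid's marked server-side connections out of a second uplink.

```shell
#!/bin/sh
# Added example (not from the thread or the Squid project).
# Flow: netfilter CONNMARK on the client->Squid connection
#       -> Squid "clientside_mark" ACL reads it from conntrack
#       -> "tcp_outgoing_mark" sets SO_MARK on Squid's server-side socket
#       -> "ip rule fwmark" picks the egress interface from that socket mark.
set -eu

CLIENT_IF="${CLIENT_IF:-eth1}"        # assumption: interface the clients arrive on
SQUID_PORT="${SQUID_PORT:-3128}"      # assumption; for intercepted traffic use the
                                      # original dport (80), mangle PREROUTING runs
                                      # before the nat REDIRECT rewrites it
WAN2_IF="${WAN2_IF:-eth2}"            # assumption: second uplink
WAN2_GW="${WAN2_GW:-192.0.2.1}"       # assumption: its gateway (documentation range)
WAN2_TABLE="${WAN2_TABLE:-100}"       # assumption: routing table for that uplink
IN_MARK=0x1                           # connmark set by netfilter on client connections
OUT_MARK=0x2                          # socket mark Squid sets on its outgoing connections

# Dry-run by default: print the command instead of executing it. APPLY=1 executes.
run() {
    if [ "${APPLY:-0}" = 1 ]; then "$@"; else printf '+ %s\n' "$*"; fi
}

# 1) Netfilter side. CONNMARK (not MARK) lives in the conntrack entry, so Squid can
#    read it for the whole connection. The rule is restricted to the client interface
#    and to NEW connections to Squid so it does not touch anything else on the box,
#    in particular not Squid's own server-side connections.
netfilter_rules() {
    run iptables -t mangle -A PREROUTING -i "$CLIENT_IF" -p tcp --dport "$SQUID_PORT" \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$IN_MARK"
    # Optional: persist Squid's socket mark into the conntrack entry of the
    # server-side connection so it can be inspected with "conntrack -L".
    run iptables -t mangle -A OUTPUT -m mark --mark "$OUT_MARK" -j CONNMARK --save-mark
}

# 2) Policy routing: packets carrying OUT_MARK (Squid's SO_MARK is copied onto
#    every packet the socket sends) are routed through the second uplink.
policy_routing() {
    run ip route replace default via "$WAN2_GW" dev "$WAN2_IF" table "$WAN2_TABLE"
    run ip rule add fwmark "$OUT_MARK" table "$WAN2_TABLE"
}

# 3) Squid side. clientside_mark matches the connmark of the client connection;
#    tcp_outgoing_mark applies a (different) mark to the server-side socket.
#    Squid must be built with netfilter conntrack support (check "squid -v" for the
#    configure options) and run with CAP_NET_ADMIN to set SO_MARK.
squid_conf_fragment() {
    cat <<EOF
acl from_marked_clients clientside_mark ${IN_MARK}
tcp_outgoing_mark ${OUT_MARK} from_marked_clients
EOF
}

netfilter_rules
policy_routing
printf '# append to squid.conf:\n'
squid_conf_fragment
```

Note that the outgoing mark (0x2) is deliberately different from the incoming connmark (0x1): using the same value for both, as the original rules did, makes it impossible to tell Squid's own connections from the client ones when the routing rule is evaluated. Check the result with `conntrack -L` (the `mark=` field) and `ip route get <dst> mark 0x2`.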
  