[squid-users] iptables CONNMARK with squid

Ryan Le ryanlele264 at gmail.com
Tue May 26 21:59:31 UTC 2020


I have the following setup:

squid -v
Squid Cache: Version 4.8
Service Name: squid
201909121340

This binary uses OpenSSL 1.0.2k-fips  26 Jan 2017. For legal restrictions
on distribution see https://www.openssl.org/source/license.html

configure options:  '--enable-ssl-crtd' '--enable-build-info=201909121340'
'--disable-arch-native' '--with-large-files' '--enable-wccpv2'
'--enable-delay-pools' '--enable-icap-client' '--with-openssl'
'--enable-ssl' '--enable-ltdl-convenience' '--enable-linux-netfilter'
'--enable-auth' '--with-libcap' '--with-default-user=squid'
'--sysconfdir=/etc/squid' '--with-logdir=/var/log/squid'
'--with-swapdir=/var/spool/squid'

squid.conf
     qos_flows mark

iptables
     target     prot opt in     out     source               destination
     CONNMARK   tcp  --  interface2  *       0.0.0.0/0            0.0.0.0/0
           tcp dpt:443 CONNMARK xset 0x6b0000/0x7fff0000

     DNAT       tcp  --  *      *       0.0.0.0/0            0.0.0.0/0
           tcp dpt:443 mark match 0x6b0000 to:IP:9443

ip rule show
     204:    from all fwmark 0x6b0000/0x7fff0000 lookup 107

ip route show table 107
     10.0.0.0/8 dev interface2 scope link
     127.0.0.1 dev lo scope link
     172.16.0.0/12 dev interface2 scope link
     192.168.0.0/16 dev interface2 scope link

I do see the packet in the squid log, which appears to have the mark:

2020/05/26 17:22:20.557 kid3| 28,3| Eui48.cc(516) lookup: id=0x17b20b4 192.168.128.2 NOT found
2020/05/26 17:22:20.557 kid3| 17,3| QosConfig.cc(148) getNfmarkCallback: 0x6b0000
2020/05/26 17:22:20.557 kid3| 51,3| fd.cc(198) fd_open: fd_open() FD 26 HTTP Request
2020/05/26 17:22:20.557 kid3| 5,5| TcpAcceptor.cc(301) acceptOne: Listener: local=localIP remote=[::] FD 23 flags=33 accepted new connection local=websiteIP remote=192.168.128.2:59769 FD 26 flags=33 handler Subscription: 0xee7580*1

It doesn't seem to preserve the mark when making the request to the server.

I have two questions:

Is it better to use tproxy versus dnat when trying to preserve the mark?

It also appears that, even though I mark the packet and have a separate routing
table, the packet never seems to make it to squid unless I have a route for
the source address in the main table. Is there a way to make squid use the
second routing table?

Thanks,
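As an added diagnostic, not part of the original post or of Squid itself: the cache.log lines quoted above can be parsed to check which mark Squid actually read for each accepted client connection, and whether that mark matches the CONNMARK value under the 0x7fff0000 mask used in the iptables and ip rule entries. The pairing of a getNfmarkCallback line with the next accepted connection on the same kid, and the exact log wording, are assumptions based on the excerpt above.

```python
import re

# Values taken from the CONNMARK rule in the post: mark/mask.
EXPECTED_MARK = 0x6b0000
MARK_MASK = 0x7fff0000

# Constructed sample: the cache.log excerpt from the post, one event per line.
SAMPLE_LOG = """\
2020/05/26 17:22:20.557 kid3| 28,3| Eui48.cc(516) lookup: id=0x17b20b4 192.168.128.2 NOT found
2020/05/26 17:22:20.557 kid3| 17,3| QosConfig.cc(148) getNfmarkCallback: 0x6b0000
2020/05/26 17:22:20.557 kid3| 51,3| fd.cc(198) fd_open: fd_open() FD 26 HTTP Request
2020/05/26 17:22:20.557 kid3| 5,5| TcpAcceptor.cc(301) acceptOne: Listener: local=localIP remote=[::] FD 23 flags=33 accepted new connection local=websiteIP remote=192.168.128.2:59769 FD 26 flags=33 handler Subscription: 0xee7580*1
"""

KID_RE = re.compile(r"\bkid(\d+)\|")
NFMARK_RE = re.compile(r"getNfmarkCallback: (0x[0-9a-fA-F]+)")
ACCEPT_RE = re.compile(r"accepted new connection local=(\S+) remote=(\S+) FD (\d+)")


def mark_matches(mark, expected=EXPECTED_MARK, mask=MARK_MASK):
    """Same test the kernel applies for 'fwmark value/mask': compare only the
    bits covered by the mask, so bits outside it (e.g. 0x80000000) are ignored."""
    return (mark & mask) == (expected & mask)


def parse_marks(log_text):
    """Attach each nfmark reported by getNfmarkCallback to the next accepted
    client connection logged by the same kid (assumed ordering, see lead-in).
    Returns one dict per accepted connection."""
    pending = {}  # kid -> mark seen but not yet attached to a connection
    events = []
    for line in log_text.splitlines():
        kid_m = KID_RE.search(line)
        kid = kid_m.group(1) if kid_m else "0"
        m = NFMARK_RE.search(line)
        if m:
            pending[kid] = int(m.group(1), 16)
            continue
        m = ACCEPT_RE.search(line)
        if m:
            mark = pending.pop(kid, None)  # None: accept logged with no mark read
            events.append({
                "kid": kid, "fd": int(m.group(3)), "remote": m.group(2),
                "mark": mark,
                "mark_ok": mark is not None and mark_matches(mark),
            })
    return events


if __name__ == "__main__":
    for ev in parse_marks(SAMPLE_LOG):
        print(ev)
```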