<html><head></head><body><div class="ydpe265b750yahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div id="ydpe265b750yiv0571450082"><div><div class="ydpe265b750yiv0571450082ydp8c8e88aeyahoo-style-wrap" style="font-family:Helvetica Neue, Helvetica, Arial, sans-serif;font-size:16px;"><div></div>
<div>tanx again.</div><div>Ok, if I want to know connmark of packets and connection in squid and then select them with an ACL inside of squid and then again mark them with "<span>tcp_outgoing_mark</span>", is that possible??</div><div> <br clear="none"></div><div>In <a href="http://www.squid-cache.org/Doc/config/clientside_mark/">this page</a> i don't see what you said!</div><div>The ACL that be configured only match with clients source ip addresses or domain and ..., not connmark!</div><div><br clear="none"></div>
</div></div></div></div><div class="yiv0571450082yqt5395990750" id="yiv0571450082yqt01300"><div class="yiv0571450082yahoo_quoted" id="yiv0571450082yahoo_quoted_9672806010">
<div style="font-family:'Helvetica Neue', Helvetica, Arial, sans-serif;font-size:13px;color:#26282a;">
<div>
On Saturday, October 13, 2018, 5:47:49 AM GMT+3:30, Amos Jeffries <squid3@treenet.co.nz> wrote:
</div>
<div><br clear="none"></div>
<div><br clear="none"></div>
<div><div dir="ltr">On 13/10/18 5:13 AM, morteza omidian wrote:<br clear="none">> <br clear="none">> Tank you, I see it now.<br clear="none">> It does not help me, I want to have an acl to select traffic (HTTP<br clear="none">> traffic that comes from client to squid) that have a specific packet<br clear="none">> mark and then send them out with another mark. like this:<br clear="none">> In iptables-mangle-PREROUTING: <br clear="none">> <br clear="none">> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1<br clear="none">> <br clear="none">> In Squid Configuration:<br clear="none">> acl MARKED_PACKETS nfmark 1<br clear="none">> tcp_outgoing_mark 1 MARKED_PACKETS<br clear="none">> <br clear="none">> Is that possible or not?<br clear="none"><br clear="none"><br clear="none">What you ask for is not possible.<br clear="none"><br clear="none">What you are trying to do *is* possible ...<br clear="none"><br clear="none"><br clear="none">> I want this kind of marks because I need to determine source interface<br clear="none">> of packets after they go out of squid!<br clear="none"><br clear="none">Two things:<br clear="none"><br clear="none"> 1) the rules you have above *do not* do what you say you are wanting.<br clear="none">The iptables rule marks *everything* on every interface with 0x1.<br clear="none">Overwriting whatever Squid would set.<br clear="none"><br clear="none"><br clear="none"> 2) MARK is the wrong iptables feature to be using. It only marks a<br clear="none">*single* packet per rule/table evaluation and is not accessible to any<br clear="none">software higher up the network stack than iptables itself.<br clear="none"><br clear="none"><br clear="none">What you should be using is -j CONNMARK. Once a CONNMARK is set on a<br clear="none">connection it is copied by iptables to each following packet on that<br clear="none">same connection. It is also available to layer-4 software like Squid<br clear="none">which have *nothing* to do with individual packets.<br clear="none"><br clear="none">The clientside_mark ACL in Squid matches these values and does exactly<br clear="none">what you are wanting.<br clear="none"><br clear="none"><br clear="none"><br clear="none">Think of thing this way:<br clear="none"><br clear="none"> MARK - stays within nftables/iptables.<br clear="none"><br clear="none"> CONNMARK - stays within the machine. Can go to other software within<br clear="none">the same machine.<br clear="none"><br clear="none"> TOS - goes to other machines, and possibly networks.<div class="yiv0571450082yqt1893407520" id="yiv0571450082yqtfd95480"><br clear="none"><br clear="none"><br clear="none">Amos<br clear="none">_______________________________________________<br clear="none">squid-users mailing list<br clear="none"><a rel="nofollow" shape="rect" ymailto="mailto:squid-users@lists.squid-cache.org" target="_blank" href="mailto:squid-users@lists.squid-cache.org">squid-users@lists.squid-cache.org</a><br clear="none"><a rel="nofollow" shape="rect" target="_blank" href="http://lists.squid-cache.org/listinfo/squid-users">http://lists.squid-cache.org/listinfo/squid-users</a><br clear="none"></div></div></div>
</div>
</div></div></body></html>