[squid-users] squid and iptables
Amos Jeffries
squid3 at treenet.co.nz
Sat Oct 13 02:17:26 UTC 2018
On 13/10/18 5:13 AM, morteza omidian wrote:
>
> Thank you, I see it now.
> It does not help me, I want to have an acl to select traffic (HTTP
> traffic that comes from client to squid) that have a specific packet
> mark and then send them out with another mark. like this:
> In iptables-mangle-PREROUTING:
>
> iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
>
> In Squid Configuration:
> acl MARKED_PACKETS nfmark 1
> tcp_outgoing_mark 1 MARKED_PACKETS
>
> Is that possible or not?
What you ask for is not possible.
What you are trying to do *is* possible ...
> I want this kind of marks because I need to determine source interface
> of packets after they go out of squid!
Two things:
1) the rules you have above *do not* do what you say you are wanting.
The iptables rule marks *everything* on every interface with 0x1.
Overwriting whatever Squid would set.
2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.
What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid
which have *nothing* to do with individual packets.
The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.
Think of it this way:
MARK - stays within nftables/iptables.
CONNMARK - stays within the machine. Can go to other software within
the same machine.
TOS - goes to other machines, and possibly networks.
Amos
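The setup Amos describes, written out as an added example (this is not code from the thread or from the Squid project): a CONNMARK rule on the client-facing interface stores a mark on the connection, the `clientside_mark` ACL matches it inside Squid, and `tcp_outgoing_mark` puts a second mark on Squid's own outbound sockets so a `fwmark` policy route can pick the egress interface. Interface names (`eth0`, `eth1`), the mark values `0x1`/`0x2`, the routing table number and the port are assumptions; the script prints the commands unless `APPLY=1` is set.

```shell
#!/bin/sh
# Added example, not from the thread: CONNMARK inbound client connections,
# match the mark in Squid with clientside_mark, re-mark Squid's outgoing
# connections with tcp_outgoing_mark and route those by fwmark.
# Interfaces, marks, port and table number below are assumptions.
set -eu

CLIENT_IF="${CLIENT_IF:-eth0}"   # interface clients arrive on (assumed)
OUT_IF="${OUT_IF:-eth1}"         # interface Squid's traffic should leave by (assumed)
PROXY_PORT="${PROXY_PORT:-80}"   # 80 as in the thread (interception); 3128 for an explicit proxy
IN_MARK="${IN_MARK:-0x1}"        # CONNMARK stored on client connections
OUT_MARK="${OUT_MARK:-0x2}"      # mark Squid sets on its own outgoing sockets
OUT_TABLE="${OUT_TABLE:-100}"    # routing table selected by OUT_MARK

# The rule from the thread. Two problems: -j MARK tags a single packet and is
# invisible to Squid, and with no -i it also hits Squid's own outbound
# port-80 packets, overwriting whatever mark Squid set on them.
broken_rules() {
  printf '%s\n' \
    "iptables -t mangle -A PREROUTING -p tcp --dport $PROXY_PORT -j MARK --set-mark 1"
}

# Working rule: CONNMARK on the conntrack entry, limited to the client-facing
# interface, so only client connections carry IN_MARK and Squid can read it.
mangle_rules() {
  printf '%s\n' \
    "iptables -t mangle -A PREROUTING -i $CLIENT_IF -p tcp --dport $PROXY_PORT -j CONNMARK --set-mark $IN_MARK"
}

# Policy routing: sockets carrying OUT_MARK leave via OUT_IF.
route_rules() {
  printf '%s\n' \
    "ip rule add fwmark $OUT_MARK table $OUT_TABLE" \
    "ip route add default dev $OUT_IF table $OUT_TABLE"
}

# squid.conf fragment: match the inbound CONNMARK, re-mark outgoing connections.
squid_conf() {
  printf '%s\n' \
    "acl from_clients clientside_mark $IN_MARK" \
    "tcp_outgoing_mark $OUT_MARK from_clients"
}

# A mangle rule passes only if it uses CONNMARK (not MARK) and is pinned to an
# input interface, so it cannot clobber marks on Squid's own outbound traffic.
rule_ok() {
  case "$1" in
    *"-j CONNMARK"*) ;;
    *) return 1 ;;
  esac
  case "$1" in
    *" -i "*) return 0 ;;
    *) return 1 ;;
  esac
}

# Returns 0 only if every generated mangle rule passes rule_ok.
check_mangle_rules() {
  mangle_rules | {
    while read -r cmd; do rule_ok "$cmd" || exit 1; done
  }
}

# Print each command, or execute it when APPLY=1 (needs root).
run_or_print() {
  while read -r cmd; do
    if [ "${APPLY:-0}" = 1 ]; then $cmd; else echo "$cmd"; fi
  done
}

check_mangle_rules
{ mangle_rules; route_rules; } | run_or_print
echo "# squid.conf fragment:"
squid_conf
```

Two marks are used deliberately: if the inbound CONNMARK and the outgoing mark were both `0x1`, as in the quoted configuration, a rule or route matching on the value could not tell a client connection from one of Squid's own. Squid needs to be built with netfilter conntrack support for `clientside_mark` to work, and Squid 5.x documents the same ACL under the name `client_connection_mark`.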