Re: [squid-users] not working tproxy in squid 3.2

From: Oleg <lego12239_at_yandex.ru>
Date: Mon, 1 Apr 2013 10:40:04 +0400

On Wed, Mar 20, 2013 at 11:35:21AM +0200, Eliezer Croitoru wrote:
> On 3/19/2013 9:24 PM, Oleg wrote:
> >On Tue, Mar 19, 2013 at 08:49:25PM +0200, Eliezer Croitoru wrote:
> >>Hey Oleg,
> >>
> >>I want to understand a couple of things about the situation.
> >>What is the problem? A memory leak?
> >
> > 1 problem - memory leak;
> > 2 problem - tproxy doesn't work in squid 3.2.
> >
> I can think of a way you can configure squid to cause them both.

  I think this is a bug in the software, if we can cause a memory leak and a
crash with a bad config.

> >>How do you see the memory leak? and where?
> >
> > I just start squid, start top and wait about an hour until squid grows from
> >40MB to 800MB and the kernel kills it.
> >
> >>The memory leak you are talking about is in a case of tproxy usage only?
> >
> > It's hard to say. I ran squid 3.2 with non-working tproxy (as I wrote),
> >but with normal proxy on TCP port 3128, and it ate my memory too. So, tproxy
> >is configured, but not used.
> >
> >>What is the load of the proxy cache?
> >>Do you use it for filtering or just plain cache?
> >
> > Only for filtering.
> >
> >>In what environment?
> >
> > What do you mean by environment?
> >
> ISP? OFFICE? HOME? ELSE...

  ISP

> >>The more details you can give on the scenario, and the more you can point
> >>your finger at the problem, the happier I will be to assist us in finding
> >>the culprit.
> >>
> >>What linux distro are you using?
> >
> > Debian 6, and I also tried Debian 7.
> My opinion is that you don't need to test on 7 or do special tests,
> but it helped us to understand the nature of the problem.
>
> Try not to use the filtering helper, by using only defaults and tproxy,
> and also try to use this script with tproxy on port 3129 and
> http_port 127.0.0.1:3128
>
> ##start of script
> #!/bin/sh -x
> echo "loading modules required for the tproxy"
> modprobe ip_tables
> modprobe xt_tcpudp
> modprobe nf_tproxy_core
> modprobe xt_mark
> modprobe xt_MARK

FATAL: Module xt_MARK not found.

> modprobe xt_TPROXY
> modprobe xt_socket
> modprobe nf_conntrack_ipv4
> sysctl net.netfilter.nf_conntrack_acct
> sysctl net.netfilter.nf_conntrack_acct=1
> ip route flush table 100
> ip rule del fwmark 1 lookup 100
> ip rule add fwmark 1 lookup 100
> ip -f inet route add local default dev lo table 100
>
> echo "flushing any existing rules"
> iptables -t mangle -F
> iptables -t mangle -X DIVERT
>
> echo "creating rules"
> iptables -t mangle -N DIVERT
> iptables -t mangle -A DIVERT -j MARK --set-mark 1
> iptables -t mangle -A DIVERT -j ACCEPT
>
> iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
> iptables -t mangle -A PREROUTING -s ___LAN____ -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
> ##end of script
>
>
> --
> Eliezer Croitoru
>
Received on Mon Apr 01 2013 - 06:40:20 MDT
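
An offline check of the policy-routing and mangle state that the quoted script is meant to leave behind, as an added example that is not part of the original thread. The helper names (has, lineno, check_tproxy), the sample captures and the 192.0.2.0/24 network standing in for ___LAN____ are constructed assumptions; the expected text formats are those of `ip rule show`, `ip route show table 100` and `iptables -t mangle -S`.

```shell
#!/bin/sh
# Added example: audits TPROXY plumbing from captured command output.
#   $1 = `ip rule show`          $2 = `ip route show table 100`
#   $3 = `iptables -t mangle -S` $4 = Squid tproxy port (default 3129)
has() { printf '%s\n' "$1" | grep -Eq -e "$2"; }
lineno() { printf '%s\n' "$1" | grep -En -e "$2" | head -n 1 | cut -d: -f1; }

check_tproxy() {   # hypothetical helper name
    rules=$1; routes=$2; mangle=$3; port=${4:-3129}; rc=0
    # Marked packets must be routed through table 100 ...
    has "$rules" 'fwmark 0x1(/0x[0-9a-f]+)? lookup 100( |$)' ||
        { echo "FAIL: no 'fwmark 1 lookup 100' policy rule"; rc=1; }
    # ... and table 100 must deliver everything locally via lo.
    has "$routes" '^local (default|0\.0\.0\.0/0) dev lo' ||
        { echo "FAIL: table 100 lacks 'local default dev lo'"; rc=1; }
    # DIVERT must set the mark that the policy rule matches on.
    has "$mangle" '^-A DIVERT -j MARK --set-x?mark (0x)?1(/| |$)' ||
        { echo "FAIL: DIVERT does not set mark 1"; rc=1; }
    sock=$(lineno "$mangle" '^-A PREROUTING .*-m socket .*-j DIVERT')
    tprx=$(lineno "$mangle" "^-A PREROUTING .*-j TPROXY .*--on-port $port( |\$)")
    [ -n "$sock" ] || { echo "FAIL: no '-m socket -j DIVERT' rule"; rc=1; }
    [ -n "$tprx" ] || { echo "FAIL: no TPROXY rule for port $port"; rc=1; }
    # Packets of already-diverted flows must hit the socket match first.
    if [ -n "$sock" ] && [ -n "$tprx" ] && [ "$sock" -gt "$tprx" ]; then
        echo "FAIL: TPROXY rule precedes the socket/DIVERT rule"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: TPROXY plumbing present for port $port"
    return "$rc"
}

# Constructed sample captures; 192.0.2.0/24 stands in for ___LAN____.
SAMPLE_RULES='0: from all lookup local
32765: from all fwmark 0x1 lookup 100
32766: from all lookup main'
SAMPLE_ROUTES='local default dev lo scope host'
SAMPLE_MANGLE='-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -s 192.0.2.0/24 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'
check_tproxy "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE" 3129
```

On a live box the three arguments would be the real command output, and the port must be the one on Squid's tproxy http_port line, not the plain 127.0.0.1:3128 listener.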
