On 03/15/2014 05:11 PM, Amos Jeffries wrote:
> On 15/03/2014 6:46 p.m., Amm wrote:
>> I would like to mark outgoing packet (on server side) with SAME MARK as on incoming (NATed or CONNECTed) packet.
> http://www.squid-cache.org/Doc/config/qos_flows/
>
> Squid default action is to pass the netfilter MARK value from client
> through to the server. All you should need to do is *omit*
> tcp_outgoing_mark directives from changing it to something else.
>
> Amos
Oh that's great, thanks, I did not know this.
However, I tried this but somehow I am not able to get it working.
Please let me know what could be wrong.
First I thought it may be because netfilter-conntrack-devel was not
installed. So I installed the same.
Then I recompiled squid with these:
--with-netfilter-conntrack and --with-libcap
configure: ZPH QOS enabled: yes
configure: QOS netfilter mark preservation enabled: yes
...
checking for operational libcap2 headers... yes
configure: libcap support enabled: yes
configure: libcap2 headers are ok: yes
...
configure: Linux Netfilter support requested: yes
configure: Linux Netfilter Conntrack support requested: yes
checking for library containing nfct_query... -lnetfilter_conntrack
(4-5 more lines with header check with answer yes)
Installed new squid and restarted squid.
Ran the following iptables commands for debugging:
# CMD 1- mark all packets coming from 192.168.1.45
$ iptables -t mangle -I PREROUTING -s 192.168.1.45 -j MARK --set-mark 0x112
# CMD 2 - count packets/bytes going OUT on port 80 and marked 0x112
$ iptables -t mangle -I POSTROUTING -m mark --mark 0x112 -p tcp --dport 80
# CMD 3 - NAT settings (intercept)
$ iptables -t nat -nvL
Chain PREROUTING (policy ACCEPT 22610 packets, 2251K bytes)
 pkts bytes target     prot opt in     out     source               destination
  347 21371 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
Some settings in /etc/squid/squid.conf:
http_port 3128 intercept
# log for nfmark logging
logformat nfmark %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %>nfmark %<nfmark
access_log daemon:/var/log/squid/access.log squid all
access_log daemon:/var/log/squid/nfmark.log nfmark all
(Do I need to put anything else in squid.conf for marking?)
(There is no tcp_outgoing_mark)
Now I accessed Google from 192.168.1.45
$ tail /var/log/squid/nfmark.log
1394891128.585    403 192.168.1.45 TCP_MISS/200 21137 GET http://www.google.co.in/?xxx - HIER_DIRECT/173.194.36.56 text/html 0x0 0x0
1394891128.793     92 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/srpr/mlogo2x_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0
1394891128.851    115 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/logo_mobile_srp_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0
nfmark in and out are both logged as 0x0, whereas I was expecting at least
one of them to be 0x112.
$ iptables -t mangle -nvL PREROUTING
Chain PREROUTING (policy ACCEPT 1590 packets, 604K bytes)
 pkts bytes target     prot opt in     out     source               destination
  135 22042 MARK       all  --  *      *       192.168.1.45         0.0.0.0/0            MARK set 0x112
$ iptables -t mangle -nvL POSTROUTING
Chain POSTROUTING (policy ACCEPT 1653 packets, 372K bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x112 multiport dports 80,443
PREROUTING shows 135 packets MARKed as 0x112 but POSTROUTING shows no
packets marked.
What could be wrong?
Thanks in advance.
Amm
Received on Sat Mar 15 2014 - 14:33:26 MDT
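A check the thread itself does not include, added here as an editor's example (it is not code from Amm, Amos or the Squid project): a small Python script that parses lines in the 'nfmark' logformat defined in the message above and classifies each request as preserved (same non-zero mark on both sides), mark-not-preserved (mark seen inbound, different value outbound) or no-mark-on-client-side (0x0 inbound, so nothing for Squid to pass through). Fed the three lines quoted in the post it reports the third outcome for every request, which is exactly what Amm saw; the two extra lines carrying 0x112 are constructed to exercise the other two outcomes, and example.test / 198.51.100.7 are placeholder names and addresses. One caveat a practitioner would want stated: with --with-netfilter-conntrack Squid obtains %>nfmark by querying the connection's conntrack entry through libnetfilter_conntrack, so 0x0 in this log means no mark was found on that conntrack entry, not merely that a packet-level rule counter is zero; the message above does not settle whether the MARK rule shown leaves a mark on the conntrack entry at all.

```python
"""Audit Squid 'nfmark' log lines for netfilter MARK preservation.

Editor's example, not code from the thread or from Squid. It parses the
logformat defined in the post:

  %ts.%03tu %6tr %>a %Ss/%03>Hs %<st %rm %ru %[un %Sh/%<a %mt %>nfmark %<nfmark

and reports whether the mark seen on the client side (%>nfmark) was
carried onto the server-side connection (%<nfmark).
"""
from collections import Counter
from typing import Dict, List, NamedTuple


class NfmarkRecord(NamedTuple):
    timestamp: float
    duration_ms: int
    client: str
    status: str       # e.g. TCP_MISS/200
    size: int
    method: str
    url: str
    user: str
    hier_code: str    # e.g. HIER_DIRECT
    server: str
    mime: str
    mark_in: int      # %>nfmark: netfilter mark on the client-side connection
    mark_out: int     # %<nfmark: netfilter mark on the server-side connection


def parse_nfmark_line(line: str) -> NfmarkRecord:
    """Split one log line into its 12 fields (%6tr may pad with extra spaces)."""
    fields = line.split()
    if len(fields) != 12:
        raise ValueError(f"expected 12 fields, got {len(fields)}: {line!r}")
    hier_code, _, server = fields[8].partition("/")
    return NfmarkRecord(
        timestamp=float(fields[0]),
        duration_ms=int(fields[1]),
        client=fields[2],
        status=fields[3],
        size=int(fields[4]),
        method=fields[5],
        url=fields[6],
        user=fields[7],
        hier_code=hier_code,
        server=server,
        mime=fields[9],
        mark_in=int(fields[10], 16),
        mark_out=int(fields[11], 16),
    )


def classify(rec: NfmarkRecord) -> str:
    """Three outcomes a MARK pass-through test can produce."""
    if rec.mark_in == 0:
        # Squid saw no mark on the client connection at all, so there was
        # nothing for it to pass through (Amm's case in the log above).
        return "no-mark-on-client-side"
    if rec.mark_out != rec.mark_in:
        # Mark was seen inbound but the outbound connection carries a
        # different value: something (e.g. a tcp_outgoing_mark rule) changed it.
        return "mark-not-preserved"
    return "preserved"


def audit(lines: List[str]) -> Dict[str, int]:
    """Count outcomes over a log; blank lines are skipped."""
    return dict(Counter(classify(parse_nfmark_line(l)) for l in lines if l.strip()))


# The first three lines are the ones quoted in the post (re-joined onto one
# line each); the last two are CONSTRUCTED to exercise the other outcomes,
# with placeholder host example.test and address 198.51.100.7.
SAMPLE_LOG = [
    "1394891128.585    403 192.168.1.45 TCP_MISS/200 21137 GET http://www.google.co.in/?xxx - HIER_DIRECT/173.194.36.56 text/html 0x0 0x0",
    "1394891128.793     92 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/srpr/mlogo2x_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0",
    "1394891128.851    115 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/logo_mobile_srp_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0",
    "1394891200.000    250 192.168.1.45 TCP_MISS/200 5120 GET http://example.test/ok - HIER_DIRECT/198.51.100.7 text/html 0x112 0x112",
    "1394891201.000    310 192.168.1.45 TCP_MISS/200 5120 GET http://example.test/changed - HIER_DIRECT/198.51.100.7 text/html 0x112 0x0",
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = parse_nfmark_line(line)
        print(f"{rec.client} -> {rec.server}: in={rec.mark_in:#x} out={rec.mark_out:#x} {classify(rec)}")
    print(audit(SAMPLE_LOG))
```

To use it on a live system, replace SAMPLE_LOG with the lines of /var/log/squid/nfmark.log; a run in which every request is no-mark-on-client-side says the mark never reached Squid's view of the client connection, which is a different problem from Squid failing to copy a mark it did see.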