Discussion:
[squid-users] squid and iptables
morteza omidian
2018-10-12 14:41:44 UTC
Hi

I asked my question before. It seems that nobody can answer it!!
As you know, we can mark packets when they go out of squid with "tcp_outgoing_mark". This mark is based on the source IP or source MAC of the client, but I want to mark them based on the mark of the input packet, something like this:
In iptables > mangle > PREROUTING: 
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
In Squid configuration:
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS


Is that possible? How can I solve my problem??
Tanx
Antony Stone
2018-10-12 15:07:22 UTC
Post by morteza omidian
Hi
I asked my question before. It seems that nobody can answer it!!
Did you miss the response from Amos?

http://lists.squid-cache.org/pipermail/squid-users/2018-October/019389.html
Post by morteza omidian
As you know, we can mark packets when they go out of squid with
"tcp_outgoing_mark", this mark is based on Source IP or Source MAC of
client, but i want to mark them based on mark of input packet, something
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
In Squid configuration:
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS
Is that possible? How can i solve my problem??
Tanx
PS: Please do not set "Reply-to" on list emails.

Thanks,


Antony.
--
Schrödinger's rule of data integrity: the condition of any backup is unknown
until a restore is attempted.

Please reply to the list;
please *don't* CC me.
morteza omidian
2018-10-12 16:13:06 UTC
Thank you, I see it now. It does not help me. I want to have an ACL to select traffic (HTTP traffic that comes from the client to squid) that has a specific packet mark, and then send it out with another mark, like this:

In iptables-mangle-PREROUTING:
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
In Squid configuration:
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS

Is that possible or not? I want this kind of mark because I need to determine the source interface of packets after they go out of squid!
Post by morteza omidian
Hi
I asked my question before. It seems that nobody can answer it!!
Did you miss the response from Amos?

http://lists.squid-cache.org/pipermail/squid-users/2018-October/019389.html
Post by morteza omidian
As you know, we can mark packets when they go out of squid with
"tcp_outgoing_mark", this mark is based on Source IP or Source MAC of
client, but i want to mark them based on mark of input packet, something
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
In Squid configuration:
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS
Is that possible? How can i solve my problem??
Tanx
PS: Please do not set "Reply-to" on list emails.

Thanks,


Antony.
--
Schrödinger's rule of data integrity: the condition of any backup is unknown
until a restore is attempted.

Please reply to the list;
please *don't* CC me.
Amos Jeffries
2018-10-13 02:17:26 UTC
Post by morteza omidian
Thank you, I see it now.
It does not help me, I want to have an acl to select traffic (HTTP
traffic that comes from client to squid) that have a specific packet
In iptables-mangle-PREROUTING: 
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS
Is that possible or not?
What you ask for is not possible.

What you are trying to do *is* possible ...
Post by morteza omidian
I want this kind of marks because I need to determine source interface
of packets after they go out of squid!
Two things:

1) the rules you have above *do not* do what you say you are wanting.
The iptables rule marks *everything* on every interface with 0x1.
Overwriting whatever Squid would set.


2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.


What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid
which have *nothing* to do with individual packets.

The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.



Think of things this way:

MARK - stays within nftables/iptables.

CONNMARK - stays within the machine. Can go to other software within
the same machine.

TOS - goes to other machines, and possibly networks.


Amos
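To make the distinction above concrete, here is an added example (my own, not from Amos or the Squid project) of the CONNMARK-based setup he describes: the netfilter rule tags the client *connection* rather than single packets and is restricted to the client-facing interface so it does not mark everything, and the Squid side matches that connection mark with the clientside_mark ACL before setting a separate outgoing mark. The interface name eth1, the marks 0x1 and 0x10, the ACL name from_lan and the path /etc/squid/marks.conf are placeholders; the build-option check assumes Squid's --with-netfilter-conntrack configure flag, which clientside_mark relies on.

```shell
#!/bin/sh
# Added example, not code from the squid-users thread or from Squid itself.
# Placeholders: eth1 = interface clients arrive on, 0x1 = CONNMARK set by
# iptables on client connections, 0x10 = mark Squid puts on its own outgoing
# (server-side) sockets for those clients.

# Run iptables for real, or only print the command when DRY_RUN=1.
ipt() {
    if [ "${DRY_RUN:-0}" = "1" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Netfilter side: tag the *connection* (CONNMARK, not MARK) for TCP/80 traffic
# that enters on the client-facing interface. Matching "-m connmark --mark 0"
# leaves already-classified connections alone instead of overwriting them.
connmark_rules() {
    lan_if=$1
    client_mark=$2
    ipt -t mangle -A PREROUTING -i "$lan_if" -p tcp --dport 80 \
        -m connmark --mark 0 -j CONNMARK --set-mark "$client_mark"
}

# Squid side: clientside_mark reads the CONNMARK of the accepted client
# connection; tcp_outgoing_mark then sets a different mark on the socket
# Squid opens towards the origin server. That outgoing mark is what
# "ip rule ... fwmark" or "-m mark --mark" can use to pick the egress path.
squid_conf_fragment() {
    client_mark=$1
    out_mark=$2
    cat <<EOF
# Matches the netfilter CONNMARK of the client's TCP connection to Squid.
acl from_lan clientside_mark $client_mark
# Squid's server-side connections for from_lan clients carry $out_mark.
tcp_outgoing_mark $out_mark from_lan
EOF
}

# Pre-flight check: clientside_mark needs a Squid built with conntrack
# support (assumed to show up in "squid -v" as --with-netfilter-conntrack).
squid_has_conntrack() {
    squid -v 2>/dev/null | grep -q -- '--with-netfilter-conntrack'
}

# Only touches the system when explicitly asked: ./marks.sh apply
if [ "${1:-}" = "apply" ]; then
    squid_has_conntrack || echo "warning: Squid lacks conntrack support" >&2
    connmark_rules eth1 0x1
    squid_conf_fragment 0x1 0x10 > /etc/squid/marks.conf
fi
```

Run it with `DRY_RUN=1 sh marks.sh apply` first to see the exact iptables rule it would add; the generated marks.conf fragment is meant to be pulled in from squid.conf with an `include` line.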
morteza omidian
2018-10-13 05:08:26 UTC
tanx again.
OK, if I want to know the connmark of packets and connections in squid, then select them with an ACL inside of squid, and then mark them again with "tcp_outgoing_mark", is that possible??
In this page <http://www.squid-cache.org/Doc/config/clientside_mark/> I don't see what you said! The ACL that can be configured only matches clients' source IP addresses or domain and ..., not connmark!
Post by morteza omidian
Thank you, I see it now.
It does not help me, I want to have an acl to select traffic (HTTP
traffic that comes from client to squid) that have a specific packet
In iptables-mangle-PREROUTING: 
iptables -t mangle -A PREROUTING -p tcp --dport 80 -j MARK --set-mark 1
acl MARKED_PACKETS nfmark 1
tcp_outgoing_mark 1 MARKED_PACKETS
Is that possible or not?
What you ask for is not possible.

What you are trying to do *is* possible ...
Post by morteza omidian
I want this kind of marks because I need to determine source interface
of packets after they go out of squid!
Two things:

1) the rules you have above *do not* do what you say you are wanting.
The iptables rule marks *everything* on every interface with 0x1.
Overwriting whatever Squid would set.


2) MARK is the wrong iptables feature to be using. It only marks a
*single* packet per rule/table evaluation and is not accessible to any
software higher up the network stack than iptables itself.


What you should be using is -j CONNMARK. Once a CONNMARK is set on a
connection it is copied by iptables to each following packet on that
same connection. It is also available to layer-4 software like Squid
which have *nothing* to do with individual packets.

The clientside_mark ACL in Squid matches these values and does exactly
what you are wanting.



Think of things this way:

MARK - stays within nftables/iptables.

CONNMARK - stays within the machine. Can go to other software within
the same machine.

TOS - goes to other machines, and possibly networks.


Amos
Amos Jeffries
2018-10-13 06:33:14 UTC
Post by morteza omidian
tanx again.
Ok, if I want to know connmark of packets and connection in squid and
then select them with an ACL inside of squid  and then again mark them
with "tcp_outgoing_mark", is that possible??
Yes.
Post by morteza omidian
In this page <http://www.squid-cache.org/Doc/config/clientside_mark/> i
don't see what you said!
The ACL that be configured only match with clients source ip addresses
or domain and ..., not connmark!
That is a directive for marking inbound / client connections from the
Squid end - after they have been received.

To fetch an existing mark placed by iptables is an "acl" line. ACL types
are all documented in here:
<http://www.squid-cache.org/Doc/config/acl/>

Amos
morteza omidian
2018-10-13 08:06:27 UTC
Can I keep connection marks when I use TPROXY??!
Does the "acl aclname clientside_mark mark[/mask]" directive only work on squid4 and up?? Can I use it in squid3? Is the only way to install squid4 to download the source code??
Thank you
Post by morteza omidian
tanx again.
Ok, if I want to know connmark of packets and connection in squid and
then select them with an ACL inside of squid  and then again mark them
with "tcp_outgoing_mark", is that possible??
Yes.
Post by morteza omidian
In this page <http://www.squid-cache.org/Doc/config/clientside_mark/> i
don't see what you said!
The ACL that be configured only match with clients source ip addresses
or domain and ..., not connmark!
That is a directive for marking inbound / client connections from the
Squid end - after they have been received.

To fetch an existing mark placed by iptables is an "acl" line. ACL types
are all documented in here:
<http://www.squid-cache.org/Doc/config/acl/>

Amos
