Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
Hi

> So the documentation is right but the placement of the statement is possibly wrong. It's not highlighted right in front, i.e. qos_flows applies only for packets from server to client (squid), NOT from client to server.
>
> Is it possible to do the reverse too? Or at least have an acl where I can check the incoming MARK on a packet? So then I can make use of tcp_outgoing_mark.
>
> I just noticed that there was the same discussion on the list previously as well (in 2013); here is the link:
> http://www.squid-cache.org/mail-archive/squid-users/201303/0421.html

Yes, I'm still really interested to implement this. I got as far as doing some investigation a few weeks back.

It seems *most* of the groundwork is there. I think there is space to store the incoming client connection mark, and there are facilities to set the outgoing upstream mark (to an acl value). What is needed is:

- code to connect the two, i.e. set a default outgoing mark
- some thought on handling connection pipelining and re-use. At present squid maintains a pool of connections, say to an upstream proxy; these now need to be selected not just because they are idle, but also because they have the correct connection mark set. This looks doable, but slightly more tricky.

Ed W
Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
On Thu, 2014-03-27 at 10:26 +, Ed W wrote:
> Yes, I'm still really interested to implement this. I got as far as doing some investigation a few weeks back.

Thanks for looking into it. I'd like to sort it myself, but don't have the time at the moment. In the meantime, I'll aim to submit a patch to update the documentation!

Andy
Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
On 03/16/2014 03:02 AM, Andrew Beverley wrote:
> I used (and created) the patch to get the value from the remote server. However, I can't remember whether it does it the other way as well (at the time I thought I'd written the documentation so clearly, but coming back to it now it's not clear...)
>
> From memory, however, you do need to configure qos_flows to *something*, to trigger its operation. I think you can simply state qos_flows mark.

Yes, it needs qos_flows mark; without specifying qos_flows, it's not working. But ...

> > My question however was to pass on the mark from client side to server side, i.e. the reverse of what the above paragraph says.
>
> As above, it's primarily server to client. Get that working first so you know everything is in order, and then try it the other way.

... it works only from server to client. If I CONNMARK a server (to squid) packet, I can see it appearing in the log. If I CONNMARK a client (to server) packet, it's not showing in the LOG.

> Let me know what you find out and I will update the documentation! (I don't have time to look through the source code right now)

So the documentation is right but the placement of the statement is possibly wrong. It's not highlighted right in front, i.e. qos_flows applies only for packets from server to client (squid), NOT from client to server.

Is it possible to do the reverse too? Or at least have an acl where I can check the incoming MARK on a packet? So then I can make use of tcp_outgoing_mark.

I just noticed that there was the same discussion on the list previously as well (in 2013); here is the link: http://www.squid-cache.org/mail-archive/squid-users/201303/0421.html

Regards

Amm
Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
On 15/03/2014 6:46 p.m., Amm wrote:
> Hello,
>
> I would like to mark the outgoing packet (on the server side) with the SAME MARK as on the incoming (NATed or CONNECTed) packet.
>
> There is the option tcp_outgoing_mark with which I can mark packets. But there is no ACL option to check the incoming mark.
>
> If there is already a way to do this then please guide.

No patch is needed to preserve the netfilter mark, which will work with all variants of netfilter.

http://www.squid-cache.org/Doc/config/qos_flows/

Squid's default action is to pass the netfilter MARK value from client through to the server. All you should need to do is *omit* tcp_outgoing_mark directives from changing it to something else.

Amos
Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
On 03/15/2014 05:11 PM, Amos Jeffries wrote:
> On 15/03/2014 6:46 p.m., Amm wrote:
> > I would like to mark the outgoing packet (on the server side) with the SAME MARK as on the incoming (NATed or CONNECTed) packet.
>
> http://www.squid-cache.org/Doc/config/qos_flows/
>
> Squid's default action is to pass the netfilter MARK value from client through to the server. All you should need to do is *omit* tcp_outgoing_mark directives from changing it to something else.
>
> Amos

Oh that's great, thanks, I did not know this.

However, I tried this but somehow I am not able to get it working. Please let me know what could be wrong.

First I thought it may be because netfilter-conntrack-devel was not installed. So I installed the same. Then I recompiled squid with these: --with-netfilter-conntrack and --with-libcap

  configure: ZPH QOS enabled: yes
  configure: QOS netfilter mark preservation enabled: yes
  ...
  checking for operational libcap2 headers... yes
  configure: libcap support enabled: yes
  configure: libcap2 headers are ok: yes
  ...
  configure: Linux Netfilter support requested: yes
  configure: Linux Netfilter Conntrack support requested: yes
  checking for library containing nfct_query... -lnetfilter_conntrack
  (4-5 more lines with header check with answer yes)

Installed the new squid and restarted squid.

Ran the following iptables commands for debugging:

  # CMD 1 - mark all packets coming from 192.168.1.45
  $ iptables -t mangle -I PREROUTING -s 192.168.1.45 -j MARK --set-mark 0x112

  # CMD 2 - count packets/bytes going OUT on port 80 and marked 0x112
  $ iptables -t mangle -I POSTROUTING -m mark --mark 0x112 -p tcp --dport 80

  # CMD 3 - NAT settings (intercept)
  $ iptables -t nat -nvL
  Chain PREROUTING (policy ACCEPT 22610 packets, 2251K bytes)
   pkts bytes target     prot opt in     out     source               destination
    347 21371 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Some settings in /etc/squid/squid.conf:

  http_port 3128 intercept

  # log for nfmark logging
  logformat nfmark %ts.%03tu %6tr %a %Ss/%03Hs %st %rm %ru %[un %Sh/%a %mt %nfmark %nfmark
  access_log daemon:/var/log/squid/access.log squid all
  access_log daemon:/var/log/squid/nfmark.log nfmark all

(Do I need to put anything else in squid.conf for marking?)
(There is no tcp_outgoing_mark)

Now I accessed Google from 192.168.1.45

  $ tail /var/log/squid/nfmark.log
  1394891128.585    403 192.168.1.45 TCP_MISS/200 21137 GET http://www.google.co.in/?xxx - HIER_DIRECT/173.194.36.56 text/html 0x0 0x0
  1394891128.793     92 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/srpr/mlogo2x_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0
  1394891128.851    115 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/logo_mobile_srp_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0

nfmark in and out are both logged as 0x0, whereas I was expecting at least one of them to be 0x112.

  $ iptables -t mangle -nvL PREROUTING
  Chain PREROUTING (policy ACCEPT 1590 packets, 604K bytes)
   pkts bytes target     prot opt in     out     source               destination
    135 22042 MARK       all  --  *      *       192.168.1.45         0.0.0.0/0            MARK set 0x112

  $ iptables -t mangle -nvL POSTROUTING
  Chain POSTROUTING (policy ACCEPT 1653 packets, 372K bytes)
   pkts bytes target     prot opt in     out     source               destination
      0     0            tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            mark match 0x112 multiport dports 80,443

PREROUTING shows 135 packets MARKed as 0x112 but POSTROUTING shows no packets marked.

What could be wrong?

Thanks in advance.

Amm
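The rules in the post tag packets with the MARK target, while Squid's mark preservation is built against libnetfilter_conntrack (the nfct_query line in the configure output) and, per the qos_flows documentation quoted later in the thread, looks for the mark on the connection (CONNMARK). The script below is an added example, not code from the thread or from the Squid project: it puts the post's packet-mark rule beside the connection-mark rules the documentation asks for, and adds an awk check over the "nfmark" logformat configured above. The client address, the mark value 0x112, the port and the sample log lines are assumptions modelled on the post (the third sample line, with 0x112 in it, is invented). Note that the thread itself reports that even with CONNMARK the client-to-server direction was still logged as 0x0, so the check verifies, it does not promise a result. Run with IPT=echo for a dry run that prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example, not from the squid-users thread or the Squid project.
# Packet-mark (MARK) rules from the post beside the connection-mark
# (CONNMARK) rules the qos_flows documentation requires, plus an awk check
# over the thread's "nfmark" logformat.  CLIENT, MARK_VAL, IPT and the
# sample log lines are assumptions / constructed test data.
#
# Usage:  IPT=echo sh marks.sh apply   # dry run: print the rules
#         sh marks.sh apply            # apply with iptables (needs root)

IPT="${IPT:-iptables}"
CLIENT="${CLIENT:-192.168.1.45}"   # assumed client address (from the post)
MARK_VAL="${MARK_VAL:-0x112}"      # assumed mark value (from the post)

# What the post did: MARK sets the mark on the individual packet (skb) only.
# The mark preservation code looks at the conntrack entry, so Squid logs 0x0.
packet_mark_rules() {
    $IPT -t mangle -A PREROUTING -s "$CLIENT" -j MARK --set-mark "$MARK_VAL"
}

# What the qos_flows documentation asks for: put the mark on the connection.
# --restore-mark copies the connection mark back onto every later packet of
# the flow, so packet-level "-m mark" matches still see it.
conn_mark_rules() {
    $IPT -t mangle -A PREROUTING -s "$CLIENT" -j CONNMARK --set-mark "$MARK_VAL"
    $IPT -t mangle -A PREROUTING -m connmark ! --mark 0 -j CONNMARK --restore-mark
    # Counter only (no -j target): upstream packets that actually carry the mark.
    $IPT -t mangle -A POSTROUTING -p tcp --dport 80 -m mark --mark "$MARK_VAL"
}

# Read lines in the thread's "nfmark" logformat from stdin.  The last two
# fields are the two %nfmark values; print "<lines with a non-zero mark>
# <lines with both marks 0x0>" so one glance shows whether anything propagated.
check_nfmark_log() {
    awk '{ if ($(NF-1) == "0x0" && $NF == "0x0") unmarked++; else marked++ }
         END { printf "%d %d\n", marked + 0, unmarked + 0 }'
}

# Constructed sample: two lines shaped like the post's output (0x0 0x0) and
# one invented line where the mark reached Squid.
SAMPLE_LOG='1394891128.585    403 192.168.1.45 TCP_MISS/200 21137 GET http://www.google.co.in/?xxx - HIER_DIRECT/173.194.36.56 text/html 0x0 0x0
1394891128.793     92 192.168.1.45 TCP_MISS/304 393 GET http://www.google.co.in/images/srpr/mlogo2x_3.png - HIER_DIRECT/173.194.36.56 - 0x0 0x0
1394891200.100    120 192.168.1.45 TCP_MISS/200 5120 GET http://example.invalid/ - HIER_DIRECT/203.0.113.7 text/html 0x112 0x0'

# Runs the check over the constructed sample; expected result is "1 2".
check_sample() {
    printf '%s\n' "$SAMPLE_LOG" | check_nfmark_log
}

# Apply (or, with IPT=echo, print) the connection-mark rules when asked to.
if [ "${1:-}" = "apply" ]; then
    conn_mark_rules
fi
```

Two checks worth doing alongside the rules: `iptables -t mangle -nvL POSTROUTING` must show the counter rule's pkts column moving once traffic flows, and the squid worker must still hold CAP_NET_ADMIN (for example `getpcaps $(pidof squid)`), since both reading the conntrack mark and setting a socket mark on the upstream connection need it, which is why the build in this thread enables libcap. The thread also notes that `qos_flows mark` has to be present in squid.conf for the preservation code to run at all.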
Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
On 03/15/2014 08:03 PM, Amm wrote:
> On 03/15/2014 05:11 PM, Amos Jeffries wrote:
> > On 15/03/2014 6:46 p.m., Amm wrote:
> > > I would like to mark the outgoing packet (on the server side) with the SAME MARK as on the incoming (NATed or CONNECTed) packet.
> >
> > http://www.squid-cache.org/Doc/config/qos_flows/
> >
> > Squid's default action is to pass the netfilter MARK value from client through to the server. All you should need to do is *omit* tcp_outgoing_mark directives from changing it to something else.
> >
> > Amos
>
> Oh that's great, thanks, I did not know this.
>
> However, I tried this but somehow I am not able to get it working. Please let me know what could be wrong.

Ok, I read further on that link itself; somewhere it says:

  disable-preserve-miss
      This option disables the preservation of the TOS or netfilter mark. By default, the existing TOS or netfilter mark value of the response coming from the remote server will be retained and masked with miss-mark.
      NOTE: in the case of a netfilter mark, the mark must be set on the connection (using the CONNMARK target) not on the packet (MARK target).

First, it says to use CONNMARK and not MARK. I tried with CONNMARK as well but it did not work.

Second, it says it's for the response coming from the remote server. My question however was to pass on the mark from client side to server side, i.e. the reverse of what the above paragraph says. (But your earlier reply said client to server, so there is confusion)

Any idea?

Regards

Amm
Re: [squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
On Sat, 2014-03-15 at 21:13 +0530, Amm wrote:
> Ok, I read further on that link itself; somewhere it says:
>
>   disable-preserve-miss
>       This option disables the preservation of the TOS or netfilter mark. By default, the existing TOS or netfilter mark value of the response coming from the remote server will be retained and masked with miss-mark.
>       NOTE: in the case of a netfilter mark, the mark must be set on the connection (using the CONNMARK target) not on the packet (MARK target).
>
> First, it says to use CONNMARK and not MARK. I tried with CONNMARK as well but it did not work.

Yes, you definitely need to use CONNMARK, not MARK.

> Second, it says it's for the response coming from the remote server.

I used (and created) the patch to get the value from the remote server. However, I can't remember whether it does it the other way as well (at the time I thought I'd written the documentation so clearly, but coming back to it now it's not clear...)

From memory, however, you do need to configure qos_flows to *something*, to trigger its operation. I think you can simply state qos_flows mark.

> My question however was to pass on the mark from client side to server side, i.e. the reverse of what the above paragraph says.

As above, it's primarily server to client. Get that working first so you know everything is in order, and then try it the other way.

Let me know what you find out and I will update the documentation! (I don't have time to look through the source code right now)

Andy
[squid-users] Is it possible to mark tcp_outgoing_mark (server side) with SAME MARK as incoming packet (client side)?
Hello,

I would like to mark the outgoing packet (on the server side) with the SAME MARK as on the incoming (NATed or CONNECTed) packet.

There is the option tcp_outgoing_mark with which I can mark packets. But there is no ACL option to check the incoming mark.

If there is already a way to do this then please guide. Otherwise I would like to suggest:

Option 1)
---
Syntax: tcp_outgoing_mark SAMEMARK [!]aclname

where SAMEMARK is a special (literal) word: where the acl matches, the same mark as on the incoming packet is applied.

For e.g. I can do:
  tcp_outgoing_mark SAMEMARK all

And all packets will be given the same mark as the incoming packet's mark.

Option 2)
---
Have an acl:

Syntax: acl aclname nfmark mark-value

Then I can do something like this:
  acl mark101 nfmark 0x101
  tcp_outgoing_mark 0x101 mark101

If both of the above options can be combined then it would be even better.

Thanks in advance,

Amm.