From: "KOVACS Krisztian" <hidden@sch.bme.hu>
Could you try if applying the attached patch on top of 4.0.3 helps you with SNAT? (The patch is completely untested but at the moment I can't do any testing.)
I have got more conclusive testing results now after doing further isolation of the problem:

1. The packet path for SNAT works now.
2. The packet path without SNAT has a problem working together with the 'mangle' table OUTPUT chain (maybe with other chains in the mangle table as well).

It happens that I have an iptables command which marks the packets on the OUTPUT chain, and then squid will fail to work. If I flush the entire OUTPUT chain in the mangle table, then squid will work. However, I am doing policy routing, and I hope to use the fwmark to route the packets accordingly.

I guess it is because tproxy is sharing the mark values with all other packet marks, and as soon as something else is making a mark, it will mess up tproxy?

Regards