[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13

Laszlo Attila Toth panther at balabit.hu
Thu Dec 6 08:53:53 CET 2007

Ming-Ching Tiew írta:
> From: "KOVACS Krisztian" <hidden at sch.bme.hu>
>> Could you try if applying the attached patch on top of 4.0.3 helps you
>> with SNAT? (The patch is completely untested but at the moment I can't do
>> any testing.)
> I have got more conclusive testing results now after doing 
> further isolation of the problem :-
> 1. The packet path for SNAT works now.
> 2. The packet path without SNAT has problem working together 
>     with 'mangle' table OUTPUT chain ( maybe also with other chains
>     in the mangle table as well). 
>     It happens that I have iptables command which mark the packets 
>     on the OUTPUT chain, then squid will fail to work. If I flush the 
>     entire OUTPUT chain in the mangle table, then squid will work.
>     However I am doing policy routing, I hope to use the fwmark
>     to route the packets accordingly.
>     I guess it is because tproxy is sharing the mark values with all  
>     other packet mark and as soon as something else is making a mark, 
>     it will mess up tproxy ? 

In 4.0.3 the fwmark is not used by tproxy, another value is used for it:

With the tproxy match it should work, currently I don't see what can be 
the problem. The policy/fwmark usage is propably independent from it.


More information about the tproxy mailing list