[tproxy] tproxy4, kernel 2.6.22 and squid-2.6.stable13
Laszlo Attila Toth
panther at balabit.hu
Thu Dec 6 08:53:53 CET 2007
Ming-Ching Tiew wrote:
> From: "KOVACS Krisztian" <hidden at sch.bme.hu>
>> Could you try if applying the attached patch on top of 4.0.3 helps you
>> with SNAT? (The patch is completely untested but at the moment I can't do
>> any testing.)
>>
>
> I have got more conclusive testing results now after doing
> further isolation of the problem :-
>
> 1. The packet path for SNAT works now.
>
> 2. The packet path without SNAT has problem working together
> with 'mangle' table OUTPUT chain ( maybe also with other chains
> in the mangle table as well).
>
> It happens that I have iptables command which mark the packets
> on the OUTPUT chain, then squid will fail to work. If I flush the
> entire OUTPUT chain in the mangle table, then squid will work.
>
> However I am doing policy routing, I hope to use the fwmark
> to route the packets accordingly.
>
> I guess it is because tproxy is sharing the mark values with all
> other packet mark and as soon as something else is making a mark,
> it will mess up tproxy ?
>
In 4.0.3 the fwmark is not used by tproxy, another value is used for it:
sk_buff.tproxy
With the tproxy match it should work, currently I don't see what can be
the problem. The policy/fwmark usage is probably independent from it.
--
Panther