[tproxy] TPROXY but without bridging?

admin at abp.pl
Tue Apr 1 22:16:44 CEST 2008


Hello Ming-Ching

On Sat, March 29, 2008, 15:30, Ming-Ching Tiew wrote:
(...)
> Well, among all things you have at least gotten to patch
> the 2.6.25-rc7 kernel. Good! That's a big step better than
> just ***STARING*** at the patch and refusing to use it and
> then starting to ask all sorts of questions about where the
> correct patch is!
>

Sorry, I thought that the clients' traffic to squid would be DNATed. Now I
know that with the new tproxy it is better to use a more intelligent
solution: packet CONNMARKing and changing routing tables with "ip rule" and
fwmark. As Henrik Nordstrom said, on router0 and routers a, b, c... the
iptables -t mangle entries mark http traffic and redirect routing to the
squid machine.

Now squid (patched with
tproxy-squid-2.6-STABLE18.20080304-110716-1204625236.patch) is caching the
flow, but with the IP address of Squid (not the clients').

Laszlo Attila Toth said that the problem is with the squid patch.

So now we need to ask who is able to fix the tproxy-4.1 patch for squid 2.6?
I'm right, aren't I?

Regards,
Tomasz

PS Sorry for my English.

>
> Until you have become an advanced user, may I know
> what is stopping you from making the squid box a bridge?

I don't want to have another server between the routers. I'm fighting DoS
attacks (viruses, etc.) and I'm afraid that the processor on the squid
machine may not handle the thousands of interrupts generated during attacks.

Better for me is a standalone and more resistant server.

On my router0 during an "attack", in top I sometimes have over 80-90% of
ksoftirqd/0 (I have Intel PCI-E 82572EI and 82573V cards).

Regards,
Tomasz

PS. Sorry for my English.
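As an added illustration of the setup the post describes (CONNMARK on the routers, fwmark and "ip rule" steering HTTP to a standalone Squid/TPROXY box instead of bridging it inline), here is a worked script. It is not code from the thread, from Henrik Nordstrom or from the tproxy or Squid projects; the addresses, interface names, mark value, table number and Squid port are assumptions, as is the exact option spelling of the tproxy 4.x TPROXY target and socket match. The point a practitioner needs to keep in mind is that two flows cross the router for every proxied request: the client's request, and the server's reply, which is addressed to the client's IP because Squid spoofs it. Both must be steered to the squid box, while traffic coming from the squid box must use the normal routing table.

```shell
#!/bin/sh
# Added example (not from the thread): CONNMARK + fwmark + "ip rule" on a
# router, plus the matching TPROXY rules on a standalone squid box.
# Addresses, interfaces, mark, table and port below are assumptions.
#
# Assumed topology:
#   LAN 192.168.0.0/24 -- eth1 [ router0 ] eth0 -- Internet
#                                  eth2
#                                   |
#                             10.0.0.2 squid (TPROXY on port 3128)
#
# Flows crossing router0 for one proxied request:
#   1. client -> server:80   arrives on eth1, must go to squid
#   2. squid  -> server:80   arrives on eth2 (source = client IP), goes upstream
#   3. server -> client      arrives on eth0, must go to squid (reply to 2)
#   4. squid  -> client      arrives on eth2 (source = server IP), goes to LAN

LAN_NET="${LAN_NET:-192.168.0.0/24}"
SQUID_IP="${SQUID_IP:-10.0.0.2}"
SQUID_IF="${SQUID_IF:-eth2}"      # router interface facing the squid box
SQUID_PORT="${SQUID_PORT:-3128}"
MARK="${MARK:-0x1}"
TABLE="${TABLE:-100}"
DRY_RUN="${DRY_RUN:-1}"            # 1 = print the commands, 0 = execute them

run() {
    if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Router side (router0, and routers a, b, c... if each has its own uplink).
router_rules() {
    # Mark every NEW HTTP connection whose source is a LAN address. This
    # catches flow 1 (client on eth1) and flow 2 (squid spoofing a client on
    # eth2), so that replies to either can be recognised later.
    run iptables -t mangle -A PREROUTING -s "$LAN_NET" -p tcp --dport 80 \
        -m conntrack --ctstate NEW -j CONNMARK --set-mark "$MARK"
    # Copy the connection mark onto each packet, except packets that arrive
    # from the squid box itself (flows 2 and 4): those take the main table.
    run iptables -t mangle -A PREROUTING ! -i "$SQUID_IF" \
        -m connmark --mark "$MARK" -j CONNMARK --restore-mark
    # Marked packets (flows 1 and 3) use a table whose only route is squid.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add default via "$SQUID_IP" table "$TABLE"
}

# Squid box side: hand port-80 packets for foreign addresses to the local
# Squid socket, and deliver replies to Squid's spoofed sockets locally
# instead of forwarding them (option names assumed per tproxy 4.x).
squid_rules() {
    run iptables -t mangle -N DIVERT
    run iptables -t mangle -A DIVERT -j MARK --set-mark "$MARK"
    run iptables -t mangle -A DIVERT -j ACCEPT
    # A packet that already belongs to a local (transparent) socket, e.g.
    # a server reply to a connection Squid opened with the client's IP.
    run iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    # New client requests: redirect to Squid without rewriting addresses.
    run iptables -t mangle -A PREROUTING -p tcp --dport 80 \
        -j TPROXY --tproxy-mark "$MARK/$MARK" --on-port "$SQUID_PORT"
    # Marked packets are treated as local even though the dst IP is not ours.
    run ip rule add fwmark "$MARK" lookup "$TABLE"
    run ip route add local 0.0.0.0/0 dev lo table "$TABLE"
}

# Number of commands each side emits in dry-run mode (handy for a sanity check).
count_router_cmds() { router_rules | grep -c .; }
count_squid_cmds()  { squid_rules  | grep -c .; }

case "${1:-}" in
    router) router_rules ;;
    squid)  squid_rules ;;
    *)      echo "# router side:"; router_rules
            echo "# squid side:";  squid_rules ;;
esac
```

Run it with no arguments to review the commands, then `DRY_RUN=0 ./tproxy-route.sh router` on each router and `DRY_RUN=0 ./tproxy-route.sh squid` on the squid box. The `! -i eth2` on the restore rule is what keeps Squid's own outbound connections and its replies to clients out of the squid-bound table; without it the squid box would receive its own traffic back. On the squid box the `-m socket` rule must come before the TPROXY rule, and the mark value must not collide with marks already used by other policy routing on the same hosts.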
