Re: [squid-users] Squid 3.1.6, zph, shorewall, and tc on debian 5.0 (lenny)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 07 Apr 2009 18:53:36 +1200

Jason wrote:
> Everyone,
>
> I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with

NP: please use the correct version numbering: 3.1.0.6.
There will probably be a 3.1.6 at some point in the future and hopefully
this problem will not apply to those users; best not to add confusion.

> zph options enabled. I don't peer with any other caches, so all peering
> stuff is disabled in my build. I did not compile a kernel with the zph
> patches, because, as I understand, that is only necessary if I want to
> preserve zph marks between caches. Plus, there is no zph patch for
> the kernel version I am running.

Right.

>
> With shorewall redirect rules, squid is operating as a transparent
> intercepting proxy just fine. I do not use tproxy - this is a NAT setup.
>
> I can not get the zph functions to work.
>
> Here are my config options:
>
> squid.conf
> ...
> qos_flows local-hit=0x30
> ...
>
> shorewall tcstart:
> #root htb
> tc qdisc add dev eth1 root handle 1: htb default 1
>
> #default htb
> tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps /
> ceil 64kbps
>
> #squid htb
> tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit
>
> tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match /
> ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7
>
> #I tried this for squid too
> #tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match /
> ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7
>
> The shorewall tcrules are all commented out right now, so it is not
> applying any filtering.
>
> I have about one week to finish off this server for production... Help?
>
>
> Jason Wallace
>

So what are the packet traces showing you about events?

Also, it's much easier for most of us to read the real firewall rules.
What does "iptables -L && iptables -t nat -L" show happening?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Tue Apr 07 2009 - 05:53:36 MDT
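
An added example, not part of either poster's message: a Python model of how the quoted u32 filter (`match ip protocol 0x6 0xff match ip tos 0x30 0xff`) decides between class 1:7 and the default 1:1, for reading a packet trace against the rule. The headers and addresses are constructed, the function names are assumptions, and the `0xfc` mask case goes beyond the thread to show how the mask treats the two low (ECN) bits of the TOS byte.

```python
import struct

def ipv4_header(tos, proto=6, src="192.0.2.10", dst="198.51.100.20"):
    """Constructed 20-byte IPv4 header (checksum left at 0, documentation addresses)."""
    s = bytes(int(x) for x in src.split("."))
    d = bytes(int(x) for x in dst.split("."))
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, proto, 0, s, d)

def u32_match(packet, value, mask, offset):
    """One u32 key: big-endian 32-bit word at `offset`, masked, then compared."""
    word = struct.unpack_from("!I", packet, offset)[0]
    return (word & mask) == (value & mask)

def match_ip_tos(packet, tos, mask):
    # TOS is header byte 1, i.e. bits 23..16 of the word at offset 0.
    return u32_match(packet, tos << 16, mask << 16, 0)

def match_ip_protocol(packet, proto, mask):
    # Protocol is header byte 9, i.e. bits 23..16 of the word at offset 8.
    return u32_match(packet, proto << 16, mask << 16, 8)

def classify(packet, tos=0x30, tos_mask=0xFF):
    """Return the flowid chosen: 1:7 when both keys match, else the htb default 1:1."""
    if match_ip_protocol(packet, 0x6, 0xFF) and match_ip_tos(packet, tos, tos_mask):
        return "1:7"
    return "1:1"

def report():
    """Classify constructed sample headers; returns (label, flowid) pairs."""
    samples = [
        ("tcp tos=0x30", ipv4_header(0x30), 0xFF),
        ("tcp tos=0x00 (unmarked)", ipv4_header(0x00), 0xFF),
        ("udp tos=0x30", ipv4_header(0x30, proto=17), 0xFF),
        ("tcp tos=0x32, mask 0xff", ipv4_header(0x32), 0xFF),
        ("tcp tos=0x32, mask 0xfc", ipv4_header(0x32), 0xFC),
    ]
    return [(label, classify(pkt, tos_mask=mask)) for label, pkt, mask in samples]

if __name__ == "__main__":
    for label, flowid in report():
        print(f"{label:28s} -> {flowid}")
```

If a trace on eth1 shows the TOS byte of cache-hit replies as anything other than exactly 0x30, the filter as quoted sends them to 1:1.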
