Re: [squid-users] Squid 3.1.0.6, zph, shorewall, and tc on debian 5.0 (lenny)

From: Jason <jason_at_azii.net>
Date: Thu, 09 Apr 2009 09:37:16 -0700

Amos Jeffries wrote:
> Jason wrote:
>> Jason wrote:
>>> Amos,
>>>
>>> Thanks for answering.
>>>
>>> Amos Jeffries wrote:
>>>> Jason wrote:
>>>>> Everyone,
>>>>>
>>>>> I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with
>>>>
>>>> NP: please use the correct version numbering: 3.1.0.6.
>>>> there will probably be a 3.1.6 at some point in the future and
>>>> hopefully this problem will not apply to those users, best not to
>>>> add confusion.
>>> My mistake. This is for 3.1.0.6. My apologies to the squid community.
>>>>
>>>>> zph options enabled. I don't peer with any other caches, so all
>>>>> peering stuff is disabled in my build. I did not compile a kernel
>>>>> with the zph patches, because, as I understand, that is only
>>>>> necessary if I want to preserve zph marks between caches. Plus,
>>>>> there is no zph patch for the kernel version I am running.
>>>>
>>>> Right.
>>>>
>>>>>
>>>>> With shorewall redirect rules, squid is operating as a transparent
>>>>> intercepting proxy just fine. I do not use tproxy - this is a NAT
>>>>> setup.
>>>>>
>>>>> I can not get the zph functions to work.
>>>>>
>>>>> Here are my config options:
>>>>>
>>>>> squid.conf
>>>>> ...
>>>>> qos_flows local-hit=0x30
>>>>> ...
>>>>>
>>>>> shorewall tcstart:
>>>>> #root htb
>>>>> tc qdisc add dev eth1 root handle 1: htb default 1
>>>>>
>>>>> #default htb
>>>>> tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps ceil 64kbps
>>>>>
>>>>> #squid htb
>>>>> tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit
>>>>>
>>>>> tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7
>>>>>
>>>>> #I tried this for squid too
>>>>> #tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7
>>>>>
>>>>> The shorewall tcrules are all commented out right now, so it is
>>>>> not applying any filtering.
>>>>>
>>>>> I have about one week to finish off this server for production...
>>>>> Help?
>>>>>
>>>>>
>>>>> Jason Wallace
>>>>>
>>>>
>>>> So what are the packet traces showing you about events?
>>>>
>>>> Also, it's much easier for most of us to read the real firewall
>>>> rules. What does "iptables -L && iptables -t nat -L" show happening?
>>>>
>>>> Amos
>>>
>>> iptables -L && iptables -t nat -L yields the following. I will try
>>> to packet trace this afternoon.
>> I have researched what a packet trace could mean. Do you want to see
>> what wireshark says on a client computer when I try to retrieve
>> something that should come from the cache?
>>
>
> I can't see the tos handling in iptables, maybe we needed -v option on
> the list, or shorewall may have placed it elsewhere.
>
> I just thought, check your config for tcp_outgoing_tos, which is
> likely to replace any qos_flow specifics with the blanket TOS. I'm
> going to have to fix that clash up someday.
>
> Amos

UPDATE:

When I issue
'tc filter show dev eth1'
it returns:

filter parent 1: protocol ip pref 1 u32
filter parent 1: protocol ip pref 1 u32 fh 800: ht divisor 1
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:7
  match 00060000/00ff0000 at 8
  match 00880430/ffffffff at 20

When I issue
tc -s filter
it returns nothing

So, I THINK the filters are there.

The tc qdisc and classes are there:

tc -s qdisc
qdisc pfifo_fast 0: dev eth0 root bands 3 priomap 1 2 2 2 1 2 0 0 1 1 1 1 1 1 1 1
 Sent 90646920 bytes 669638 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
qdisc htb 1: dev eth1 root r2q 10 default 1 direct_packets_stat 0
 Sent 338313859 bytes 340611 pkt (dropped 0, overlimits 491133 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0

tc -s class show dev eth1
class htb 1:1 root prio 0 rate 512000bit ceil 512000bit burst 1599b cburst 1599b
 Sent 338315321 bytes 340622 pkt (dropped 0, overlimits 0 requeues 0)
 rate 4904bit 6pps backlog 0b 0p requeues 0
 lended: 340622 borrowed: 0 giants: 0
 tokens: 22706 ctokens: 22706

class htb 1:2 root prio 0 rate 512000bit ceil 512000bit burst 1599b cburst 1599b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 24414 ctokens: 24414

class htb 1:7 root prio 0 rate 1000Kbit ceil 1000Kbit burst 1600b cburst 1600b
 Sent 0 bytes 0 pkt (dropped 0, overlimits 0 requeues 0)
 rate 0bit 0pps backlog 0b 0p requeues 0
 lended: 0 borrowed: 0 giants: 0
 tokens: 12500 ctokens: 12500

But the 1:7 class is empty - so nothing reaches it....

Here is the iptables output with -v. I didn't see any tc stuff there
(I'm not sure exactly what to look for).

iptables -L -v && iptables -t nat -L -v
Chain INPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 7357 864K eth0_in all -- eth0 any anywhere anywhere
 8623 745K eth1_in all -- eth1 any anywhere anywhere
    0 0 ACCEPT all -- lo any anywhere anywhere
    0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 Drop all -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:INPUT:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 326K 329M eth0_fwd all -- eth0 any anywhere anywhere
 259K 33M eth1_fwd all -- eth1 any anywhere anywhere
    0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 Drop all -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:FORWARD:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain OUTPUT (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
 3781 250K eth0_out all -- any eth0 anywhere anywhere
 6153 954K eth1_out all -- any eth1 anywhere anywhere
    0 0 ACCEPT all -- any lo anywhere anywhere
    0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT all -- any any anywhere anywhere

Chain Drop (7 references)
 pkts bytes target prot opt in out source destination
    0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth
 3620 395K dropBcast all -- any any anywhere anywhere
    0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed
    0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
    2 80 dropInvalid all -- any any anywhere anywhere
    0 0 DROP udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds
    0 0 DROP udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
    0 0 DROP udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535
    0 0 DROP tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
    0 0 DROP udp -- any any anywhere anywhere udp dpt:1900
    0 0 dropNotSyn tcp -- any any anywhere anywhere
    0 0 DROP udp -- any any anywhere anywhere udp spt:domain

Chain Reject (0 references)
 pkts bytes target prot opt in out source destination
    0 0 reject tcp -- any any anywhere anywhere tcp dpt:auth
    0 0 dropBcast all -- any any anywhere anywhere
    0 0 ACCEPT icmp -- any any anywhere anywhere icmp fragmentation-needed
    0 0 ACCEPT icmp -- any any anywhere anywhere icmp time-exceeded
    0 0 dropInvalid all -- any any anywhere anywhere
    0 0 reject udp -- any any anywhere anywhere multiport dports loc-srv,microsoft-ds
    0 0 reject udp -- any any anywhere anywhere udp dpts:netbios-ns:netbios-ssn
    0 0 reject udp -- any any anywhere anywhere udp spt:netbios-ns dpts:1024:65535
    0 0 reject tcp -- any any anywhere anywhere multiport dports loc-srv,netbios-ssn,microsoft-ds
    0 0 DROP udp -- any any anywhere anywhere udp dpt:1900
    0 0 dropNotSyn tcp -- any any anywhere anywhere
    0 0 DROP udp -- any any anywhere anywhere udp spt:domain

Chain all2fw (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 Drop all -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:all2fw:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain all2loc (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 Drop all -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:all2loc:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain all2net (0 references)
 pkts bytes target prot opt in out source destination
    0 0 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 Drop all -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:all2net:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain blacklog (7 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:blacklst:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain blacklst (4 references)
 pkts bytes target prot opt in out source destination
    0 0 blacklog all -- any any x.x.x.x/14 anywhere
    0 0 blacklog all -- any any x.x.x.x anywhere
    0 0 blacklog all -- any any www.true.com anywhere
    0 0 blacklog all -- any any x.x.x.x-static.reverse.softlayer.com anywhere
    0 0 blacklog all -- any any x.x.x.x anywhere
    0 0 blacklog all -- any any x.x.x.x anywhere
    0 0 blacklog all -- any any crl2.entrust.net anywhere

Chain dropBcast (2 references)
 pkts bytes target prot opt in out source destination
 3618 395K DROP all -- any any anywhere anywhere ADDRTYPE match dst-type BROADCAST
    0 0 DROP all -- any any anywhere BASE-ADDRESS.MCAST.NET/4

Chain dropInvalid (2 references)
 pkts bytes target prot opt in out source destination
    2 80 DROP all -- any any anywhere anywhere state INVALID

Chain dropNotSyn (2 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP tcp -- any any anywhere anywhere tcp flags:!FIN,SYN,RST,ACK/SYN

Chain dynamic (4 references)
 pkts bytes target prot opt in out source destination

Chain eth0_fwd (1 references)
 pkts bytes target prot opt in out source destination
 326K 329M dynamic all -- any any anywhere anywhere
 326K 329M blacklst all -- any any anywhere anywhere
    0 0 smurfs all -- any any anywhere anywhere state INVALID,NEW
 326K 329M tcpflags tcp -- any any anywhere anywhere
 326K 329M net2loc all -- any eth1 anywhere anywhere

Chain eth0_in (1 references)
 pkts bytes target prot opt in out source destination
 7357 864K dynamic all -- any any anywhere anywhere
 7357 864K blacklst all -- any any anywhere anywhere
 3620 395K smurfs all -- any any anywhere anywhere state INVALID,NEW
    2 80 tcpflags tcp -- any any anywhere anywhere
 7357 864K net2fw all -- any any anywhere anywhere

Chain eth0_out (1 references)
 pkts bytes target prot opt in out source destination
 3781 250K fw2net all -- any any anywhere anywhere

Chain eth1_fwd (1 references)
 pkts bytes target prot opt in out source destination
 259K 33M dynamic all -- any any anywhere anywhere
 259K 33M blacklst all -- any any anywhere anywhere
18509 936K smurfs all -- any any anywhere anywhere state INVALID,NEW
 259K 33M tcpflags tcp -- any any anywhere anywhere
 259K 33M loc2net all -- any eth0 anywhere anywhere

Chain eth1_in (1 references)
 pkts bytes target prot opt in out source destination
 8623 745K dynamic all -- any any anywhere anywhere
 8623 745K blacklst all -- any any anywhere anywhere
 7195 642K smurfs all -- any any anywhere anywhere state INVALID,NEW
 1244 83675 tcpflags tcp -- any any anywhere anywhere
 8623 745K loc2fw all -- any any anywhere anywhere

Chain eth1_out (1 references)
 pkts bytes target prot opt in out source destination
 6153 954K fw2loc all -- any any anywhere anywhere

Chain fw2loc (1 references)
 pkts bytes target prot opt in out source destination
 6153 954K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT all -- any any anywhere anywhere

Chain fw2net (1 references)
 pkts bytes target prot opt in out source destination
   27 4947 ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
 3754 245K ACCEPT all -- any any anywhere anywhere

Chain loc2fw (1 references)
 pkts bytes target prot opt in out source destination
 1428 103K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- any any x.x.x.x anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
 7195 642K ACCEPT all -- any any anywhere anywhere

Chain loc2net (1 references)
 pkts bytes target prot opt in out source destination
 240K 32M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- any any x.x.x.x anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
18509 936K ACCEPT all -- any any anywhere anywhere

Chain logdrop (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:logdrop:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain logflags (5 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- any any anywhere anywhere LOG level info ip-options prefix `Shorewall:logflags:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain logreject (0 references)
 pkts bytes target prot opt in out source destination
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:logreject:REJECT:'
    0 0 reject all -- any any anywhere anywhere

Chain net2fw (1 references)
 pkts bytes target prot opt in out source destination
 3737 469K ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT icmp -- any any anywhere anywhere icmp echo-request
 3620 395K Drop all -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:net2fw:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain net2loc (1 references)
 pkts bytes target prot opt in out source destination
 326K 329M ACCEPT all -- any any anywhere anywhere state RELATED,ESTABLISHED
    0 0 ACCEPT tcp -- any any anywhere x.x.x.x multiport dports smtp,www,pop3,imap2,https,imaps,pop3s
    0 0 Drop all -- any any anywhere anywhere
    0 0 LOG all -- any any anywhere anywhere LOG level warning prefix `Shorewall:net2loc:DROP:'
    0 0 DROP all -- any any anywhere anywhere

Chain reject (7 references)
 pkts bytes target prot opt in out source destination
    0 0 DROP all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST
    0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere
    0 0 DROP igmp -- any any anywhere anywhere
    0 0 REJECT tcp -- any any anywhere anywhere reject-with tcp-reset
    0 0 REJECT udp -- any any anywhere anywhere reject-with icmp-port-unreachable
    0 0 REJECT icmp -- any any anywhere anywhere reject-with icmp-host-unreachable
    0 0 REJECT all -- any any anywhere anywhere reject-with icmp-host-prohibited

Chain shorewall (0 references)
 pkts bytes target prot opt in out source destination

Chain smurfs (4 references)
 pkts bytes target prot opt in out source destination
    5 2144 RETURN all -- any any default anywhere
    0 0 LOG all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST LOG level info prefix `Shorewall:smurfs:DROP:'
    0 0 DROP all -- any any anywhere anywhere ADDRTYPE match src-type BROADCAST
    0 0 LOG all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere LOG level info prefix `Shorewall:smurfs:DROP:'
    0 0 DROP all -- any any BASE-ADDRESS.MCAST.NET/4 anywhere

Chain tcpflags (4 references)
 pkts bytes target prot opt in out source destination
    0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/FIN,PSH,URG
    0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN,RST,PSH,ACK,URG/NONE
    0 0 logflags tcp -- any any anywhere anywhere tcp flags:SYN,RST/SYN,RST
    0 0 logflags tcp -- any any anywhere anywhere tcp flags:FIN,SYN/FIN,SYN
    0 0 logflags tcp -- any any anywhere anywhere tcp spt:0 flags:FIN,SYN,RST,ACK/SYN

Chain PREROUTING (policy ACCEPT 27586 packets, 1820K bytes)
 pkts bytes target prot opt in out source destination
 3618 395K net_dnat all -- eth0 any anywhere anywhere

Chain POSTROUTING (policy ACCEPT 3752 packets, 245K bytes)
 pkts bytes target prot opt in out source destination
21951 1158K eth0_masq all -- any eth0 anywhere anywhere

Chain OUTPUT (policy ACCEPT 3752 packets, 245K bytes)
 pkts bytes target prot opt in out source destination

Chain eth0_masq (1 references)
 pkts bytes target prot opt in out source destination
18199 914K MASQUERADE all -- any any x.x.x.x/24 anywhere

Chain net_dnat (1 references)
 pkts bytes target prot opt in out source destination
    0 0 DNAT tcp -- any any anywhere anywhere multiport dports smtp,www,pop3,imap2,https,imaps,pop3s to:x.x.x.x
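To check what the u32 keys printed by 'tc filter show' in the message above actually compare, here is an added Python example (it is not from this thread, Squid or Shorewall) that parses those "match VALUE/MASK at OFF" lines, rebuilds the key form tc derives for one-byte matches such as "ip tos" and "ip protocol", and evaluates both against a constructed IPv4/TCP packet whose TOS byte is 0x30. The u32 offsets are relative to the start of the IPv4 header, so with a 20-byte header the "at 20" key compares the TCP source and destination ports, not the TOS byte.

```python
import struct

# Constructed sample: the u32 filter as printed by 'tc filter show dev eth1'
# in the post above (only the 'match' lines carry the comparison keys).
TC_FILTER_SHOW = """\
filter parent 1: protocol ip pref 1 u32 fh 800::800 order 2048 key ht 800 bkt 0 flowid 1:7
  match 00060000/00ff0000 at 8
  match 00880430/ffffffff at 20
"""


def parse_u32_keys(text):
    """Return [(value, mask, offset)] for every 'match VALUE/MASK at OFF' line."""
    keys = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[0] == "match" and parts[2] == "at":
            value, mask = (int(x, 16) for x in parts[1].split("/"))
            keys.append((value, mask, int(parts[3])))
    return keys


def u8_key(byte_offset, value, mask=0xFF):
    """Fold a one-byte IPv4 header match (what tc does for 'ip tos' at byte 1
    and 'ip protocol' at byte 9) into the 32-bit aligned key tc displays."""
    shift = 24 - 8 * (byte_offset % 4)
    return (value << shift, mask << shift, byte_offset & ~3)


def key_matches(packet, key):
    """Compare one key against the 32-bit word at its offset into the packet."""
    value, mask, off = key
    word = struct.unpack_from("!I", packet, off)[0]
    return (word & mask) == (value & mask)


def filter_matches(packet, keys):
    """A u32 filter selects a packet only if every one of its keys matches."""
    return all(key_matches(packet, k) for k in keys)


def build_ipv4_tcp(tos, sport, dport):
    """Constructed packet: 20-byte IPv4 header (no options) + 20-byte TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0x4000, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp


if __name__ == "__main__":
    pkt = build_ipv4_tcp(0x30, 80, 4321)  # TOS 0x30, as qos_flows local-hit=0x30 sets
    for key in parse_u32_keys(TC_FILTER_SHOW):
        print("key %08x/%08x at %2d matches: %s" % (key[0], key[1], key[2], key_matches(pkt, key)))
    tos_key = u8_key(1, 0x30)
    print("'match ip tos 0x30 0xff' is %08x/%08x at %d, matches: %s" % (*tos_key, key_matches(pkt, tos_key)))
```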
Received on Thu Apr 09 2009 - 16:37:26 MDT
