Re: [squid-users] not working tproxy in squid 3.2

From: Eliezer Croitoru <eliezer_at_ngtech.co.il>
Date: Wed, 20 Mar 2013 11:35:21 +0200

On 3/19/2013 9:24 PM, Oleg wrote:
> On Tue, Mar 19, 2013 at 08:49:25PM +0200, Eliezer Croitoru wrote:
>> Hey Oleg,
>>
>> I want to understand a couple of things about the situation.
>> What is the problem? A memory leak?
>
> 1 problem - memory leak;
> 2 problem - tproxy doesn't work in squid 3.2.
>
I can think of a way you can configure squid to cause them both.

>> How do you see the memory leak? and where?
>
> I just start squid, start top and wait about an hour, when squid grows from
> 40MB to 800MB and the kernel kills it.
>
>> The memory leak you are talking about is in a case of tproxy usage only?
>
> It's hard to say. I ran squid 3.2 with no working tproxy (as I wrote),
> but with a normal proxy on tcp port 3128, and it ate my memory too. So tproxy
> is configured, but not used.
>
>> what is the load of the proxy cache?
>> do you use it for filtering or just plain cache?
>
> Only for filtering.
>
>> on what environment?
>
> What do you mean by environment?
>
ISP? OFFICE? HOME? ELSE...

>> the more details you can give on the scenario and point with your
>> finger on the problem I will be happy to assist us finding the
>> culprit.
>>
>> What linux distro are you using?
>
> Debian 6 and also tried debian 7.
My opinion is that you don't need to test on 7 or do special tests, but it
helped us to understand the nature of the problem.

Try not to use the filtering helper: use only the defaults and tproxy.
Also try to use this script, with tproxy on port 3129 and http_port
127.0.0.1:3128.

##start of script
#!/bin/sh -x
echo "loading modules required for the tproxy"
modprobe ip_tables
modprobe xt_tcpudp
modprobe nf_tproxy_core
modprobe xt_mark
modprobe xt_MARK
modprobe xt_TPROXY
modprobe xt_socket
modprobe nf_conntrack_ipv4
sysctl net.netfilter.nf_conntrack_acct
sysctl net.netfilter.nf_conntrack_acct=1
# policy routing: packets carrying fwmark 1 are looked up in table 100, which
# routes everything to the local host so the kernel hands them to the tproxy socket
ip route flush table 100
ip rule del fwmark 1 lookup 100   # fails harmlessly on the first run
ip rule add fwmark 1 lookup 100
ip -f inet route add local default dev lo table 100

echo "flushing any existing rules"
iptables -t mangle -F
iptables -t mangle -X DIVERT

echo "creating rules"
# DIVERT marks packets that already belong to a local (tproxy) socket so the
# ip rule above steers them to lo instead of forwarding them
iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT

iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
# replace ___LAN____ with the client subnet before running; the rule must stay
# on one logical line, hence the backslash continuation
iptables -t mangle -A PREROUTING -s ___LAN____ -p tcp -m tcp --dport 80 \
  -j TPROXY --on-port 3129 --tproxy-mark 0x1/0x1
##end of script

-- 
Eliezer Croitoru
Received on Wed Mar 20 2013 - 09:36:08 MDT

This archive was generated by hypermail 2.2.0 : Wed Mar 20 2013 - 12:00:06 MDT
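The script in the mail sets up the kernel side of tproxy; the matching squid side is `http_port 127.0.0.1:3128` plus `http_port 3129 tproxy` in squid.conf. As an added check (example code written for this page, not from Eliezer's post or from the Squid project), the following POSIX sh script verifies that the policy route and the mangle rules the script creates are actually present, which separates "tproxy not working" at the kernel level from a squid problem. It assumes tproxy port 3129 as in the thread and that `___LAN____` was already replaced, so it matches the TPROXY target rather than the source subnet; the tool output embedded in it is constructed sample data, with 192.168.1.0/24 as a made-up LAN.

```shell
#!/bin/sh
# Added example, not part of the thread. Verify that the fwmark policy route,
# the local route in table 100 and the mangle rules from the tproxy script
# took effect. The check takes the tool output as arguments so it can be
# exercised on captured text as well as on a live box (run as root with --live).

check_tproxy_plumbing() {
    rules="$1"     # output of: ip rule show
    routes="$2"    # output of: ip route show table 100
    mangle="$3"    # output of: iptables -t mangle -S
    missing=0
    echo "$rules" | grep -q 'fwmark 0x1 .*lookup 100' \
        || { echo "missing: ip rule fwmark 1 lookup 100"; missing=1; }
    echo "$routes" | grep -q '^local default dev lo' \
        || { echo "missing: local default route in table 100"; missing=1; }
    # iptables -S prints --set-mark 1 as --set-xmark 0x1/0xffffffff
    echo "$mangle" | grep -q -- '-A DIVERT -j MARK --set-xmark 0x1' \
        || { echo "missing: DIVERT chain marking packets with 1"; missing=1; }
    echo "$mangle" | grep -q -- '-A PREROUTING -p tcp -m socket -j DIVERT' \
        || { echo "missing: socket match diverting established tproxy flows"; missing=1; }
    echo "$mangle" | grep -q -- '-j TPROXY --on-port 3129 .*--tproxy-mark 0x1/0x1' \
        || { echo "missing: TPROXY rule for port 80 -> 3129"; missing=1; }
    if [ "$missing" -eq 0 ]; then
        echo "tproxy plumbing present"
    fi
    return "$missing"
}

# Constructed sample output for a correctly configured box (assumed LAN 192.168.1.0/24).
SAMPLE_RULES='0:      from all lookup local
32765:  from all fwmark 0x1 lookup 100
32766:  from all lookup main
32767:  from all lookup default'
SAMPLE_ROUTES='local default dev lo  scope host'
SAMPLE_MANGLE='-P PREROUTING ACCEPT
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-P POSTROUTING ACCEPT
-N DIVERT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -s 192.168.1.0/24 -p tcp -m tcp --dport 80 -j TPROXY --on-port 3129 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT'

# Constructed sample of a common failure: the ip rule is absent, so marked
# packets are routed normally and never reach the tproxy socket on lo.
BROKEN_RULES='0:      from all lookup local
32766:  from all lookup main
32767:  from all lookup default'

case "${1:-}" in
    --live)
        check_tproxy_plumbing "$(ip rule show)" "$(ip route show table 100)" "$(iptables -t mangle -S)"
        ;;
    --sample)
        check_tproxy_plumbing "$SAMPLE_RULES" "$SAMPLE_ROUTES" "$SAMPLE_MANGLE"
        ;;
    *)
        echo "usage: $0 --live | --sample" >&2
        ;;
esac
```

Run it with `--live` on the proxy box right after the tproxy script; every "missing:" line names a rule or route that the script did not leave behind, which is the first thing to sort out before looking at squid itself.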