Re: [squid-users] not working tproxy in squid 3.2

From: Oleg <lego12239_at_yandex.ru>
Date: Thu, 11 Apr 2013 14:14:29 +0400

On Tue, Apr 02, 2013 at 12:52:58AM +1300, Amos Jeffries wrote:
> On 1/04/2013 7:40 p.m., Oleg wrote:
> In your case with kernel limits of 800MB per-process this config
> will guarantee it gets killed quickly. No memory leak required:
>
> cache_mem 900 MB
>
> From your config I see Squid is using its default 256 MB of
> cache_mem. So you should expect to see at least 300MB of Squid RAM
> usage normally.

  I'm ready for 300MB, but I'm not ready for 800MB.

> The difference between 6 and 7 is the kernel version. Some Kernels
> are known to have TPROXY bugs.
> Also, the Debian kernels had non-working TPROXY for many releases
> after the apparently identical upstream kernel version was working
> very well. This affects Debian 6 for certain I'm not sure about 7.

  This is not an issue for us - we use a custom 3.2.38 kernel.

> >>modprobe xt_MARK
> >FATAL: Module xt_MARK not found.
>
> I would guess this is related to the problem.
>
> Theory: without MARK support in the kernel the TPROXY connections
> are looping through Squid until the active connection state consumes
> 800MB and gets killed.
> Can you verify that at all?

  What kernel config option is responsible for this?

# grep MARK /boot/config-3.2.38-my
CONFIG_NETWORK_SECMARK=y
CONFIG_NF_CONNTRACK_MARK=y
CONFIG_NF_CONNTRACK_SECMARK=y
CONFIG_NETFILTER_XT_MARK=m
CONFIG_NETFILTER_XT_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNMARK=m
CONFIG_NETFILTER_XT_TARGET_CONNSECMARK=m
CONFIG_NETFILTER_XT_TARGET_MARK=m
CONFIG_NETFILTER_XT_TARGET_SECMARK=m
CONFIG_NETFILTER_XT_MATCH_CONNMARK=m
CONFIG_NETFILTER_XT_MATCH_MARK=m
CONFIG_NET_SCH_DSMARK=m
CONFIG_CLS_U32_MARK=y

Now, we stay at squid 3.1.20 from Debian 7. And, as before, we see TCP
packets, but the client browser doesn't open any site (maybe the packets are broken?)

tcpdump of one http request (10.232.194.5 - client):

16:12:57.971120 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [S], seq 1252681145, win 65535, options [mss 1348,nop,nop,sackOK], length 0
16:12:57.971165 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [S.], seq 2610504694, ack 1252681146, win 14600, options [mss 1460,nop,nop,sackOK], length 0
16:12:57.971569 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [S], seq 3247035523, win 65535, options [mss 1348,nop,nop,sackOK], length 0
16:12:57.971608 IP 87.251.132.181.80 > 10.232.194.5.3734: Flags [S.], seq 901187601, ack 3247035524, win 14600, options [mss 1460,nop,nop,sackOK], length 0
16:12:57.973064 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [.], ack 1, win 65535, length 0
16:12:57.973195 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [F.], seq 1, ack 1, win 14600, length 0
16:12:57.973379 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [.], ack 1, win 65535, length 0
16:12:57.973458 IP 87.251.132.181.80 > 10.232.194.5.3734: Flags [F.], seq 1, ack 1, win 14600, length 0
16:12:57.975361 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [P.], seq 1:301, ack 1, win 65535, length 300
16:12:57.975388 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [R], seq 2610504695, win 0, length 0
16:12:57.975396 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [.], ack 2, win 65535, length 0
16:12:57.975409 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [R], seq 2610504696, win 0, length 0
16:12:57.975612 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [.], ack 2, win 65535, length 0
16:12:57.977060 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [F.], seq 1, ack 2, win 65535, length 0
16:12:57.977085 IP 87.251.132.181.80 > 10.232.194.5.3734: Flags [.], ack 2, win 14600, length 0
16:12:58.004864 IP 10.232.194.5.3735 > 87.251.132.181.80: Flags [S], seq 641201190, win 65535, options [mss 1348,nop,nop,sackOK], length 0
16:12:58.004897 IP 87.251.132.181.80 > 10.232.194.5.3735: Flags [S.], seq 2722793776, ack 641201191, win 14600, options [mss 1460,nop,nop,sackOK], length 0
16:12:58.014947 IP 10.232.194.5.3735 > 87.251.132.181.80: Flags [.], ack 1, win 65535, length 0
16:12:58.015059 IP 87.251.132.181.80 > 10.232.194.5.3735: Flags [F.], seq 1, ack 1, win 14600, length 0
16:12:58.016445 IP 10.232.194.5.3735 > 87.251.132.181.80: Flags [.], ack 2, win 65535, length 0
16:12:58.196105 IP 10.232.194.5.3735 > 87.251.132.181.80: Flags [P.], seq 1:301, ack 2, win 65535, length 300
16:12:58.196133 IP 87.251.132.181.80 > 10.232.194.5.3735: Flags [R], seq 2722793778, win 0, length 0
Received on Thu Apr 11 2013 - 10:18:25 MDT
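The capture above has a consistent shape that is easy to miss when reading raw tcpdump output: the intercepted server side (87.251.132.181:80, i.e. the TPROXY listener) completes the three-way handshake and then immediately sends FIN before the client has sent a single byte, and when the client pushes its 300-byte request anyway the server side answers with RST. That is the signature of the accepting process closing the socket without reading the request, not of corrupted packets. The following Python script is an added illustration, not code from the thread or from the Squid project: it parses tcpdump lines in the format shown in the post (the sample embedded below is copied from the capture above, first two flows), groups them into client flows, and reports for each flow whether the handshake completed, whether the server side sent FIN before any client payload, and whether it later sent RST. The `server_port` argument and the field names in the report are my own choices.

```python
import re
from collections import defaultdict

# Lines copied from the tcpdump in the post above (client 10.232.194.5,
# intercepted server side 87.251.132.181:80); the first two flows are shown.
SAMPLE = """\
16:12:57.971120 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [S], seq 1252681145, win 65535, options [mss 1348,nop,nop,sackOK], length 0
16:12:57.971165 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [S.], seq 2610504694, ack 1252681146, win 14600, options [mss 1460,nop,nop,sackOK], length 0
16:12:57.971569 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [S], seq 3247035523, win 65535, options [mss 1348,nop,nop,sackOK], length 0
16:12:57.971608 IP 87.251.132.181.80 > 10.232.194.5.3734: Flags [S.], seq 901187601, ack 3247035524, win 14600, options [mss 1460,nop,nop,sackOK], length 0
16:12:57.973064 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [.], ack 1, win 65535, length 0
16:12:57.973195 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [F.], seq 1, ack 1, win 14600, length 0
16:12:57.973379 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [.], ack 1, win 65535, length 0
16:12:57.973458 IP 87.251.132.181.80 > 10.232.194.5.3734: Flags [F.], seq 1, ack 1, win 14600, length 0
16:12:57.975361 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [P.], seq 1:301, ack 1, win 65535, length 300
16:12:57.975388 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [R], seq 2610504695, win 0, length 0
16:12:57.975396 IP 10.232.194.5.3733 > 87.251.132.181.80: Flags [.], ack 2, win 65535, length 0
16:12:57.975409 IP 87.251.132.181.80 > 10.232.194.5.3733: Flags [R], seq 2610504696, win 0, length 0
16:12:57.975612 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [.], ack 2, win 65535, length 0
16:12:57.977060 IP 10.232.194.5.3734 > 87.251.132.181.80: Flags [F.], seq 1, ack 2, win 65535, length 0
16:12:57.977085 IP 87.251.132.181.80 > 10.232.194.5.3734: Flags [.], ack 2, win 14600, length 0
"""

# One "tcpdump -n" TCP line: timestamp, src.port > dst.port, flags, ..., length N
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r".*\blength (?P<len>\d+)$"
)


def parse(text):
    """Parse tcpdump-style TCP lines into dicts; unrecognised lines are skipped."""
    packets = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            d = m.groupdict()
            packets.append({
                "ts": d["ts"], "src": d["src"], "sport": int(d["sport"]),
                "dst": d["dst"], "dport": int(d["dport"]),
                "flags": d["flags"], "len": int(d["len"]),
            })
    return packets


def analyse(packets, server_port=80):
    """Group packets into client flows and summarise how each one was closed.

    A flow is keyed by (client_ip, client_port). For each flow we record whether
    the handshake completed, whether the server side sent FIN before the client
    had sent any payload, and whether the server side ever answered with RST.
    """
    flows = defaultdict(list)
    for p in packets:
        if p["dport"] == server_port:
            flows[(p["src"], p["sport"])].append(("c2s", p["flags"], p["len"]))
        elif p["sport"] == server_port:
            flows[(p["dst"], p["dport"])].append(("s2c", p["flags"], p["len"]))

    report = {}
    for key, events in flows.items():
        client_syn = server_synack = False
        client_bytes = 0          # payload bytes the client has sent so far
        fin_before_data = False   # server FIN arrived while client_bytes == 0
        server_rst = False
        server_fin_seen = False
        for direction, flags, length in events:
            if direction == "c2s":
                client_syn |= "S" in flags
                client_bytes += length
            else:
                server_synack |= "S" in flags and "." in flags
                if "F" in flags and not server_fin_seen:
                    server_fin_seen = True
                    fin_before_data = client_bytes == 0
                server_rst |= "R" in flags
        report[key] = {
            "handshake_ok": client_syn and server_synack,
            "server_fin_before_client_data": fin_before_data,
            "server_rst": server_rst,
            "client_payload_bytes": client_bytes,
        }
    return report


if __name__ == "__main__":
    for (ip, port), r in sorted(analyse(parse(SAMPLE)).items()):
        print(f"{ip}:{port} {r}")
```

On the sample, both flows report `handshake_ok` and `server_fin_before_client_data` as true; flow 3733 additionally shows `server_rst` after 300 bytes of request data. When every flow in a capture looks like this, the next place to look is the proxy's own log for why it closes accepted intercepted connections before reading them (for example the MARK/TPROXY modules Amos asked about), rather than the wire.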