Re: [squid-users] Out of sequence packets?

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 15 Dec 2013 16:33:15 +1300

On 15/12/2013 4:58 a.m., Matthew Goff wrote:
> Hi Amos,
>
> First, sorry for the double post -- my email seemed to be having
> issues yesterday.
>
> As to my issue: What steps can I do to try and validate that this is
> Squid or not? When I remove the following iptables entry and bypass
> Squid I can capture tcpdump traffic on the proxy machine and see no
> TCP reassemblies. Leaving the rules in place and passing traffic
> through Squid begins to show TCP reassemblies again and my application
> no longer works.
>
> -A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128
> --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
> -A DIVERT -j MARK --set-xmark 0x1/0xffffffff
>

The order of those rules is extremely sensitive. The DIVERT (which
handles both from-Squid and from-server packets) is required before the
TPROXY (which catches packets into Squid).

> I've been using my setup for a few years without issue and have never
> had an application fail to work prior to this. However when the
> application fails when routing traffic through Squid yet works when I
> bypass Squid, I'm not sure what else to blame or where else to look.

What do you mean by re-assemblies exactly...

* fragmented packets being assembled is required when there is a service
reading those packets as I/O. Optional for a router simply passing them on?

* packets whose ACK is not received from the server and which are re-sent by the Squid machine's TCP stack?

* packets being received from client multiple times?

Amos
Received on Sun Dec 15 2013 - 03:33:21 MST
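As an added example that is not part of the thread or of Squid's own code: the mangle-table layout that Squid's TPROXY documentation uses, with the socket-match DIVERT jump placed before the TPROXY rule, next to the same rules in the wrong order, and a small check that can be run over `iptables-save -t mangle` output to confirm the ordering. The mark value (0x1), routing table number (100), listening port (3128) and the `--on-ip 0.0.0.0` form are taken from the thread and the Squid wiki and are assumptions for your host; nothing here calls iptables or ip, so it runs without privileges.

```shell
#!/bin/sh
# Added example (not from the thread or from Squid): correct vs. wrong
# ordering of the TPROXY mangle rules, and a checker for saved rulesets.

# Ruleset in iptables-restore format. DIVERT comes first in PREROUTING:
# "-m socket" matches packets that belong to an already-open local socket,
# which includes the server's replies (addressed to the spoofed client IP,
# so they never match "--dport 80") and later client packets. Marking them
# with 0x1 lets the policy route below deliver them locally instead of
# forwarding them. TPROXY then only has to catch new client connections.
GOOD_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m socket -j DIVERT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
COMMIT
'

# Same rules with the DIVERT jump after TPROXY (constructed wrong ordering).
BAD_MANGLE='*mangle
:PREROUTING ACCEPT [0:0]
:DIVERT - [0:0]
-A DIVERT -j MARK --set-xmark 0x1/0xffffffff
-A DIVERT -j ACCEPT
-A PREROUTING -p tcp -m tcp --dport 80 -j TPROXY --on-port 3128 --on-ip 0.0.0.0 --tproxy-mark 0x1/0x1
-A PREROUTING -p tcp -m socket -j DIVERT
COMMIT
'

# Policy routing that must accompany the rules (mark 1 -> table 100 -> local):
#   ip rule add fwmark 1 lookup 100
#   ip route add local 0.0.0.0/0 dev lo table 100
# Squid side (assumption, matches --on-port above):
#   http_port 3128 tproxy

# rule_index RULESET PATTERN: 1-based line number of the first line matching
# PATTERN (a basic regex), or 0 when there is no such line.
rule_index() {
    n=$(printf '%s\n' "$1" | grep -n -- "$2" | head -n1 | cut -d: -f1)
    printf '%s\n' "${n:-0}"
}

# tproxy_order_ok RULESET: succeeds only when PREROUTING has a
# "-m socket ... -j DIVERT" rule and it precedes the "-j TPROXY" rule.
tproxy_order_ok() {
    d=$(rule_index "$1" '^-A PREROUTING .*-m socket .*-j DIVERT')
    t=$(rule_index "$1" '^-A PREROUTING .*-j TPROXY')
    [ "$d" -gt 0 ] && [ "$t" -gt 0 ] && [ "$d" -lt "$t" ]
}

# check_tproxy_order RULESET: prints "ok" or "bad" for use in scripts.
check_tproxy_order() {
    if tproxy_order_ok "$1"; then echo ok; else echo bad; fi
}

# Usage on a live box:  check_tproxy_order "$(iptables-save -t mangle)"
check_tproxy_order "$GOOD_MANGLE"   # ok
check_tproxy_order "$BAD_MANGLE"    # bad
```

The check only looks at rule order within PREROUTING; it does not verify that the DIVERT chain marks and ACCEPTs, nor that the `ip rule`/`ip route` entries exist, both of which are needed for the from-server packets to reach Squid.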
