Squid marking QOS and matching marks with linux iptables problem !


Ahmad Alzaeem
Hello Folks ,

I'm trying to mark outgoing Squid requests based on Linux mark matching.

I added to squid.conf:

qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT

But on iptables there is no match with the mark 0xd7.

I'm testing marking with Squid and matching with iptables, but it's not matching; the statistics are always 0 on the Linux iptables rule, which means it's not matched.

Squid version is 4.8.
Also, Squid was compiled with the '--enable-zph-qos' flag.

So I'm not sure if I need specific config for Squid.

Following:

https://wiki.squid-cache.org/Features/QualityOfService

Based on it we need a kernel patch for TOS, but I don't need TOS, I just need Layer 3 DSP, Linux mark rule based.

I even tried to match traffic by mark and connmark and both did not help.

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT
-A OUTPUT -m connmark --mark 0xd4 -j ACCEPT

So both rules above were not able to pick up Squid marking.

Any help from the team on this case?


Thank you
_______________________________________________
squid-users mailing list
[hidden email]
http://lists.squid-cache.org/listinfo/squid-users

Re: Squid marking QOS and matching marks with linux iptables problem !

Ahmad Alzaeem
Hello folks, can anyone on the mailing list help me with this case?

Thanks

Re: Squid marking QOS and matching marks with linux iptables problem !

Eliezer Croitoru-3

What OS?

Re: Squid marking QOS and matching marks with linux iptables problem !

Ahmad Alzaeem
Tested on both OSes below:

CentOS 7.7 64-bit & CentOS 6.10

Same result, Squid is not marking traffic.

Is there a way to run Squid in debug mode to see whether it is setting DSCP or not?



Thanks

Re: Squid marking QOS and matching marks with linux iptables problem !

Amos Jeffries
On 24/05/20 12:17 pm, Ahmad Alzaeem wrote:
> Tested on both OS below :
>
> Centos 7.7  64 bits  & Centos 6.10
>
>
> Same result , squid is not marking traffic .
>
> Is there a way to run squid into debug mode and debug to see if its
> making DSCP or not ?


'mark' are Netfilter MARK values within the local TCP stack. Accessed
with Netfilter conntrack.

'tos' is what sets DSCP values on packets between machines.


DSCP values should remain 0x0 in the config you showed unless you have
iptables rules converting MARK into TOS values.


You can set "debug_options 33,5 17,5 50,5" to see what squid is doing.


Amos

Re: Squid marking QOS and matching marks with linux iptables problem !

Ahmad Alzaeem
Hi Amos,

Sorry, I'm a bit confused...

Is it expected that my configuration below does not work:

qos_flows mark local-hit=0xd7
qos_flows mark local-miss=0xd7

-A OUTPUT -m mark --mark 0xd7 -j ACCEPT
-A OUTPUT -m connmark --mark 0xd7 -j ACCEPT

?

Do I need to edit Squid/iptables?


Thanks

Re: Squid marking QOS and matching marks with linux iptables problem !

Amos Jeffries
[NP: it would help if you replied through the list instead of directly
to me, even as a CC. Your messages keep getting diverted to spam folder. ]

On 25/05/20 4:26 am, Ahmad Alzaeem wrote:

> Hi Amos , 
>
> Sorry I'm confused a a bit …
>
> Are my results expected not to work with below :
>
>
> qos_flows mark local-hit=0xd7
> qos_flows mark local-miss=0xd7
>
>
> -A OUTPUT -m mark --mark 0xd7 -j ACCEPT
> -A OUTPUT -m connmark --mark 0xd7 -j ACCEPT
>
> ?

Squid should be MARK'ing packets with 0xd7.

Those iptables rules should match the packets MARK'ed with 0xd7.

Whether those statements are of any relevance depends on where your
iptables rules are configured in relation to all other rules and chains
your iptables is processing.


>
> Do I need to edit squid/iptables ?
>

Probably iptables. But not enough info to say how.


You asked about how to debug Squid MARK'ing earlier. What were the
results of that? Did you see Squid doing any marking?


Amos

Re: Squid marking QOS and matching marks with linux iptables problem !

Ahmad Alzaeem
Here is debug result :



2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc(1375) parseHttpRequest: Prepare absolute URL from 
2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc(2106) clientParseRequests: local=45.150.17.10:3128 remote=50.254.22.18:62916 FD 540 flags=1: done parsing a request
2020/05/25 12:04:58.043 kid1| 33,3| Pipeline.cc(24) add: Pipeline 0x43d98a0 add request 1 0x41e43f0*4
2020/05/25 12:04:58.043 kid1| 33,5| Http1Server.cc(188) buildHttpRequest: normalize 1 Host header using analytics.yopify.com:443
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(641) clientSetKeepaliveFlag: http_ver = HTTP/1.1
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(642) clientSetKeepaliveFlag: method = CONNECT
2020/05/25 12:04:58.043 kid1| 33,3| http/Stream.h(141) mayUseConnection: This 0x41e43f0 marked 1
2020/05/25 12:04:58.043 kid1| 50,3| comm.cc(946) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to 8.8.8.8:53 using FD 8 using Port 55332
2020/05/25 12:04:58.043 kid1| 50,3| comm.cc(946) comm_udp_sendto: comm_udp_sendto: Attempt to send UDP packet to 8.8.8.8:53 using FD 8 using Port 55332
2020/05/25 12:04:58.043 kid1| 33,3| client_side.cc(2119) clientParseRequests: Not parsing new requests, as this request may need the connection
2020/05/25 12:04:58.044 kid1| 33,5| AsyncJob.cc(154) callEnd: Http1::Server status out: [ job690]
2020/05/25 12:04:58.044 kid1| 33,5| AsyncCallQueue.cc(57) fireNext: leaving Server::doClientRead(local=45.150.17.10:3128 remote=50.254.22.18:62916 FD 540 flags=1, data=0x43d9858)
2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc(1339) GetMarkingsToServer: from 45.150.17.10 netfilter mark 0
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(350) comm_openex: comm_openex: Attempt open socket for: 45.150.17.10
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=45.150.17.10 remote=[::] FD 542 flags=1 : family=2, type=1, protocol=6
2020/05/25 12:04:58.064 kid1| 33,4| client_side.cc(2510) httpAccept: local=45.150.17.10:3128 remote=50.254.22.18:62917 FD 543 flags=1: accepted
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall ConnStateData::connStateClosed constructed, this=0x4024ec0 [call6687]
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall Http1::Server::requestTimeout constructed, this=0x422ab40 [call6688]
2020/05/25 12:04:58.064 kid1| 33,4| Server.cc(90) readSomeData: local=45.150.17.10:3128 remote=50.254.22.18:62917 FD 543 flags=1: reading request...
2020/05/25 12:04:58.064 kid1| 33,5| AsyncCall.cc(26) AsyncCall: The AsyncCall Server::doClientRead constructed, this=0x4025c50 [call6689]



I see mark 0 and mark 1, but I don't see any 0xd7 or similar.

Thanks

Re: Squid marking QOS and matching marks with linux iptables problem !

Amos Jeffries
On 25/05/20 9:25 pm, Ahmad Alzaeem wrote:

> Here is debug result :
>
>
>
> 2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc
> <http://client_side.cc>(1375) parseHttpRequest: Prepare absolute URL from 
> 2020/05/25 12:04:58.043 kid1| 33,5| client_side.cc
> <http://client_side.cc>(2106) clientParseRequests:
> local=45.150.17.10:3128 remote=50.254.22.18:62916 FD 540 flags=1: done
> parsing a request

The client connection on FD 540 was open long before this log trace
begins. Any netfilter details fetched are back at the point it was accepted.



> 2020/05/25 12:04:58.043 kid1| 33,3| http/Stream.h(141) mayUseConnection:
> This 0x41e43f0 marked 1

NP: this is a different kind of marking, about whether it is persistent
or not. Not relevant.


...
> 2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc
> <http://FwdState.cc>(1339) GetMarkingsToServer: from 45.150.17.10
> netfilter mark 0

This 0 mark is what iptables has set on returning packets for the origin
server connection.

That line existing at least confirms absolutely that the library and
relevant code is built properly - what Eliezer was looking for with the
squid -v request.


> 2020/05/25 12:04:58.056 kid1| 50,3| comm.cc <http://comm.cc>(350)
> comm_openex: comm_openex: Attempt open socket for: 45.150.17.10
> 2020/05/25 12:04:58.056 kid1| 50,3| comm.cc <http://comm.cc>(393)
> comm_openex: comm_openex: Opened socket local=45.150.17.10 remote=[::]
> FD 542 flags=1 : family=2, type=1, protocol=6

New connection opened, but the log snippet ends before the per-message
socket options are updated for the outgoing HTTP request message.

...



To find the most relevant lines look for "doNfmarkLocalHit",
"doNfmarkLocalMiss" and "setSockNfmark".

If there are errors receiving a MARK from iptables
"getNfmarkFromConnection" will show up too.

When you have found the relevant places, use the FD value on those lines
to grep for more details on what is happening on that connection.


Amos
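
Amos's procedure above (look for the QoS marking functions in the cache.log trace, then follow the FD value to see what happened on that connection) can be scripted. The following Python helper is an added example, not code from the Squid project or from anyone in this thread. It parses Squid 4 cache.log debug lines in the format shown in the posted trace, lists every marking-related event, groups them by file descriptor, and reports the FDs on which setSockNfmark applied the expected mark (0xd7 here). Of the embedded sample lines, the first three are copied from the trace posted in the thread; the last three are constructed, and only their function names come from the thread: the message text after the function name is an assumption made for illustration, since the real Squid messages may differ.

```python
import re
from collections import defaultdict

# Function names Amos says to search for; GetMarkingsToServer is the one
# already visible in the posted trace.
MARK_FUNCS = ("doNfmarkLocalHit", "doNfmarkLocalMiss", "setSockNfmark",
              "getNfmarkFromConnection", "GetMarkingsToServer")

# Squid cache.log debug line layout, as seen in the posted trace:
# "<date> <time> <kid>| <section>,<level>| <file>(<line>) <func>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d+) (?P<kid>\S+)\| "
    r"(?P<section>\d+),(?P<level>\d+)\| (?P<src>\S+?)\((?P<srcline>\d+)\) "
    r"(?P<func>\w+): (?P<msg>.*)$")
FD_RE = re.compile(r"\bFD (\d+)\b")
# Matches "netfilter mark 0" and "mark=0xd7" but deliberately not "marked 1",
# which is the unrelated persistent-connection flag Amos points out.
MARK_RE = re.compile(r"\bmark[= ](0x[0-9a-fA-F]+|\d+)\b", re.IGNORECASE)

# Constructed sample. Lines 1-3 are copied from the thread's trace; lines 4-6
# are hypothetical (function names from the thread, message text assumed).
SAMPLE_LOG = """\
2020/05/25 12:04:58.043 kid1| 33,3| http/Stream.h(141) mayUseConnection: This 0x41e43f0 marked 1
2020/05/25 12:04:58.056 kid1| 17,3| FwdState.cc(1339) GetMarkingsToServer: from 45.150.17.10 netfilter mark 0
2020/05/25 12:04:58.056 kid1| 50,3| comm.cc(393) comm_openex: comm_openex: Opened socket local=45.150.17.10 remote=[::] FD 542 flags=1 : family=2, type=1, protocol=6
2020/05/25 12:04:58.057 kid1| 33,3| QosConfig.cc(0) doNfmarkLocalMiss: local=45.150.17.10 remote=[::] FD 542 mark=0xd7
2020/05/25 12:04:58.057 kid1| 50,3| QosConfig.cc(0) setSockNfmark: FD 542 mark=0xd7
2020/05/25 12:04:58.058 kid1| 17,3| QosConfig.cc(0) getNfmarkFromConnection: FD 543 getsockopt failed
"""


def parse_line(line):
    """Return a dict for one cache.log debug line, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["section"], rec["level"] = int(rec["section"]), int(rec["level"])
    fd = FD_RE.search(rec["msg"])
    rec["fd"] = int(fd.group(1)) if fd else None
    mk = MARK_RE.search(rec["msg"])
    if mk:
        raw = mk.group(1)
        rec["mark"] = int(raw, 16) if raw.lower().startswith("0x") else int(raw, 10)
    else:
        rec["mark"] = None
    return rec


def marking_events(lines):
    """Every line emitted by one of the QoS marking functions, in log order."""
    return [r for r in map(parse_line, lines) if r and r["func"] in MARK_FUNCS]


def marks_by_fd(lines):
    """Group marking events by FD: which functions ran and which marks they reported."""
    by_fd = defaultdict(lambda: {"funcs": [], "marks": set()})
    for ev in marking_events(lines):
        if ev["fd"] is None:
            continue  # e.g. GetMarkingsToServer, which names no FD
        by_fd[ev["fd"]]["funcs"].append(ev["func"])
        if ev["mark"] is not None:
            by_fd[ev["fd"]]["marks"].add(ev["mark"])
    return dict(by_fd)


def lines_for_fd(lines, fd):
    """Amos's follow-up step: every debug line that mentions the given FD."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["fd"] == fd:
            out.append(line)
    return out


def fds_marked_with(lines, expected):
    """FDs on which setSockNfmark reported the expected mark (e.g. 0xd7)."""
    return sorted({ev["fd"] for ev in marking_events(lines)
                   if ev["func"] == "setSockNfmark"
                   and ev["fd"] is not None and ev["mark"] == expected})


if __name__ == "__main__":
    log_lines = SAMPLE_LOG.splitlines()
    for ev in marking_events(log_lines):
        print(f'{ev["ts"]} {ev["func"]:24} FD={ev["fd"]} mark={ev["mark"]}')
    print("FDs where setSockNfmark applied 0xd7:", fds_marked_with(log_lines, 0xd7))
    print("All lines for FD 542:")
    for line in lines_for_fd(log_lines, 542):
        print("  ", line)
```

Run it against a real cache.log captured with "debug_options 33,5 17,5 50,5" by replacing SAMPLE_LOG with the file contents; an empty result from fds_marked_with() for the configured value is the quickest way to tell whether the problem is on the Squid side (no setSockNfmark with that mark) or on the iptables side (mark applied, rule still not counting).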