[squid-users] Squid3.1 TProxy weirdness

From: Felipe W Damasio <felipewd_at_gmail.com>
Date: Wed, 6 Jan 2010 11:40:09 -0200

  Hi all,

  I'm new to this list, but checked the archives a lot before asking this.
  I'm trying to get squid-3.1 up and running with TProxy 4.1 on an ISP network.
  My setup is working correctly when only a few users are connected to
the users' VLAN. The users can browse and TProxy works.
  But when I plug in the router with all the users (around 60000),
squid doesn't respond anymore.
  I first suspected the problem was iptables/ebtables rules not
routing the packets to squid, but iptables -v -t mangle -L shows:

Chain PREROUTING (policy ACCEPT 144K packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination
   85  6232 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 5568 1581K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1

  And about 2 seconds later:

Chain PREROUTING (policy ACCEPT 208K packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination
   92  6692 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 7690 2210K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1

  So the requests are going through iptables, right?

  I added debug_options ALL,1 ALL,0 and 33,4, so I could see if
comm_accept returned OK or not. But cache.log doesn't show anything.
  Just so you guys know, eth0 is the client-facing interface and eth1
is the internet-facing interface.
  I'm using a 2.6.29.6 vanilla kernel, with these proc options:

echo 1 > /proc/sys/net/ipv4/ip_forward
echo 0 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/ip_nonlocal_bind
echo 1 > /proc/sys/net/ipv4/tcp_low_latency
echo 0 > /proc/sys/net/ipv4/conf/eth1/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 0 > /proc/sys/net/ipv4/conf/br0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/forwarding
echo 1 > /proc/sys/net/ipv4/conf/all/send_redirects
echo 1 > /proc/sys/net/ipv4/conf/eth0/send_redirects

  Also, I'm using these rules that I got on the squid wiki TProxy tutorial:

iptables -t mangle -N DIVERT
iptables -t mangle -A DIVERT -j MARK --set-mark 1
iptables -t mangle -A DIVERT -j ACCEPT
iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -j TPROXY \
    --tproxy-mark 0x1/0x1 --on-port 3128

ebtables -t broute -A BROUTING -i eth0 -p ipv4 --ip-proto tcp \
    --ip-dport 80 -j redirect --redirect-target DROP
ebtables -t broute -A BROUTING -i eth1 -p ipv4 --ip-proto tcp \
    --ip-sport 80 -j redirect --redirect-target DROP

 # turn off every bridge-netfilter knob (bridge-nf-call-*, bridge-nf-filter-*)
 cd /proc/sys/net/bridge/
 for i in *
 do
   echo 0 > "$i"
 done
 unset i

  Are there any tests I can do or any other info I can provide?

  Ebtables version is "ebtables v2.0.9-1 (June 2009)". And iptables is
"iptables v1.4.3.2".

  What kills me is that if I plug in a single user on the client
interface everything works...also if I put a single user on the VLAN
of the client interface everything works too...no idea why it doesn't
work when all users are plugged in.

  Thanks in advance!

Felipe Damasio
Received on Wed Jan 06 2010 - 13:40:16 MST
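As an added example (not part of Felipe's message, the Squid wiki or the Squid project), the following POSIX shell script does the arithmetic behind the "so the requests are going through iptables, right?" question: it takes two `iptables -v -t mangle -L PREROUTING` snapshots, embedded here as constructed strings copied from the two listings quoted above, and reports how many packets each target matched in between, the per-second rate, and the DIVERT delta as a share of the TPROXY delta. The interval of 2 seconds is the one the post gives; the `field_for`, `rule_delta`, `divert_share` and `report` names are this example's own.

```shell
#!/bin/sh
# Added example (not from the post or the Squid wiki): compare two
# `iptables -v -t mangle -L PREROUTING` snapshots and report what each
# target matched in between. SNAP_A and SNAP_B are constructed here from
# the two counter listings quoted in the message.

SNAP_A='Chain PREROUTING (policy ACCEPT 144K packets, 50M bytes)
 pkts bytes target     prot opt in     out     source               destination
   85  6232 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 5568 1581K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1'

SNAP_B='Chain PREROUTING (policy ACCEPT 208K packets, 62M bytes)
 pkts bytes target     prot opt in     out     source               destination
   92  6692 DIVERT     tcp  --  any    any     anywhere             anywhere            socket
 7690 2210K TPROXY     tcp  --  eth0   any     anywhere             anywhere            tcp dpt:http TPROXY redirect 0.0.0.0:3128 mark 0x1/0x1'

# field_for COL TARGET SNAPSHOT
# Prints column COL (1 = pkts, 2 = bytes) of the first rule whose target
# column is TARGET. Without -x, iptables abbreviates large counters with
# K/M/G (1000-based), so the suffix is expanded back to a plain integer.
field_for() {
    printf '%s\n' "$3" | awk -v c="$1" -v t="$2" '
        $3 == t {
            v = $c; m = 1
            if (v ~ /K$/) m = 1000; else if (v ~ /M$/) m = 1000000; else if (v ~ /G$/) m = 1000000000
            sub(/[KMG]$/, "", v)
            printf "%d\n", v * m
            exit
        }'
}

# rule_delta TARGET SNAP1 SNAP2: packets matched by TARGET between the snapshots
rule_delta() {
    a=$(field_for 1 "$1" "$2")
    b=$(field_for 1 "$1" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "rule with target $1 not found" >&2
        return 1
    fi
    echo $((b - a))
}

# divert_share SNAP1 SNAP2: DIVERT delta as a percentage of the TPROXY delta.
# DIVERT (-m socket) only matches packets that already belong to a local
# socket, so a share that stays near zero while TPROXY keeps climbing means
# very few of the redirected connections are being established with squid.
divert_share() {
    d=$(rule_delta DIVERT "$1" "$2")
    t=$(rule_delta TPROXY "$1" "$2")
    awk -v d="$d" -v t="$t" 'BEGIN {
        if (t == 0) print "n/a"; else printf "%.1f%%\n", 100 * d / t
    }'
}

# report SECONDS: per-target packet delta and rate between SNAP_A and SNAP_B
report() {
    secs=$1
    for target in DIVERT TPROXY; do
        d=$(rule_delta "$target" "$SNAP_A" "$SNAP_B")
        printf '%-7s +%d packets (%d pkt/s)\n' "$target" "$d" $((d / secs))
    done
    printf 'DIVERT share of TPROXY traffic: %s\n' "$(divert_share "$SNAP_A" "$SNAP_B")"
}

report 2
```

On the numbers quoted in the post this gives TPROXY +2122 packets (about 1061 pkt/s) against DIVERT +7, a share of roughly 0.3%: the TPROXY rule is clearly being hit, but almost nothing is matching `-m socket` afterwards, which is the column to watch when deciding whether the problem is before or after the redirect. To run it against a live box, replace SNAP_A and SNAP_B with two listings taken a few seconds apart (adding `-x` to iptables avoids the K/M rounding entirely).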

This archive was generated by hypermail 2.2.0 : Thu Jan 07 2010 - 12:00:02 MST