netfilter-devel.vger.kernel.org archive mirror
* Accessing packet marking functions
@ 2010-06-19 16:42 Andrew Beverley
  2010-06-19 20:01 ` Jan Engelhardt
  0 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-06-19 16:42 UTC (permalink / raw)
  To: netfilter-devel

I am considering patching Squid proxy so that it retains a packet's mark
value if it could not be fetched from the cache. Squid already has
similar functionality for the TOS field, but I would like to extend this
to netfilter's mark feature.

Can somebody point me in the right direction for the correct way of
setting and accessing the mark value of a packet? The TOS feature in
Squid uses setsockopt(). Is there an equivalent for mark? Should I be
using libnetfilter_queue?

Thanks in advance,

Andy




* Re: Accessing packet marking functions
  2010-06-19 16:42 Accessing packet marking functions Andrew Beverley
@ 2010-06-19 20:01 ` Jan Engelhardt
  2010-06-19 20:50   ` Andrew Beverley
                     ` (2 more replies)
  0 siblings, 3 replies; 17+ messages in thread
From: Jan Engelhardt @ 2010-06-19 20:01 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: netfilter-devel

On Saturday 2010-06-19 18:42, Andrew Beverley wrote:

>I am considering patching Squid proxy so that it retains a packet's mark
>value if it could not be fetched from the cache. Squid already has
>similar functionality for the TOS field, but I would like to extend this
>to netfilter's mark feature.
>
>Can somebody point me in the right direction for the correct way of
>setting and accessing the mark value of a packet? The TOS feature in
>Squid uses setsockopt(). Is there an equivalent for mark? Should I be
>using libnetfilter_queue?

setsockopt(fd, SOL_SOCKET, SO_MARK, ...)


* Re: Accessing packet marking functions
  2010-06-19 20:01 ` Jan Engelhardt
@ 2010-06-19 20:50   ` Andrew Beverley
  2010-06-20 11:16   ` Andrew Beverley
  2010-06-29 21:22   ` Andrew Beverley
  2 siblings, 0 replies; 17+ messages in thread
From: Andrew Beverley @ 2010-06-19 20:50 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

> >Can somebody point me in the right direction for the correct way of
> >setting and accessing the mark value of a packet? The TOS feature in
> >Squid uses setsockopt(). Is there an equivalent for mark? Should I be
> >using libnetfilter_queue?
> 
> setsockopt(fd, SOL_SOCKET, SO_MARK, ...)

Thanks Jan. I was honestly googling that for ages :-)

Not really for discussion here, but the whole concept of having a proxy
server in combination with traffic shaping rules makes things
challenging. All my traffic shaping rules are based on source and
destination interfaces, ports, and client addresses, so once a proxy is
thrown in, that sort of information is unavailable, as all the traffic
is no longer forwarded, but instead goes to and from the local host...

Andy




* Re: Accessing packet marking functions
  2010-06-19 20:01 ` Jan Engelhardt
  2010-06-19 20:50   ` Andrew Beverley
@ 2010-06-20 11:16   ` Andrew Beverley
  2010-06-20 11:52     ` Jan Engelhardt
  2010-06-29 21:22   ` Andrew Beverley
  2 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-06-20 11:16 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

> >Can somebody point me in the right direction for the correct way of
> >setting and accessing the mark value of a packet? The TOS feature in
> >Squid uses setsockopt(). Is there an equivalent for mark? Should I be
> >using libnetfilter_queue?
> 
> setsockopt(fd, SOL_SOCKET, SO_MARK, ...)

I am getting the error "Operation not permitted" when trying to do this.
Is this because the packet is not in a state where it can be marked, or
am I doing something stupid? My code is:

int nfmark = 255;
setsockopt(fd, SOL_SOCKET, SO_MARK, (int *) &nfmark, sizeof(int));


The following lines of code in the same place work okay to set the TOS:

int nfmark = 255;
setsockopt(fd, IPPROTO_IP, IP_TOS, (int *) &nfmark, sizeof(int));


Thanks,

Andy




* Re: Accessing packet marking functions
  2010-06-20 11:16   ` Andrew Beverley
@ 2010-06-20 11:52     ` Jan Engelhardt
  2010-06-20 12:31       ` Andrew Beverley
  0 siblings, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2010-06-20 11:52 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: netfilter-devel

On Sunday 2010-06-20 13:16, Andrew Beverley wrote:

>> >Can somebody point me in the right direction for the correct way of
>> >setting and accessing the mark value of a packet? The TOS feature in
>> >Squid uses setsockopt(). Is there an equivalent for mark? Should I be
>> >using libnetfilter_queue?
>> 
>> setsockopt(fd, SOL_SOCKET, SO_MARK, ...)
>
>I am getting the error "Operation not permitted" when trying to do this.
>Is this because the packet is not in a state where it can be marked, or
>am I doing something stupid? My code is:
>
>int nfmark = 255;
>setsockopt(fd, SOL_SOCKET, SO_MARK, (int *) &nfmark, sizeof(int));
>
>
>The following lines of code in the same place work okay to set the TOS:
>
>int nfmark = 255;
>setsockopt(fd, IPPROTO_IP, IP_TOS, (int *) &nfmark, sizeof(int));

1. Do away with the pointless casts.
2. Needs root privileges.


* Re: Accessing packet marking functions
  2010-06-20 11:52     ` Jan Engelhardt
@ 2010-06-20 12:31       ` Andrew Beverley
  2010-06-22  6:16         ` Patrick McHardy
  0 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-06-20 12:31 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

> >> >Can somebody point me in the right direction for the correct way of
> >> >setting and accessing the mark value of a packet? The TOS feature in
> >> >Squid uses setsockopt(). Is there an equivalent for mark? Should I be
> >> >using libnetfilter_queue?
> >> 
> >> setsockopt(fd, SOL_SOCKET, SO_MARK, ...)
> >
> >I am getting the error "Operation not permitted" when trying to do this.
> >Is this because the packet is not in a state where it can be marked, or
> >am I doing something stupid? My code is:
> >
> >int nfmark = 255;
> >setsockopt(fd, SOL_SOCKET, SO_MARK, (int *) &nfmark, sizeof(int));

> 1. Do away with the pointless casts.
> 2. Needs root privileges.

Thanks, that works now when running as root (with pointless casts
removed).

The problem is that Squid normally runs as a non-privileged user (I had
to remove the root checks from the code to get it to run as root). Is
there any way to mark packets when not root? Or is the only way to make
this work to run a small part of Squid as root?

Thanks,

Andy




* Re: Accessing packet marking functions
  2010-06-20 12:31       ` Andrew Beverley
@ 2010-06-22  6:16         ` Patrick McHardy
  2010-06-28 21:21           ` Andrew Beverley
  0 siblings, 1 reply; 17+ messages in thread
From: Patrick McHardy @ 2010-06-22  6:16 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Jan Engelhardt, netfilter-devel

Andrew Beverley wrote:
>>>>> Can somebody point me in the right direction for the correct way of
>>>>> setting and accessing the mark value of a packet? The TOS feature in
>>>>> Squid uses setsockopt(). Is there an equivalent for mark? Should I be
>>>>> using libnetfilter_queue?
>>>>
>>>> setsockopt(fd, SOL_SOCKET, SO_MARK, ...)
>>>
>>> I am getting the error "Operation not permitted" when trying to do this.
>>> Is this because the packet is not in a state where it can be marked, or
>>> am I doing something stupid? My code is:
>>>
>>> int nfmark = 255;
>>> setsockopt(fd, SOL_SOCKET, SO_MARK, (int *) &nfmark, sizeof(int));
>>
>> 1. Do away with the pointless casts.
>> 2. Needs root privileges.
>
> Thanks, that works now when running as root (with pointless casts
> removed).
>
> The problem is that Squid normally runs as a non-privileged user (I had
> to remove the root checks from the code to get it to run as root). Is
> there any way to mark packets when not root? Or is the only way to make
> this work to run a small part of Squid as root?


enter_suid()/leave_suid().


* Re: Accessing packet marking functions
  2010-06-22  6:16         ` Patrick McHardy
@ 2010-06-28 21:21           ` Andrew Beverley
  2010-06-28 21:45             ` Jan Engelhardt
  0 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-06-28 21:21 UTC (permalink / raw)
  To: Patrick McHardy; +Cc: Jan Engelhardt, netfilter-devel

> > The problem is that Squid normally runs as a non-privileged user (I had
> > to remove the root checks from the code to get it to run as root). Is
> > there any way to mark packets when not root? Or is the only way to make
> > this work to run a small part of Squid as root?
> 
> 
> enter_suid()/leave_suid().

Thanks, although in the end I have decided to try and use the
CAP_NET_ADMIN capability flag instead, to keep the use of root to a
minimum.

Cheers,

Andy




* Re: Accessing packet marking functions
  2010-06-28 21:21           ` Andrew Beverley
@ 2010-06-28 21:45             ` Jan Engelhardt
  0 siblings, 0 replies; 17+ messages in thread
From: Jan Engelhardt @ 2010-06-28 21:45 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Patrick McHardy, netfilter-devel


On Monday 2010-06-28 23:21, Andrew Beverley wrote:

>> > The problem is that Squid normally runs as a non-privileged user (I had
>> > to remove the root checks from the code to get it to run as root). Is
>> > there any way to mark packets when not root? Or is the only way to make
>> > this work to run a small part of Squid as root?
>> 
>> enter_suid()/leave_suid().
>
>Thanks, although in the end I have decided to try and use the
>CAP_NET_ADMIN capability flag instead, to keep the use of root to a
>minimum.

Hey, if you're that much worried, you'd be using SELinux ;-)


* Re: Accessing packet marking functions
  2010-06-19 20:01 ` Jan Engelhardt
  2010-06-19 20:50   ` Andrew Beverley
  2010-06-20 11:16   ` Andrew Beverley
@ 2010-06-29 21:22   ` Andrew Beverley
  2010-06-29 21:35     ` Maciej Żenczykowski
  2 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-06-29 21:22 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: netfilter-devel

> >I am considering patching Squid proxy so that it retains a packet's mark
> >value if it could not be fetched from the cache. Squid already has
> >similar functionality for the TOS field, but I would like to extend this
> >to netfilter's mark feature.
> >
> >Can somebody point me in the right direction for the correct way of
> >setting and accessing the mark value of a packet? The TOS feature in
> >Squid uses setsockopt(). Is there an equivalent for mark? Should I be
> >using libnetfilter_queue?
> 
> setsockopt(fd, SOL_SOCKET, SO_MARK, ...)

Thanks for the help so far. To retrieve the mark should I just be using:

getsockopt(fd, SOL_SOCKET, SO_MARK, ...) ?

I keep getting a mark of 0 despite setting a mark in PREROUTING. My code
is as follows:

int mark = 0;
int marklen = sizeof(mark);
getsockopt(newsocket, SOL_SOCKET, SO_MARK, &mark, &marklen);



Thanks,

Andy




* Re: Accessing packet marking functions
  2010-06-29 21:22   ` Andrew Beverley
@ 2010-06-29 21:35     ` Maciej Żenczykowski
  2010-06-30  6:14       ` Andrew Beverley
  0 siblings, 1 reply; 17+ messages in thread
From: Maciej Żenczykowski @ 2010-06-29 21:35 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Jan Engelhardt, netfilter-devel

That retrieves the socket mark, not the packet mark.
The packet mark on outgoing packets gets initialized to the socket mark...

On Tue, Jun 29, 2010 at 14:22, Andrew Beverley <andy@andybev.com> wrote:
>> >I am considering patching Squid proxy so that it retains a packet's mark
>> >value if it could not be fetched from the cache. Squid already has
>> >similar functionality for the TOS field, but I would like to extend this
>> >to netfilter's mark feature.
>> >
>> >Can somebody point me in the right direction for the correct way of
>> >setting and accessing the mark value of a packet? The TOS feature in
>> >Squid uses setsockopt(). Is there an equivalent for mark? Should I be
>> >using libnetfilter_queue?
>>
>> setsockopt(fd, SOL_SOCKET, SO_MARK, ...)
>
> Thanks for the help so far. To retrieve the mark should I just be using:
>
> getsockopt(fd, SOL_SOCKET, SO_MARK, ...) ?
>
> I keep getting a mark of 0 despite setting a mark in PREROUTING. My code
> is as follows:
>
> int mark = 0;
> int marklen = sizeof(mark);
> getsockopt(newsocket, SOL_SOCKET, SO_MARK, &mark, &marklen);
>
>
>
> Thanks,
>
> Andy
>
>
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html


* Re: Accessing packet marking functions
  2010-06-29 21:35     ` Maciej Żenczykowski
@ 2010-06-30  6:14       ` Andrew Beverley
  2010-06-30  6:15         ` Jan Engelhardt
  0 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-06-30  6:14 UTC (permalink / raw)
  To: Maciej Żenczykowski; +Cc: Jan Engelhardt, netfilter-devel

On Tue, 2010-06-29 at 14:35 -0700, Maciej Żenczykowski wrote:
> That retrieves the socket mark, not the packet mark.
> The packet mark on outgoing packets gets initialized to the socket mark...

Hmmm, I understand. So is there any way to retrieve a packet's mark as
opposed to a socket's mark?

Thanks,

Andy




* Re: Accessing packet marking functions
  2010-06-30  6:14       ` Andrew Beverley
@ 2010-06-30  6:15         ` Jan Engelhardt
  2010-06-30  6:32           ` Andrew Beverley
  0 siblings, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2010-06-30  6:15 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Maciej Żenczykowski, netfilter-devel

On Wednesday 2010-06-30 08:14, Andrew Beverley wrote:
>
>On Tue, 2010-06-29 at 14:35 -0700, Maciej Żenczykowski wrote:
>> That retrieves the socket mark, not the packet mark.
>> The packet mark on outgoing packets gets initialized to the socket mark...
>
>Hmmm, I understand. So is there any way to retrieve a packet's mark as
>opposed to a socket's mark?

And how would you do that with SOCK_STREAM anyway?


* Re: Accessing packet marking functions
  2010-06-30  6:15         ` Jan Engelhardt
@ 2010-06-30  6:32           ` Andrew Beverley
  2010-06-30  6:47             ` Jan Engelhardt
  0 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-06-30  6:32 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Maciej Żenczykowski, netfilter-devel

> >> That retrieves the socket mark, not the packet mark.
> >> The packet mark on outgoing packets gets initialized to the socket mark...
> >
> >Hmmm, I understand. So is there any way to retrieve a packet's mark as
> >opposed to a socket's mark?
> 
> And how would you do that with SOCK_STREAM anyway?

I don't know. I'll admit that I don't fully understand what I'm doing
here, which I apologise for, but I'm trying to learn.

All I want to do is retain a packet's mark from its arrival into Squid,
onto its transmission to the client. Something like this:


ppp0 -> PREROUTING -> Squid -> POSTROUTING -> eth0

            ^^                      ^^
         Set Mark               Read mark


If this isn't possible then please tell me.

Thanks,

Andy




* Re: Accessing packet marking functions
  2010-06-30  6:32           ` Andrew Beverley
@ 2010-06-30  6:47             ` Jan Engelhardt
  2010-10-24 17:30               ` Andrew Beverley
  0 siblings, 1 reply; 17+ messages in thread
From: Jan Engelhardt @ 2010-06-30  6:47 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Maciej Żenczykowski, netfilter-devel


On Wednesday 2010-06-30 08:32, Andrew Beverley wrote:
>> >> That retrieves the socket mark, not the packet mark.
>> >> The packet mark on outgoing packets gets initialized to the socket mark...
>> >
>> >Hmmm, I understand. So is there any way to retrieve a packet's mark as
>> >opposed to a socket's mark?
>> 
>> And how would you do that with SOCK_STREAM anyway?
>
>I don't know. I'll admit that I don't fully understand what I'm doing
>here, which I apologise for, but I'm trying to learn.
>
>All I want to do is retain a packet's mark from its arrival into Squid,
>onto its transmission to the client. Something like this:
>
>
>ppp0 -> PREROUTING -> Squid -> POSTROUTING -> eth0
>
>            ^^                      ^^
>         Set Mark               Read mark
>
>If this isn't possible then please tell me.

Hm, interesting case. I would say you could:

 - use CONNMARK in PREROUTING/INPUT
 - use libnetfilter_conntrack to query the connmark from within squid
   (since squid has address and port, that should identify the 
   connection within the nfct table)
 - use the so-obtained ctmark to populate the new socket's skmark


* Re: Accessing packet marking functions
  2010-06-30  6:47             ` Jan Engelhardt
@ 2010-10-24 17:30               ` Andrew Beverley
  2010-10-24 23:55                 ` Jan Engelhardt
  0 siblings, 1 reply; 17+ messages in thread
From: Andrew Beverley @ 2010-10-24 17:30 UTC (permalink / raw)
  To: Jan Engelhardt; +Cc: Maciej Żenczykowski, netfilter-devel

> >All I want to do is retain a packet's mark from its arrival into Squid,
> >onto its transmission to the client. Something like this:
> >
> >
> >ppp0 -> PREROUTING -> Squid -> POSTROUTING -> eth0
> >
> >            ^^                      ^^
> >         Set Mark               Read mark
> >
> >If this isn't possible then please tell me.
> 
> Hm, interesting case. I would say you could:
> 
>  - use CONNMARK in PREROUTING/INPUT
>  - use libnetfilter_conntrack to query the connmark from within squid
>    (since squid has address and port, that should identify the 
>    connection within the nfct table)
>  - use the so-obtained ctmark to populate the new socket's skmark

Thanks for this suggestion. Thought I'd drop a quick email (for
completeness) to say that the patch for this has now been included into
Squid. So, it is now possible for Squid to retain the mark on packets
for items that aren't cached, or set a mark on packets when items are
fetched from the cache.

Andy




* Re: Accessing packet marking functions
  2010-10-24 17:30               ` Andrew Beverley
@ 2010-10-24 23:55                 ` Jan Engelhardt
  0 siblings, 0 replies; 17+ messages in thread
From: Jan Engelhardt @ 2010-10-24 23:55 UTC (permalink / raw)
  To: Andrew Beverley; +Cc: Maciej Żenczykowski, netfilter-devel


On Sunday 2010-10-24 19:30, Andrew Beverley wrote:
>> >All I want to do is retain a packet's mark from its arrival into Squid,
>> >onto its transmission to the client. Something like this:
>> >
>> >
>> >ppp0 -> PREROUTING -> Squid -> POSTROUTING -> eth0
>> >
>> >            ^^                      ^^
>> >         Set Mark               Read mark
>> >
>> >If this isn't possible then please tell me.
>> 
>> Hm, interesting case. I would say you could:
>> 
>>  - use CONNMARK in PREROUTING/INPUT
>>  - use libnetfilter_conntrack to query the connmark from within squid
>>    (since squid has address and port, that should identify the 
>>    connection within the nfct table)
>>  - use the so-obtained ctmark to populate the new socket's skmark
>
>Thanks for this suggestion. Thought I'd drop a quick email (for
>completeness) to say that the patch for this has now been included into
>Squid. So, it is now possible for Squid to retain the mark on packets
>for items that aren't cached, or set a mark on packets when items are
>fetched from the cache.

I looked at the change in the squid SCM and...

libnetfilter_conntrack offers .pc files, so squid's configure.ac
should make use of PKG_CHECK_MODULES.

