From: "Alan M. Carroll"
Organization: Network Geographics, Inc.
Date: Thu, 24 May 2012 06:51:32 -0500
To: Saraswathi Venkataraman
Reply-To: users@trafficserver.apache.org
Subject: Re: Configuring traffic server on transparent proxy mode.

I would use just server_ports for all port description information. It was put in to do precisely that.

For iptables, a "--set-mark 0x1/0x1 -j ACCEPT" is effectively the same as your DIVERT chain. I don't use the "-m socket" because once a stream is established normal routing will handle it. My iptables basically has two rules, one for --sport and one for --dport.

Thursday, May 24, 2012, 1:13:20 AM, you wrote:

> Thanks Alan.
> Are there any alternative ways to implement it without redundancy so that I can compare and see what can be removed? How do you suggest I implement it?

> Thanks & Regards
> Saraswathi Venkataraman | Xoriant Solutions Pvt. Ltd.
> Winchester, Hiranandani Business Park, Powai, Mumbai 400076, INDIA.
> Tel: +91 22 30511000 | Ext: 1113 | http://www.xoriant.com

> -----Original Message-----
> From: Alan M. Carroll [mailto:amc@network-geographics.com]
> Sent: Wednesday, May 23, 2012 8:55 PM
> To: Saraswathi Venkataraman
> Subject: Re: Configuring traffic server on transparent proxy mode.

> The use of server_port and server_other_ports is deprecated. You should use server_ports only, with "8080:tr-full". However the change was made so that those options should still work, although they will be removed in a future release. You should not under any circumstances use both server_port&server_other_ports and server_ports, that can cause port conflicts.

> You are marking packets and using routing table 100. Do you define rules for table 100? Also, it looks like your divert chain marks packets the same way as your --dport rule. But if it works, then it's correct.

> Wednesday, May 23, 2012, 8:18:24 AM, you wrote:

>> Finally resolved it this way: It got configured on tproxy mode
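
The question raised in the thread, whether rules are defined for table 100, can be checked mechanically. The script below is an added example, not from either poster or from the Traffic Server project; the function names and the sample `ip` output are constructed, while the mark 0x1 and table 100 are the values mentioned in the messages.

```shell
#!/bin/sh
# Added example: verify that packets carrying the TPROXY fwmark are sent to a
# policy-routing table that delivers them locally. Live use (assumed table 100):
#   check_tproxy_policy 0x1 "$(ip rule show)" "$(ip route show table 100)"

# Read `ip rule show` text on stdin; print the table used for fwmark $1.
# Accepts both "fwmark 0x1" and "fwmark 0x1/0x1".
table_for_mark() {
    awk -v want="$1" '{
        mark = ""; tbl = ""
        for (i = 1; i < NF; i++) {
            if ($i == "fwmark") { split($(i + 1), m, "/"); mark = m[1] }
            if ($i == "lookup") tbl = $(i + 1)
        }
        if ((mark "") == (want "") && tbl != "") { print tbl; exit }
    }'
}

# Read `ip route show table N` text on stdin; succeed if it has a local
# catch-all route on lo, which is what hands marked packets to the proxy.
has_local_default() {
    awk '$1 == "local" && ($2 == "default" || $2 == "0.0.0.0/0") {
             for (i = 3; i < NF; i++) if ($i == "dev" && $(i + 1) == "lo") ok = 1
         }
         END { exit (ok ? 0 : 1) }'
}

# check_tproxy_policy MARK RULES_TEXT ROUTES_TEXT: print a verdict, return 0/1.
check_tproxy_policy() {
    tbl=$(printf '%s\n' "$2" | table_for_mark "$1")
    if [ -z "$tbl" ]; then echo "no rule for fwmark $1"; return 1; fi
    if printf '%s\n' "$3" | has_local_default; then
        echo "fwmark $1 -> table $tbl -> local delivery"; return 0
    fi
    echo "table $tbl has no local default route"; return 1
}

# Constructed sample output, not captured from a real host.
RULES_OK='0: from all lookup local
32765: from all fwmark 0x1/0x1 lookup 100
32766: from all lookup main'
ROUTES_OK='local default dev lo scope host'

check_tproxy_policy 0x1 "$RULES_OK" "$ROUTES_OK"
check_tproxy_policy 0x1 "$RULES_OK" "" || true   # marked, but table is empty
```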