commit 2db32599d23de8aec2cc3c9bcd788788c979e8b6
Author: Alexander Gozman
Date: 2018-02-16 13:52:58 +0300

Fix clientside_mark and client port logging in TPROXY mode (#150)

The clientside_mark ACL was not working with TPROXY because a conntrack query could not find connmark without a true client port. Ip::Intercept::Lookup() must return true client address, but its TproxyTransparent() component was reseting the client port. We should use zero port when we compute the source address for the Squid-to-peer connection instead.

diff --git a/src/FwdState.cc b/src/FwdState.cc
index 0646792..6b50df1 100644
--- a/src/FwdState.cc
+++ b/src/FwdState.cc
@@ -1246,6 +1246,7 @@ getOutgoingAddress(HttpRequest * request, Comm::ConnectionPointer conn)
 else
 #endif
 conn->local = request->client_addr;
+ conn->local.port(0); // let OS pick the source port to prevent address clashes
 // some flags need setting on the socket to use this address
 conn->flags |= COMM_DOBIND;
 conn->flags |= COMM_TRANSPARENT;
diff --git a/src/ip/Intercept.cc b/src/ip/Intercept.cc
index 9c0164a..dd43020 100644
--- a/src/ip/Intercept.cc
+++ b/src/ip/Intercept.cc
@@ -168,7 +168,6 @@ Ip::Intercept::TproxyTransparent(const Comm::ConnectionPointer &newConn, int sil
 /* Trust the user configured properly. If not no harm done.
 * We will simply attempt a bind outgoing on our own IP. */
- newConn->remote.port(0); // allow random outgoing port to prevent address clashes
 debugs(89, 5, HERE << "address TPROXY: " << newConn);
 return true;
 #else
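Review bot: The added `conn->local.port(0);` in the FwdState.cc hunk is placed directly after the brace-less `else` body `conn->local = request->client_addr;`, so if that `else` has no braces (as the hunk suggests) the new line is not part of the `else` at all and runs on every path through this point, including the Linux-only path where the `else` was not taken. That is most likely the intended behaviour, since any spoofed source binding should leave the port to the OS, but the code as written reads as conditional; either wrap both statements in braces if it should be conditional, or make the intent explicit with a comment such as `// unconditionally: the spoofed bind below must never reuse the client's own source port`. The `if` paired with this `else`, and the start and end of getOutgoingAddress, lie outside the hunk, so the non-Linux build path cannot be confirmed from here. The Intercept.cc hunk is cut off at the end of the page and is not reviewed.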