Stef Coene wrote:
But when do you see the hostname? In the dns request and maybe in the http request. For all other packets only the ip address is known.But tc sees the fwmark value that iptables has attached to a packet, right? Hence the idea to accomplish the "destination host distinction" with iptables-rules, setting fwmark accordingly and let tc decide on the different fwmark values.
The http requests surely will contain the hostname, at least in those scenarios where a http-server is contacted that serves more than one (sub)domain (*).
So, at least the first packet of an established http connection will contain a "Host:"-line, which allows to mark that packet accordingly. Every following packet that belongs to the same connection can be handled with connection tracking, I think.
(*) There is a rare chance that no "Host: "-line is in the http-request, but most probably these requests won't be a problem regarding the necessity of controling their used bandwidth, since the client won't be able to make use of all services of the server. So, if the solution doesn't match these rare situations, it won't hurt, I suppose.
Well, I have to admit that I'm no iptables/tc-pro, so the idea I described could be wrong. Also:
Rereading the original post, I think he has an other problem.
Possibly. But maybe still another one than you described: he could be the admin of the subnet the described users sit in, or the admin of the mentioned server(s). Depending on this "point of view" different solutions could apply. It would be good if the original poster could clarify this aspect :)
Bye, Mike _______________________________________________ LARTC mailing list / LARTC@xxxxxxxxxxxxxxx http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
