I've attached a graph which explains what the marked packets are.
Your design is wrong. You mark the upload traffic, when the main HTTP
traffic is the download traffic. That is why your QoS seems ineffective.
The general goal is to do QoS based on user IP. If I had no proxy, it would
be easy. However, since I have a proxy, my firewall sees the proxy IP, not the
users' IP.
Where is your firewall? Between the proxy and the webserver, or on the
other side?
In the first case, you can only mark the upload traffic (it's too late
for the download traffic). You should use the conntrack module to mark a
connection, and so you will be able to mark the download traffic.
Moreover, I don't understand why you don't have access to your user
addresses. You use mark, so your firewall and your proxy are running on
the same box. So, when the download traffic leaves your proxy/firewall,
the destination address is the user address. tc is called when a packet
is sent to the network, or when a packet arrives. So you can do IP based
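As an added example of the connection-mark approach described in the reply (not code from the original post): packets are marked by user IP on the upload side, the mark is copied onto the conntrack entry, and it is restored on the download side where the packet only carries the proxy's address, so a tc fw filter can still put the reply into the user's class. The LAN interface name, the sample user IPs, the rates and the one-mark-per-user scheme are all assumptions.

```shell
#!/bin/sh
# Added example, not from the original thread. DRY=echo (the default)
# prints the commands; DRY="" applies them (needs root, conntrack and
# the connmark match/target). LAN_IF and the user IPs are assumed.
DRY="${DRY-echo}"
LAN_IF="${LAN_IF:-eth0}"

# Rules for one user: $1 = user IP, $2 = fwmark, also used as tc class minor id.
mark_user() {
    ip="$1"; mark="$2"
    # Upload direction: packets from the user still carry the user's
    # source IP, so this is the only place the user is directly visible.
    $DRY iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$ip" \
        -j MARK --set-mark "$mark"
    # Copy the packet mark onto the connection so the reply direction
    # (proxy -> user) can inherit it later.
    $DRY iptables -t mangle -A PREROUTING -i "$LAN_IF" -s "$ip" \
        -j CONNMARK --save-mark
    # Per-user class on the LAN-facing egress qdisc, selected by fwmark.
    $DRY tc class add dev "$LAN_IF" parent 1:1 classid "1:$mark" htb rate 512kbit
    $DRY tc filter add dev "$LAN_IF" parent 1:0 protocol ip prio 1 \
        handle "$mark" fw flowid "1:$mark"
}

# Download direction: replies leave towards the user with the proxy's
# address as source, but conntrack still knows the connection, so the
# saved mark is restored onto the packet before tc classifies it.
restore_download_marks() {
    $DRY iptables -t mangle -A POSTROUTING -o "$LAN_IF" \
        -m connmark ! --mark 0 -j CONNMARK --restore-mark
}

setup_qos() {
    # HTB root with a shared parent class and a default leaf for unmarked traffic.
    $DRY tc qdisc add dev "$LAN_IF" root handle 1: htb default 2
    $DRY tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate 10mbit
    $DRY tc class add dev "$LAN_IF" parent 1:1 classid 1:2 htb rate 1mbit
    restore_download_marks
    mark_user 192.168.1.10 10   # constructed sample users
    mark_user 192.168.1.11 11
}

setup_qos
```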
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html