On Saturday 25 December 2010 03:35:12, Antoine Souques wrote:

> > I've attached a graph which explains what the marked packets are.
>
> Your design is wrong. You mark the upload traffic, when the main http
> traffic is the download traffic. That is why your QoS seems ineffective

In this case I have probably misunderstood the goal of the tcp_outgoing_mark squid directive. Andrew, for what purpose was it developed?

> > The general goal is to do a QoS based on user ip. If I had no proxy, it
> > would be easy. However, since I've a proxy, my firewall sees the proxy
> > ip, not the users' IP.
>
> Where is your firewall? Between the proxy and the webserver, or the
> other side?

Yes it is

> In the first case, you can only mark the upload traffic (it's too late
> for the download traffic). You should use the conntrack module to mark a
> connection, and so, you will be able to mark the download traffic

I thought it was the goal of the tcp_outgoing_mark squid directive (authored by Andrew).

> Moreover, I don't understand why you don't have access to your user
> addresses. You use mark, so your firewall and your proxy are running on
> the same box. So, when the download traffic leaves your proxy/firewall,
> the destination address is the user address. tc is called when a packet
> is sent to the network, or when a packet arrives. So you can do IP based
> QoS.

The problem is if I limit the traffic between the proxy and users, then there won't be any difference between the data downloaded from the internet and the data which was in cache in squid. I want to limit the rate only for non-cached data, so it seems relevant to apply QoS between the proxy server and the internet.
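The following is an added example, not part of this thread. It takes the suggestion above of shaping on the user-facing interface, where the destination address is the user's, and answers the cached/non-cached objection with Squid's `qos_flows mark miss=` directive (Squid 3.1+, requires netfilter support in the build), so that only packets of responses fetched from the Internet are marked and shaped; tcp_outgoing_mark is not used because its mark lands on the proxy-to-Internet (upload) side. Interface name, user addresses, rates and mark values are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread). Per-user HTB shaping on the LAN side,
# applied only to cache MISS responses.
# Assumed squid.conf line:   qos_flows mark miss=0x100
# (Squid sets nfmark 0x100 on proxy->user packets of responses fetched from
#  the Internet; HIT responses stay unmarked and fall into the unshaped class.)
set -eu

LAN_IF=eth1          # assumed interface facing the users
MISS_MARK=0x100      # must match the miss= value in squid.conf

# Final fw mark for user N: the MISS mark with the user index in the low byte.
user_mark() { printf '0x%x\n' $(( MISS_MARK | $1 )); }

# HTB classid for user N, under root qdisc 1:
user_class() { printf '1:%x\n' "$1"; }

setup_root() {
  # Unmarked (cache HIT) traffic goes to class 1:1 and is not rate-limited.
  tc qdisc add dev "$LAN_IF" root handle 1: htb default 1
  tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate 100mbit
}

# add_user <index 1..255> <user ip> <rate>
add_user() {
  idx=$1; ip=$2; rate=$3
  mark=$(user_mark "$idx"); cls=$(user_class "$idx")
  # Re-mark only MISS packets (already marked by Squid) destined to this user.
  iptables -t mangle -A POSTROUTING -o "$LAN_IF" -d "$ip" \
    -m mark --mark "$MISS_MARK" -j MARK --set-mark "$mark"
  tc class add dev "$LAN_IF" parent 1: classid "$cls" htb rate "$rate"
  tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 \
    handle "$mark" fw flowid "$cls"
}

# Run as "sh shape.sh apply" on the proxy/firewall box to install the rules.
if [ "${1:-}" = apply ]; then
  setup_root
  add_user 1 192.168.1.10 512kbit   # constructed sample users
  add_user 2 192.168.1.11 1mbit
fi
```

Check the result with `tc -s class show dev eth1`: only the per-user classes should accumulate bytes while a user fetches uncached objects, and a repeat fetch of a cached object should land in 1:1.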