On Sat, 2010-12-25 at 04:51 +0100, Grégoire Leroy wrote:
> On Saturday 25 December 2010 03:35:12, Antoine Souques wrote:
> > > I've attached a graph which explains what the marked packets are.
> >
> > Your design is wrong. You mark the upload traffic, when the main http
> > traffic is the download traffic. That is why your QoS seems ineffective
>
> In this case I have probably misunderstood the goal of the tcp_outgoing_mark
> squid directive. Andrew, for what purpose is it developed?

tcp_outgoing_mark will mark packets going from squid to the webserver. If
you want to mark packets going from squid to your client then you need to
use clientside_mark instead.

> > > The general goal is to do a QoS based on user ip. If I had no proxy, it
> > > would be easy. However, since I've a proxy, my firewall sees the proxy
> > > ip, not the users IP.
> >
> > Where is your firewall ? Between the proxy and the webserver, or the
> > other side ?
>
> Yes it is
>
> > In the first case, you can only mark the upload traffic (it's too late
> > for the download traffic). You should use the conntrack module to mark a
> > connection, and so, you will be able to mark the download traffic
>
> I think it was the goal of the tcp_outgoing_mark squid directive (authored by
> Andrew).

If you're going to mark packets on the other side of Squid, then you'll
probably need to move the interface that your HTB qdisc is attached to.

> > Moreover, I don't understand why you don't have access to your user
> > addresses. You use mark, so your firewall and your proxy are running on
> > the same box. So, when the download traffic leaves your proxy/firewall,
> > the destination address is the user address. tc is called when a packet
> > is sent to the network, or when a packet arrives. So you can do IP based
> > QoS.
>
> The problem is if I limit the traffic between the proxy and users, then he
> won't see any difference between the data downloaded from internet and the
> data which was in cache in squid.
>
> I want to limit the rate only for non-cached data, so it seems relevant to
> apply QoS between proxy server and internet.

In which case you want qos_flows, as Amos has already pointed out.

Andy
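The point Andy makes is that a proxy terminates two separate TCP connections, so a netfilter mark set on the Squid-to-webserver side (tcp_outgoing_mark, or a CONNMARK restored from conntrack) never reaches the Squid-to-client packets that actually carry the download. Squid's qos_flows closes that gap by marking the client-side socket according to whether the reply was a cache hit or a miss, after which ordinary iptables and tc rules on the LAN interface can throttle only the non-cached data for a given user. The script below is an added example written for this reply, not code from the thread or from the Squid project. It assumes a Squid version with the "mark" form of qos_flows (marks 0x10 for misses and 0x20 for local hits), a LAN interface eth1 facing the clients, and one user at 192.168.1.10 whose cache-miss traffic is capped at 512 kbit/s; all of those values are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumed: Squid with
# "qos_flows mark ...", LAN interface eth1, user 192.168.1.10.
# Every privileged command goes through run(), so with DRY_RUN=1
# (the default) the script only prints what it would execute;
# run it as root with DRY_RUN=0 to apply the rules for real.

DRY_RUN=${DRY_RUN:-1}
LAN_IF=${LAN_IF:-eth1}
MISS_MARK=0x10      # set by Squid on replies fetched from the origin server
HIT_MARK=0x20       # set by Squid on replies served from its cache
USER_IP=192.168.1.10
USER_MARK=0x11      # MISS_MARK narrowed down to the one user we throttle

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# squid.conf fragment (assumed syntax): Squid marks the *client-side*
# socket of each reply by where the reply came from, so the hit/miss
# information survives the hop between the two TCP connections.
squid_conf() {
    printf 'qos_flows mark miss=%s local-hit=%s\n' "$MISS_MARK" "$HIT_MARK"
}

# Netfilter: packets leaving Squid towards the LAN already carry
# MISS_MARK or HIT_MARK. Re-mark only misses destined for USER_IP;
# cached replies keep HIT_MARK and fall into the default tc class.
mark_user_misses() {
    run iptables -t mangle -A OUTPUT -o "$LAN_IF" -d "$USER_IP" \
        -m mark --mark "$MISS_MARK" -j MARK --set-mark "$USER_MARK"
}

# tc on the client-facing interface (not the internet side): an HTB
# tree with a throttled class for the user's misses and an
# unthrottled default class for everything else, selected by fw mark.
shape_lan() {
    run tc qdisc add dev "$LAN_IF" root handle 1: htb default 20
    run tc class add dev "$LAN_IF" parent 1: classid 1:1 htb rate 100mbit
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:10 htb rate 512kbit ceil 512kbit
    run tc class add dev "$LAN_IF" parent 1:1 classid 1:20 htb rate 100mbit
    run tc filter add dev "$LAN_IF" parent 1: protocol ip prio 1 \
        handle "$USER_MARK" fw flowid 1:10
}

squid_conf
mark_user_misses
shape_lan
```

Because the marks are applied on the LAN interface after Squid has decided hit or miss, the user's cached downloads stay at full speed while origin fetches are throttled, which is the behaviour the original poster asked for. A second user is a matter of another `mark_user_misses`-style rule with its own mark and class.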