Jason wrote:
Jason wrote:
Amos,
Thanks for answering.
Amos Jeffries wrote:
Jason wrote:
Everyone,
I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with
NP: please use the correct version numbering: 3.1.0.6.
There will probably be a 3.1.6 at some point in the future and
hopefully this problem will not apply to those users; best not to add
confusion.
My mistake. This is for 3.1.0.6. My apologies to the squid community.
zph options enabled. I don't peer with any other caches, so all
peering stuff is disabled in my build. I did not compile a kernel with the zph
patches, because, as I understand, that is only necessary if I want to
preserve zph marks between caches. Plus, there is no zph patch for
the kernel version I am running.
Right.
With shorewall redirect rules, squid is operating as a transparent
intercepting proxy just fine. I do not use tproxy - this is a NAT
setup.
I can not get the zph functions to work.
Here are my config options:
squid.conf
...
qos_flows local-hit=0x30
...
shorewall tcstart:
# root htb
tc qdisc add dev eth1 root handle 1: htb default 1
# default htb class (everything not matched by a filter lands here)
tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps \
    ceil 64kbps
# squid htb class for cache hits
tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit
# steer TCP packets whose TOS byte is 0x30 (the qos_flows local-hit mark) to 1:7
tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
    ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7
# I tried this for squid too
#tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
#    ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7
The shorewall tcrules are all commented out right now, so it is not
applying any filtering.
I have about one week to finish off this server for production...
Help?
Jason Wallace
So what are the packet traces showing you about events?
Also, it's much easier for most of us to read the real firewall rules.
What does "iptables -L && iptables -t nat -L" show happening?
Amos
iptables -L && iptables -t nat -L yields the following. I will try to
packet trace this afternoon.
I have researched what a packet trace could mean. Do you want to see
what wireshark says on a client computer when I try to retrieve
something that should come from the cache?
I can't see the TOS handling in iptables; maybe we needed the -v option on
the list, or shorewall may have placed it elsewhere.
I just thought, check your config for tcp_outgoing_tos, which is likely
to replace any qos_flow specifics with the blanket TOS. I'm going to
have to fix that clash up someday.
Amos
--
Please be using
Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
Current Beta Squid 3.1.0.6
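An added example, not from the thread, that evaluates the u32 selectors of the tc filters quoted above against a constructed IPv4/TCP packet, so the TOS-0x30 match can be checked without a live interface. The packet fields (addresses, ports) are made up for the demo; offsets follow tc's "protocol ip" u32 semantics (relative to the IP header).

```python
import struct

def build_packet(tos, proto=6, src_port=80, dst_port=40000):
    """Constructed sample: minimal IPv4 header (no options) + bare TCP header."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 40, 0, 0, 64, proto, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 1, 10]))
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 0x50, 0x18, 8192, 0, 0)
    return ip + tcp

def u32_matches(packet, selectors):
    """Evaluate tc u32 match selectors against packet bytes.
    Forms mirror the filters in the thread:
      ('ip', 'protocol', value, mask) -> byte at IP offset 9
      ('ip', 'tos', value, mask)      -> byte at IP offset 1
      ('u32', value, mask, offset)    -> big-endian 32-bit word at offset
    Every selector must match (tc ANDs the match clauses of one filter)."""
    for sel in selectors:
        if sel[0] == 'ip':
            field, value, mask = sel[1], sel[2], sel[3]
            off = {'protocol': 9, 'tos': 1}[field]
            if packet[off] & mask != value & mask:
                return False
        elif sel[0] == 'u32':
            value, mask, off = sel[1], sel[2], sel[3]
            word = struct.unpack_from("!I", packet, off)[0]
            if word & mask != value & mask:
                return False
        else:
            raise ValueError("unsupported selector %r" % (sel[0],))
    return True

# The active filter from tcstart: TCP and TOS byte == 0x30 (qos_flows local-hit).
HIT_FILTER = [('ip', 'protocol', 0x6, 0xff), ('ip', 'tos', 0x30, 0xff)]
# The commented-out attempt: a 32-bit compare at IP offset 20, which for a
# 20-byte IP header is the TCP source/destination port word, not the TOS byte.
WORD_FILTER = [('ip', 'protocol', 0x6, 0xff), ('u32', 0x880430, 0xffffffff, 20)]

def classify(packet):
    """Return the htb class the packet would be steered to (1:1 is the default)."""
    return "1:7" if u32_matches(packet, HIT_FILTER) else "1:1"

if __name__ == "__main__":
    print("hit  ->", classify(build_packet(0x30)))   # 1:7
    print("plain ->", classify(build_packet(0x00)))  # 1:1
```

A packet whose TOS was overwritten by a blanket tcp_outgoing_tos value, as Amos suggests, no longer carries 0x30 and falls through to the default class, which is the symptom described in the thread.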