On Thu, 2013-03-28 at 22:52 +0000, Ed W wrote:

[...]

> Users have a choice of gateways to use the internet via (each will have
> a cost). Their choice of gateway is marked on packets from their
> machine, we then route through the appropriate gateway based on the
> connection mark (hence why I need it passed upstream through squid)
>
> Also we mark each connection with a unique per user mark so that
> iptables can account for the traffic they consume and bill them.
> Technically this could be done inside squid, but all other traffic is
> accounted in iptables and there are some hairy calculations needed to
> bill differently for different gateways, so I don't want to reproduce
> this in multiple locations

Ah, I see. In which case I can't think of any other way around it.

> Hence I think I need to implement the reverse of the current code?

Yes, you're probably right.

> Now, as for implementation, I don't have the code in front of me, but I
> think I noticed there is a single code path to open a new upstream
> connection?

I can't remember the exact details off the top of my head, but there are
various places that deal with the upstream network connection. Some parts
are only run on connection to a new website host, others are run every
time data is sent.

> At present this applies a packet mark based on tcp_outgoing_mark.

Well, there are various ways of applying a mark. tcp_outgoing_mark is only
one of them. You'd probably be better looking at the qos_flows code, as
this specifically transfers the connection mark from the server side to
the client side.

> Is the client connection information available at this point, so that I
> could mark the connection at this point based on the client connection
> mark?

Again, off the top of my head I'm not 100% sure, but I imagine it would be
possible. The key thing is that you can only retrieve the *connection*
mark from the socket, not the *packet* mark, but I don't think that would
be a problem for you.
> However, I think squid uses persistent connections to upstream?

Only if configured to do so, and even then you can still change the mark
on an existing connection.

> (I will always have another proxy as my upstream). If so then actually
> I need to reset the mark for each request?

I *think* you could just set the mark on the upstream connection for each
request.

> Where would be the correct location to put the marking code in this
> case, i.e. I guess where the packet is sent to the upstream socket?

I'd need to look into this in slower time.

> (I guess I need to be careful about pipelining also?)

Don't know.

As I said, the above are answers without checking the code (it's been a
couple of years since I've looked at it). I can have a look in due course,
or Amos might be able to chip in ;-)

In the meantime, you might want to look at the original patch for ideas:

http://bazaar.launchpad.net/~squid/squid/3.2/revision/10815

Andy