On 18/07/2016 8:05 p.m., Omid Kosari wrote:
> Maybe I should describe more.
> The port 8080 is a parent peer of Squid. It is
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Windows-Updates-a-Caching-Stub-zone-A-windows-updates-store-td4678454.html
>
> squid config is
>
> acl wu dstdom_regex \.download\.windowsupdate\.com$
> acl wu-rejects dstdom_regex stats
> acl GET method GET
> cache_peer 127.0.0.1 parent 8080 0 proxy-only no-tproxy no-digest no-query
> no-netdb-exchange name=ms1
> cache_peer_access ms1 allow GET wu !wu-rejects
> cache_peer_access ms1 deny all
> never_direct allow GET wu !wu-rejects
> never_direct deny all
>
> and
>
> iptables -t mangle -A OUTPUT -p tcp -m tcp -d
> 127.0.0.1,192.168.1.1,192.168.1.2 --sport 8080 -j DSCP --set-dscp 0x60
>
> Now with this iptables rule I want to change the DSCP of packets which come
> from the parent peer to Squid. Then Squid preserves that DSCP and sends it to
> clients. With my description, will everything work as I want?

That is a clearer description. Thanks.

Your answer is: No.

There are kernel patches required to allow Squid to load the DSCP TOS marking from *incoming* packets from the peer. Last I heard those patches were not accepted into the kernel, are no longer being maintained, and no recent Linux kernel is compatible with them. You might be lucky and find out otherwise, but I am doubtful.

There are two alternatives though:

1) Your above iptables rule is no different in behaviour on the outgoing traffic side of Squid from what "qos_flows tos parent-hit=0x60" should be doing. So modulo bugs, there is no need to do anything with TOS on incoming, because the Squid cache_peer line has the info saying that traffic was from a parent (versus any random connection marked with DSCP 0x60 inbound). Data from the parent always arrives over connections associated by Squid with that cache_peer config.

2) Squid can do pass-thru using Netfilter MARK flags.

Each squid.conf directive that deals with TOS has both a 'tos' and a 'mark' variant. The 'mark' ones are able to pass-thru these netfilter markings the way you want. However, since netfilter marks are local to the one machine and not transmitted externally, you need to use iptables rules to convert received TOS/DSCP values into local MARK values on packets arriving, and the reverse translation for packets leaving the machine.

IIRC there were some gotchas involved. I do remember specifically that the TOS needed to be converted to CONNMARK (not MARK) in mangle or earlier. Then the NF MARK values are sync'd with CONNMARK at some stage just after that (sorry, my memory of that particular bit is long gone). The sync'd NF MARK is what gets passed between Squid and the kernel.

It is a bit clumsy and annoying, but without any kernel API to receive the TOS/DSCP values on incoming packets, it is what it is.

Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
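The TOS-to-CONNMARK-to-TOS translation sketched in the reply, written out as an added example (not code from the thread or from the Squid project): it prints the iptables rules for the thread's own values (parent at 127.0.0.1:8080, TOS 0x60) and only installs them when run as root with APPLY=1. The 6-bit DSCP conversion and the CONNMARK-versus-MARK requirement are iptables/Squid facts; placing the rules in mangle INPUT and OUTPUT is an assumption for a parent on the same host.

```shell
#!/bin/sh
# Added example: translate the DSCP the parent peer sets into a netfilter
# CONNMARK/MARK on the way in, and back into DSCP on the way out, so that the
# 'mark' variant of qos_flows can pass it through to clients.
# Assumes iptables with the dscp and mark matches and the CONNMARK/DSCP targets.
set -e

PEER_IP=127.0.0.1        # parent peer from the thread's cache_peer line
PEER_PORT=8080
TOS=0x60                 # TOS byte as used in 'qos_flows tos parent-hit=0x60'
NFMARK=0x60              # local netfilter mark; any free value, 0x60 kept for readability

# The dscp match and DSCP target take the 6-bit DSCP field, not the 8-bit TOS
# byte: TOS 0x60 is DSCP 0x18 (CS3). Passing 0x60 as a DSCP is out of range.
tos_to_dscp() {
    printf '0x%02x' $(( ($1 >> 2) & 0x3f ))
}

# Emit the mangle-table rules (printed, not applied, so they can be reviewed):
#  1. inbound from the parent: DSCP -> CONNMARK, on the connection, since Squid
#     reads the server-side connection mark (CONNMARK), not the packet MARK
#  2. sync the packet MARK from CONNMARK right after, as the reply describes
#  3. outbound: packets Squid marked on the client side get the DSCP restored
mangle_rules() {
    dscp=$(tos_to_dscp "$TOS")
    cat <<EOF
iptables -t mangle -A INPUT -p tcp -s $PEER_IP --sport $PEER_PORT -m dscp --dscp $dscp -j CONNMARK --set-mark $NFMARK
iptables -t mangle -A INPUT -p tcp -s $PEER_IP --sport $PEER_PORT -j CONNMARK --restore-mark
iptables -t mangle -A OUTPUT -m mark --mark $NFMARK -j DSCP --set-dscp $dscp
EOF
}

# Pair these rules with a 'qos_flows mark ...' line in squid.conf (the 'mark'
# variant named in the reply). Reading the connection mark needs a Squid built
# with netfilter conntrack support (--with-netfilter-conntrack); check your build.
if [ "${APPLY:-0}" = 1 ]; then
    mangle_rules | sh -e     # install the rules; requires root
else
    mangle_rules
fi
```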