Amos Jeffries wrote
> On 18/07/2016 8:05 p.m., Omid Kosari wrote:
>> Maybe I should describe more.
>> The port 8080 is a parent peer of squid. It is
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Windows-Updates-a-Caching-Stub-zone-A-windows-updates-store-td4678454.html
>>
>> squid config is
>>
>> acl wu dstdom_regex \.download\.windowsupdate\.com$
>> acl wu-rejects dstdom_regex stats
>> acl GET method GET
>> cache_peer 127.0.0.1 parent 8080 0 proxy-only no-tproxy no-digest no-query no-netdb-exchange name=ms1
>> cache_peer_access ms1 allow GET wu !wu-rejects
>> cache_peer_access ms1 deny all
>> never_direct allow GET wu !wu-rejects
>> never_direct deny all
>>
>> and
>>
>> iptables -t mangle -A OUTPUT -p tcp -m tcp -d 127.0.0.1,192.168.1.1,192.168.1.2 --sport 8080 -j DSCP --set-dscp 0x60
>>
>> Now with this iptables rule I want to change the dscp of packets which
>> comes from parent peer to squid. Then squid preserve that dscp and send
>> it to clients. With my description will everything work as I want?
>
> That is a clearer description. Thanks
>
> Your answer is: No. There are kernel patches required to allow Squid to
> load the DSCP TOS marking from *incoming* packets from the peer.
>
> Last I heard those patches were not accepted into the kernel, no longer
> being maintained and no recent Linux kernel is compatible with them. You
> might be lucky and find out otherwise, but I am doubtful.
>
> There are two alternatives though:
>
> 1) your above iptables rule is no different in behaviour on the
> outgoing traffic side of Squid from what "qos_flows tos parent-hit=0x60"
> should be doing.
>
> So modulo bugs, there is no need to do anything with TOS on incoming
> because Squid cache_peer line has the info saying that traffic was from
> a parent (a versus any random connection marked with DSCP 0x60 inbound).
> Data from the parent always arrives over connections associated by Squid
> with that cache_peer config.
>
>
> 2) Squid can do pass-thru using Netfilter MARK flags. Each squid.conf
> directive that deals with TOS has both a 'tos' and a 'mark' variant. The
> 'mark' ones are able to pass-thru these netfilter markings the way you
> want.
>
> However, since netfilter marks are local to the one machine and not
> transmitted externally, you need to use iptables rules to convert
> received TOS/DSCP values into local MARK values on packets arriving, and
> the reverse translation for packets leaving the machine.
>
> IIRC there were some gotchas involved. I do remember specifically that
> the TOS needed to be converted to CONNMARK (not MARK) in mangle or
> earlier. Then the NF MARK values sync'd with CONNMARK at some stage just
> after that (sorry my memory of that particular bit is long gone). The
> sync'd NF MARK is what gets passed between Squid and the kernel.
>
> It is a bit clumsy and annoying, but without any kernel API to receive
> the TOS/DSCP values on incoming packets it is what it is.
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@.squid-cache
> http://lists.squid-cache.org/listinfo/squid-users

About alternative 1. Simpler English please. I even could not understand what you say.

About 2. Seems painful. I hope other threads solve the problem.

Thanks

--
View this message in context: http://squid-web-proxy-cache.1019090.n4.nabble.com/cache-peer-communication-about-HIT-MISS-between-squid-and-and-non-squid-peer-tp4600931p4678582.html