[squid-users] cache peer communication about HIT/MISS between squid and non-squid peer

Amos Jeffries squid3 at treenet.co.nz
Thu Jul 21 07:23:11 UTC 2016


On 21/07/2016 6:21 p.m., Omid Kosari wrote:
> Amos Jeffries wrote
>> 2) Squid can do pass-thru using Netfilter MARK flags. Each squid.conf
>> directive that deals with TOS has both a 'tos' and a 'mark' variant. The
>> 'mark' ones are able to pass-thru these netfilter markings the way you
>> want.
>>
>> However, since netfilter marks are local to the one machine and not
>> transmitted externally. You need to use iptables rules to convert
>> received TOS/DSCP values into local MARK values on packets arriving, and
>> the reverse translation for packets leaving the machine.
>>
>> IIRC there were some gotchas involved. I do remember specifically that
>> the TOS needed to be converted to CONNMARK (not MARK) in mangle or
>> earlier. Then the NF MARK values sync'd with CONNMARK at some stage just
>> after that (sorry my memory of that particular bit is long gone). The
>> sync'd NF MARK is what gets passed between Squid and the kernel.

Sorry, got that bit wrong. It's the sync'd CONNMARK that gets passed.

>>
>> It is a bit clumsy and annoying, but without any kernel API to receive
>> the TOS/DSCP values on incoming packets it is what it is.
>>
>>
>> Amos
> 
> First I am going to do it on same server which may be simpler and no need to
> involve with convert to/from TOS
> 
> I have following iptables log
> 
>  IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=4148 TOS=0x00 PREC=0x00 TTL=64
> ID=57642 DF PROTO=TCP SPT=8080 DPT=12513 WINDOW=1495 RES=0x00 ACK PSH URGP=0
> MARK=0x30 

squid.conf:

  qos_flows mark


As the documentation says:
"
By default this functionality is disabled.

To enable it with the default settings simply use "qos_flows mark" ...

Default settings will result in the netfilter mark ... value being
copied from the upstream connection to the client.

Note that it is the connection CONNMARK value not the packet MARK value
that is copied.
"



Amos
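The translation described in the thread (DSCP on arriving packets to CONNMARK in mangle, and the packet MARK Squid sets on the client side back to DSCP on the way out), written up as a small rule generator. This is an added example, not code from the thread or from Squid; the DSCP/mark pairs (46/0x30, 10/0x20) are constructed, and only 0x30 comes from the log above.

```shell
#!/bin/sh
# Generate the iptables mangle rules that pair a DSCP value with a netfilter
# mark. Incoming side: stamp the conntrack entry (CONNMARK, not MARK) in
# PREROUTING so "qos_flows mark" can read it from the upstream connection.
# Outgoing side: packets Squid sends from a socket carrying that mark get the
# DSCP value written back before they leave the box.
#
# Usage: ./dscp_connmark.sh          -> print the rules (dry run)
#        APPLY=1 ./dscp_connmark.sh  -> execute them with iptables (as root)

# Constructed mapping. Each line: <dscp decimal> <mark hex>
DSCP_MARK_TABLE="46 0x30
10 0x20"

# Print (dry run) or execute one iptables invocation.
ipt() {
    if [ "${APPLY:-0}" = "1" ]; then
        iptables "$@"
    else
        printf 'iptables %s\n' "$*"
    fi
}

# Rules for one DSCP/mark pair. In a real deployment add "-i <upstream-iface>"
# to the PREROUTING rule so client requests are not stamped by mistake.
rules_for_pair() {
    dscp="$1"; mark="$2"
    ipt -t mangle -A PREROUTING -m dscp --dscp "$dscp" -j CONNMARK --set-mark "$mark"
    ipt -t mangle -A OUTPUT -m mark --mark "$mark" -j DSCP --set-dscp "$dscp"
}

# Emit the complete rule set for every pair in the table.
generate_rules() {
    echo "$DSCP_MARK_TABLE" | while read -r dscp mark; do
        [ -n "$dscp" ] || continue
        rules_for_pair "$dscp" "$mark"
    done
}

generate_rules
```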


