[squid-users] cache peer communication about HIT/MISS between squid and non-squid peer

Amos Jeffries squid3 at treenet.co.nz
Mon Jul 18 10:55:28 UTC 2016


On 18/07/2016 8:05 p.m., Omid Kosari wrote:
> Maybe I should describe more.
> The port 8080 is a parent peer of squid. It is
> http://squid-web-proxy-cache.1019090.n4.nabble.com/Windows-Updates-a-Caching-Stub-zone-A-windows-updates-store-td4678454.html
> 
> squid config is 
> 
> acl wu dstdom_regex \.download\.windowsupdate\.com$
> acl wu-rejects dstdom_regex stats
> acl GET method GET
> cache_peer 127.0.0.1 parent 8080 0 proxy-only no-tproxy no-digest no-query no-netdb-exchange name=ms1
> cache_peer_access ms1 allow GET wu !wu-rejects
> cache_peer_access ms1 deny all
> never_direct allow GET wu !wu-rejects
> never_direct deny all
> 
> and
> 
> iptables -t mangle -A OUTPUT -p tcp -m tcp -d 127.0.0.1,192.168.1.1,192.168.1.2 --sport 8080 -j DSCP --set-dscp 0x60
> 
> Now with this iptables rule I want to change the DSCP of packets which come
> from the parent peer to squid. Then squid preserves that DSCP and sends it to
> clients. With my description, will everything work as I want?

That is a clearer description. Thanks.

Your answer is: No. There are kernel patches required to allow Squid to
load the DSCP TOS marking from *incoming* packets from the peer.

Last I heard those patches were not accepted into the kernel, no longer
being maintained and no recent Linux kernel is compatible with them. You
might be lucky and find out otherwise, but I am doubtful.

There are two alternatives though:

 1) your above iptables rule is no different in behaviour on the
outgoing traffic side of Squid from what "qos_flows tos parent-hit=0x60"
should be doing.

So modulo bugs, there is no need to do anything with TOS on incoming
because Squid cache_peer line has the info saying that traffic was from
a parent (versus any random connection marked with DSCP 0x60 inbound).
Data from the parent always arrives over connections associated by Squid
with that cache_peer config.


2) Squid can do pass-thru using Netfilter MARK flags. Each squid.conf
directive that deals with TOS has both a 'tos' and a 'mark' variant. The
'mark' ones are able to pass-thru these netfilter markings the way you want.

However, since netfilter marks are local to the one machine and not
transmitted externally, you need to use iptables rules to convert
received TOS/DSCP values into local MARK values on packets arriving, and
the reverse translation for packets leaving the machine.

IIRC there were some gotchas involved. I do remember specifically that
the TOS needed to be converted to CONNMARK (not MARK) in mangle or
earlier. Then the NF MARK values sync'd with CONNMARK at some stage just
after that (sorry my memory of that particular bit is long gone). The
sync'd NF MARK is what gets passed between Squid and the kernel.

It is a bit clumsy and annoying, but without any kernel API to receive
the TOS/DSCP values on incoming packets it is what it is.


Amos
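The following is an added example, not code from the thread or from the Squid project, showing the iptables side of Amos's option 2: copy the DSCP of the parent's reply packets into CONNMARK, sync the packet mark from it, and on the way out to clients turn the mark Squid sets on the socket back into a DSCP value. The host, port and mark value (127.0.0.1:8080, 0x60) are assumptions taken from the quoted setup; the `IPT` variable defaults to a dry run that only prints the rules. One caveat worth noting: Squid's `qos_flows` values are the full 8-bit TOS byte, while the iptables `dscp` match and `DSCP` target take the 6-bit DSCP field (0 to 63), so TOS 0x60 has to be written as DSCP 0x18 on the iptables side.

```shell
#!/bin/sh
# Added example (not from the squid-users thread): netfilter rules that pair
# with "qos_flows mark parent-hit=0x60" in squid.conf.
# Assumptions (hypothetical): parent peer at 127.0.0.1:8080, mark value 0x60
# chosen to equal the TOS byte used in squid.conf.
IPT=${IPT:-"echo iptables"}      # set IPT=iptables to actually load the rules
PEER_HOST=127.0.0.1
PEER_PORT=8080
TOS=0x60                         # full TOS byte, as written in squid.conf
MARK=0x60                        # local netfilter mark, never leaves the host

# squid.conf uses the 8-bit TOS byte; iptables' dscp match/target take the
# 6-bit DSCP field, i.e. DSCP = TOS >> 2 (0x60 -> 0x18, which is CS3).
tos_to_dscp() { printf '0x%02x' $(( $1 >> 2 )); }

# Inbound (mangle table): reply packets from the parent are matched by source
# port, their DSCP is copied into CONNMARK, and CONNMARK is then restored onto
# the packet mark (the MARK/CONNMARK sync Amos describes).
inbound_rules() {
    dscp=$(tos_to_dscp "$TOS")
    $IPT -t mangle -A INPUT -p tcp -s "$PEER_HOST" --sport "$PEER_PORT" \
        -m dscp --dscp "$dscp" -j CONNMARK --set-mark "$MARK"
    $IPT -t mangle -A INPUT -p tcp -s "$PEER_HOST" --sport "$PEER_PORT" \
        -j CONNMARK --restore-mark
}

# Outbound: packets Squid sends to clients carrying the mark get the DSCP
# written back, since marks are local to this machine only.
outbound_rules() {
    dscp=$(tos_to_dscp "$TOS")
    $IPT -t mangle -A OUTPUT -p tcp -m mark --mark "$MARK" \
        -j DSCP --set-dscp "$dscp"
}

# The matching squid.conf line (printed for reference, not applied).
squid_conf_fragment() {
    printf 'qos_flows mark parent-hit=%s\n' "$MARK"
}

inbound_rules
outbound_rules
squid_conf_fragment
```

Run as-is to print the rule set and the squid.conf line; set `IPT=iptables` to load the rules for real. The restore-mark rule is unconditional so that connections whose CONNMARK is zero simply keep a zero packet mark, which is the "miss" case Squid leaves untouched.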
