[squid-users] cache peer communication about HIT/MISS between squid and and non-squid peer

Omid Kosari omidkosari at yahoo.com
Tue Jul 19 11:11:37 UTC 2016


Amos Jeffries wrote:
> On 18/07/2016 8:05 p.m., Omid Kosari wrote:
>> Maybe I should describe more.
>> The port 8080 is a parent peer of Squid. It is
>> http://squid-web-proxy-cache.1019090.n4.nabble.com/Windows-Updates-a-Caching-Stub-zone-A-windows-updates-store-td4678454.html
>> 
>> squid config is 
>> 
>> acl wu dstdom_regex \.download\.windowsupdate\.com$
>> acl wu-rejects dstdom_regex stats
>> acl GET method GET
>> cache_peer 127.0.0.1 parent 8080 0 proxy-only no-tproxy no-digest no-query no-netdb-exchange name=ms1
>> cache_peer_access ms1 allow GET wu !wu-rejects
>> cache_peer_access ms1 deny all
>> never_direct allow GET wu !wu-rejects
>> never_direct deny all
>> 
>> and
>> 
>> iptables -t mangle -A OUTPUT -p tcp -m tcp -d 127.0.0.1,192.168.1.1,192.168.1.2 --sport 8080 -j DSCP --set-dscp 0x60
>> 
>> Now with this iptables rule I want to change the DSCP of packets which
>> come from the parent peer to Squid. Then Squid preserves that DSCP and
>> sends it to clients. With my description, will everything work as I want?
> 
> That is a clearer description. Thanks.
> 
> Your answer is:  No. There are kernel patches required to allow Squid to
> load the DSCP TOS marking from *incoming* packets from the peer.
> 
> Last I heard those patches were not accepted into the kernel, no longer
> being maintained and no recent Linux kernel is compatible with them. You
> might be lucky and find out otherwise, but I am doubtful.
> 
> There are two alternatives though:
> 
>  1) your above iptables rule is no different in behaviour on the
> outgoing traffic side of Squid from what "qos_flows tos parent-hit=0x60"
> should be doing.
> 
> So modulo bugs, there is no need to do anything with TOS on incoming
> because the Squid cache_peer line has the info saying that traffic was from
> a parent (versus any random connection marked with DSCP 0x60 inbound).
> Data from the parent always arrives over connections associated by Squid
> with that cache_peer config.
> 
> 
> 2) Squid can do pass-thru using Netfilter MARK flags. Each squid.conf
> directive that deals with TOS has both a 'tos' and a 'mark' variant. The
> 'mark' ones are able to pass-thru these netfilter markings the way you
> want.
> 
> However, since netfilter marks are local to the one machine and not
> transmitted externally, you need to use iptables rules to convert
> received TOS/DSCP values into local MARK values on packets arriving, and
> the reverse translation for packets leaving the machine.
> 
> IIRC there were some gotchas involved. I do remember specifically that
> the TOS needed to be converted to CONNMARK (not MARK) in mangle or
> earlier. Then the NF MARK values sync'd with CONNMARK at some stage just
> after that (sorry my memory of that particular bit is long gone). The
> sync'd NF MARK is what gets passed between Squid and the kernel.
> 
> It is a bit clumsy and annoying, but without any kernel API to receive
> the TOS/DSCP values on incoming packets it is what it is.
> 
> 
> Amos
> 

About alternative 1: simpler English please. I could not even understand
what you said.

About 2: seems painful. I hope other threads solve the problem.

Thanks



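A point worth checking before trying either alternative from the thread: the two tools in the exchange do not take the same operand. Squid's `qos_flows tos ...` values (and iptables `-j TOS --set-tos`) are the full 8-bit TOS byte, whereas iptables `-j DSCP --set-dscp` takes the 6-bit DSCP codepoint, which is the TOS byte shifted right by two with the ECN bits dropped. So a TOS value of 0x60 corresponds to DSCP 0x18 (CS3), and 0x60 is out of range as a `--set-dscp` operand. The helper below is an added example, not code from the thread or from the Squid project; the header bytes it parses are constructed inline, and the `qos_flows`/`--set-dscp` strings it emits only cover the operands discussed above.

```python
"""TOS byte <-> DSCP codepoint helper for checking Squid qos_flows and
iptables operands against each other. Added example; not from the squid-users
thread or the Squid code base."""
import struct

DSCP_MAX = 0x3F  # DSCP is a 6-bit field: valid --set-dscp operands are 0..63

# Well-known codepoints (RFC 2474 class selectors, RFC 3246 EF), for readability.
DSCP_NAMES = {
    0x00: "CS0 (best effort)", 0x08: "CS1", 0x10: "CS2", 0x18: "CS3",
    0x20: "CS4", 0x28: "CS5", 0x30: "CS6", 0x38: "CS7", 0x2E: "EF",
}


def tos_to_dscp(tos: int) -> int:
    """Upper six bits of the TOS byte are the DSCP codepoint."""
    if not 0 <= tos <= 0xFF:
        raise ValueError(f"TOS byte out of range: {tos:#x}")
    return tos >> 2


def tos_to_ecn(tos: int) -> int:
    """Lower two bits of the TOS byte are ECN."""
    return tos & 0x03


def dscp_to_tos(dscp: int, ecn: int = 0) -> int:
    """Rebuild the TOS byte from a codepoint (ECN defaults to not-ECT)."""
    validate_set_dscp(dscp)
    if not 0 <= ecn <= 3:
        raise ValueError(f"ECN out of range: {ecn}")
    return (dscp << 2) | ecn


def validate_set_dscp(value: int) -> int:
    """Reject operands iptables' DSCP target would refuse (value > 0x3f)."""
    if not 0 <= value <= DSCP_MAX:
        raise ValueError(f"--set-dscp operand out of range: {value:#x} (max {DSCP_MAX:#x})")
    return value


def parse_ipv4_tos(header: bytes) -> tuple[int, int]:
    """Return (dscp, ecn) read from the second byte of an IPv4 header."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return tos_to_dscp(header[1]), tos_to_ecn(header[1])


def build_ipv4_header(tos: int) -> bytes:
    """Constructed minimal IPv4 header (no options, zero checksum) carrying `tos`."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20, 0, 0, 64, 6, 0,
                       bytes([127, 0, 0, 1]), bytes([127, 0, 0, 1]))


def qos_flows_tos_line(tos: int, role: str = "parent-hit") -> str:
    """squid.conf qos_flows directive for a TOS byte, e.g. 'qos_flows tos parent-hit=0x60'."""
    tos_to_dscp(tos)  # range check
    return f"qos_flows tos {role}={tos:#04x}"


def set_dscp_arg_for_tos(tos: int) -> str:
    """The iptables DSCP-target operand that matches a given Squid TOS value."""
    return f"--set-dscp {tos_to_dscp(tos):#04x}"


def describe(tos: int) -> str:
    dscp = tos_to_dscp(tos)
    return (f"TOS {tos:#04x} -> DSCP {dscp:#04x} ({DSCP_NAMES.get(dscp, 'unnamed')}), "
            f"ECN {tos_to_ecn(tos)}")


if __name__ == "__main__":
    print(describe(0x60))
    print(qos_flows_tos_line(0x60), "<->", set_dscp_arg_for_tos(0x60))
    try:
        validate_set_dscp(0x60)
    except ValueError as e:
        print("rejected:", e)
    print(parse_ipv4_tos(build_ipv4_header(0x60)))
```

Run stand-alone it shows that the `qos_flows tos parent-hit=0x60` directive from the thread pairs with `--set-dscp 0x18` on the iptables side, and that `--set-dscp 0x60` is refused, so a rule written with the TOS byte as its DSCP operand never marks anything.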