Re: Marking uncached packets with a netfilter mark value

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Tue, 22 Jun 2010 16:18:55 +1200

Robert Collins wrote:
> On Tue, Jun 22, 2010 at 8:52 AM, Andrew Beverley <andy_at_andybev.com> wrote:
>
>> 1. Because the marking process needs to be run as root, can this only be
>> achieved by putting the mark function within the squid process that
>> originally starts up, and stipulate that this has to be run as root?
>
> Consider a dedicated helper like the diskd helper - send it a fd using
> shm, and a mark to place, and have it make the call. This can be
> started up before squid drops privileges. Better still, to a patch to
> netfilter to allow non root capabilities here.

A very complicated replacement for something usually done with a one-line:
   iptables ... --pid P -mark N ...

>
>> 2. Is any such patch likely to be accepted?
>
> Yes, modulo code quality, testing, cleanliness etc etc - all the usual concerns.

... and convincing us that it's not possible to do the marking in
iptables where marks are supposed to be set. Squid only has the concept
of whole flows, not packets, so if you are wanting packet-level marking
mid-stream it's a bit limited in scope.

  The current practice 3.1+ with the ZPH feature is to configure TOS for
the separate flow types Squid generates (direct source, sibling source,
parent source, cache HIT) and have the firewall mark per TOS according
to its policies.

Does that match what you are trying to do?

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE9 or 3.1.4
Received on Tue Jun 22 2010 - 04:19:07 MDT
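The TOS-then-mark arrangement described in the reply above, written out as an added example; this is not code from the thread or from the Squid project. It assumes a Squid 3.1 `qos_flows` line with the TOS values `0x30`/`0x31`/`0x32`, an `http_port` of 3128, and fwmark values `0x1`-`0x3`, all of which are illustrative; the firewall side is iptables mangle rules that match the TOS Squid set on the reply and attach the mark.

```shell
#!/bin/sh
# Added example (not Squid's own code): turn the per-flow TOS values that a
# Squid 3.1 qos_flows line assigns into iptables mangle rules which set a
# netfilter mark on the matching reply packets.
#
# Assumed squid.conf fragment (Squid 3.1 syntax; values are illustrative):
#   http_port 3128
#   qos_flows local-hit=0x30 sibling-hit=0x31 parent-hit=0x32
#
# Flow type -> TOS byte -> fwmark table (constructed for this example).
FLOWS="
local-hit   0x30 0x1
sibling-hit 0x31 0x2
parent-hit  0x32 0x3
"
SQUID_PORT=3128   # replies from Squid leave with this source port

# TOS byte -> DSCP codepoint (the top 6 bits): 0x30 -> 12, 0x32 -> 12.
tos_to_dscp() {
    printf '%d\n' $(( $1 >> 2 ))
}

# Emit one mangle rule.  Style "tos" matches the TOS byte with a /0xfc mask,
# style "dscp" matches the 6-bit codepoint instead.  Both ignore the two ECN
# bits, which the kernel may set on an ECN-capable connection independently
# of the IP_TOS value Squid applied, so an exact 8-bit match could miss.
mark_rule() {
    tos=$1; mark=$2; style=${3:-tos}
    if [ "$style" = dscp ]; then
        match="-m dscp --dscp $(tos_to_dscp "$tos")"
    else
        match="-m tos --tos $tos/0xfc"
    fi
    printf 'iptables -t mangle -A OUTPUT -p tcp --sport %s %s -j MARK --set-mark %s\n' \
        "$SQUID_PORT" "$match" "$mark"
}

# Emit the whole ruleset from FLOWS.  Default is a dry run that prints the
# commands; pass "apply" as $1 to execute them (needs root and the mangle
# table), and optionally "dscp" as $2 to use the DSCP match style.
emit_rules() {
    mode=${1:-print}; style=${2:-tos}
    echo "$FLOWS" | while read -r name tos mark; do
        [ -n "$name" ] || continue
        rule=$(mark_rule "$tos" "$mark" "$style")
        if [ "$mode" = apply ]; then
            eval "$rule"
        else
            echo "# $name"
            echo "$rule"
        fi
    done
}

emit_rules
```

Run it as-is to see the three rules it would install; `emit_rules apply` installs them, and `emit_rules print dscp` shows the equivalent DSCP-match form. Note that `0x30` and `0x32` collapse to the same DSCP (12) because they differ only in the ECN bits, so if the chosen TOS values are meant to be told apart by the firewall they must differ in the upper six bits.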
