Re: [squid-users] Squid 3.1.0.6, zph, shorewall, and tc on debian 5.0 (lenny)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Thu, 09 Apr 2009 20:44:46 +1200

Jason wrote:
> Jason wrote:
>> Amos,
>>
>> Thanks for answering.
>>
>> Amos Jeffries wrote:
>>> Jason wrote:
>>>> Everyone,
>>>>
>>>> I have compiled squid 3.1.6 from source on amd64 Debian 5.0 with
>>>
>>> NP: please use the correct version numbering: 3.1.0.6.
>>> there will probably be a 3.1.6 at some point in the future and
>>> hopefully this problem will not apply to those users, best not to add
>>> confusion.
>> My mistake. This is for 3.1.0.6. My apologies to the squid community.
>>>
>>>> zph options enabled. I don't peer with any other caches, so all peering
>>>> stuff is disabled in my build. I did not compile a kernel with the zph
>>>> patches, because, as I understand, that is only necessary if I want to
>>>> preserve zph marks between caches. Plus, there is no zph patch for
>>>> the kernel version I am running.
>>>
>>> Right.
>>>
>>>>
>>>> With shorewall redirect rules, squid is operating as a transparent
>>>> intercepting proxy just fine. I do not use tproxy - this is a NAT
>>>> setup.
>>>>
>>>> I can not get the zph functions to work.
>>>>
>>>> Here are my config options:
>>>>
>>>> squid.conf
>>>> ...
>>>> qos_flows local-hit=0x30
>>>> ...
>>>>
>>>> shorewall tcstart:
>>>> #root htb
>>>> tc qdisc add dev eth1 root handle 1: htb default 1
>>>>
>>>> #default htb
>>>> tc class add dev eth1 parent 1: classid 1:1 htb rate 64kbps \
>>>> ceil 64kbps
>>>>
>>>> #squid htb
>>>> tc class add dev eth1 parent 1: classid 1:7 htb rate 1Mbit
>>>>
>>>> tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
>>>> ip protocol 0x6 0xff match ip tos 0x30 0xff flowid 1:7
>>>>
>>>> #I tried this for squid too
>>>> #tc filter add dev eth1 parent 1: protocol ip prio 1 u32 match \
>>>> #ip protocol 0x6 0xff match u32 0x880430 0xffffffff at 20 flowid 1:7
>>>>
>>>> The shorewall tcrules are all commented out right now, so it is not
>>>> applying any filtering.
>>>>
>>>> I have about one week to finish off this server for production...
>>>> Help?
>>>>
>>>>
>>>> Jason Wallace
>>>>
>>>
>>> So what are the packet traces showing you about events?
>>>
>>> Also, it's much easier for most of us to read the real firewall rules.
>>> What does "iptables -L && iptables -t nat -L" show happening?
>>>
>>> Amos
>>
>> iptables -L && iptables -t nat -L yields the following. I will try to
>> packet trace this afternoon.
> I have researched what a packet trace could mean. Do you want to see
> what wireshark says on a client computer when I try to retrieve
> something that should come from the cache?
>

I can't see the tos handling in iptables, maybe we needed -v option on
the list, or shorewall may have placed it elsewhere.

I just thought, check your config for tcp_outgoing_tos, which is likely
to replace any qos_flow specifics with the blanket TOS. I'm going to
have to fix that clash up someday.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE13
   Current Beta Squid 3.1.0.6
Received on Thu Apr 09 2009 - 07:44:51 MDT
