On Thu, 2013-03-28 at 22:52 +0000, Ed W wrote:
[...]
> Users have a choice of gateways to use the internet via (each will have
> a cost). Their choice of gateway is marked on packets from their
> machine, we then route through the appropriate gateway based on the
> connection mark (hence why I need it passed upstream through squid)
>
> Also we mark each connection with a unique per user mark so that
> iptables can account for the traffic they consume and bill them.
> Technically this could be done inside squid, but all other traffic is
> accounted in iptables and there is some hairy calculations needed to
> bill differently for different gateways, so I don't want to reproduce
> this in multiple locations
Ah, I see. In which case I can't think of any other way around it.
> Hence I think I need to implement the reverse of the current code?
Yes, you're probably right.
> Now, as for implementation, I don't have the code in front of me, but I
> think I noticed there is a single code path to open a new upstream
> connection?
I can't remember the exact details off the top of my head, but there are
various places that deal with the upstream network connection. Some
parts are only run on connection to a new website host, others are run
every time data is sent.
> At present this applies a packet mark based on tcp_outgoing_mark.
Well, there are various ways of applying a mark. tcp_outgoing_mark is
only one of them. You'd probably be better looking at the qos_flows
code, as this specifically transfers the connection mark from the server
side to the client side.
> Is the client connection information available at this point, so that I
> could mark the connection at this point based on the client connection
> mark?
Again, off the top of my head I'm not 100% sure, but I imagine it would
be possible. The key thing is that you can only retrieve the
*connection* mark from the socket, not the *packet* mark, but I don't
think that would be a problem for you.
> However, I think squid uses persistent connections to upstream?
Only if configured to do so, and even then you can still change the mark
on an existing connection.
> (I will always have another proxy as my upstream). If so then actually
> I need to reset the mark for each request?
I *think* you could just set the mark on the upstream connection for
each request.
> Where would be the correct location to put the marking code in this
> case, ie I guess where the packet is sent to the upstream socket?
I'd need to look into this in slower time.
> (I guess I need to be careful about pipelining also?)
Don't know.
As I said, the above are answers without checking the code (it's been a
couple of years since I've looked at it). I can have a look in due
course, or Amos might be able to chip in ;-)
In the meantime, you might want to look at the original patch for ideas:
http://bazaar.launchpad.net/~squid/squid/3.2/revision/10815
Andy
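Added example, not Squid code and not from the original thread: the per-request mark propagation Andy describes ("set the mark on the upstream connection for each request"), written against the plain Linux socket API. It assumes Linux with SO_MARK; the function names (get_sock_mark, set_sock_mark, propagate_mark) are hypothetical, and the client socket's mark is taken to have been set earlier by the proxy. Note that getsockopt(SO_MARK) returns the socket's own mark as set by the application, not the netfilter CONNMARK kept in conntrack; and setsockopt(SO_MARK) needs CAP_NET_ADMIN (newer kernels also accept CAP_NET_RAW), so an unprivileged run reports EPERM instead of silently leaving the upstream connection on the wrong gateway. Because the upstream socket may be persistent and reused by clients with different marks, the mark is re-applied on every request rather than once at connect time.

```c
/* Added example (not Squid code): copy a socket-level fwmark from the
 * client-side connection to the upstream connection, once per request.
 * Assumes Linux with SO_MARK. Function names are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Read the socket mark of fd (the value set with SO_MARK, not the
 * conntrack CONNMARK). Returns 0 and stores the mark, or -errno. */
int get_sock_mark(int fd, unsigned int *mark)
{
#ifdef SO_MARK
    unsigned int val = 0;
    socklen_t len = sizeof(val);
    if (getsockopt(fd, SOL_SOCKET, SO_MARK, &val, &len) < 0)
        return -errno;
    *mark = val;
    return 0;
#else
    (void)fd; (void)mark;
    return -ENOSYS;
#endif
}

/* Set the socket mark of fd. Returns 0 or -errno; unprivileged callers
 * get -EPERM because SO_MARK requires CAP_NET_ADMIN (or CAP_NET_RAW). */
int set_sock_mark(int fd, unsigned int mark)
{
#ifdef SO_MARK
    if (setsockopt(fd, SOL_SOCKET, SO_MARK, &mark, sizeof(mark)) < 0)
        return -errno;
    return 0;
#else
    (void)fd; (void)mark;
    return -ENOSYS;
#endif
}

/* Per-request step: make the (possibly persistent, reused) upstream
 * socket carry the mark of the client connection whose request is about
 * to be forwarded. Re-applied for every request, since the previous
 * request on the same upstream socket may have come from a client with
 * a different mark. Skips the syscall when the mark already matches.
 * Returns 0 on success, -errno on failure. */
int propagate_mark(int client_fd, int upstream_fd)
{
    unsigned int client_mark = 0, upstream_mark = 0;
    int rc = get_sock_mark(client_fd, &client_mark);
    if (rc) return rc;
    rc = get_sock_mark(upstream_fd, &upstream_mark);
    if (rc) return rc;
    if (upstream_mark == client_mark)
        return 0;
    return set_sock_mark(upstream_fd, client_mark);
}

/* Human-readable verdict for logging; callers must not ignore EPERM. */
const char *mark_result_str(int rc)
{
    if (rc == 0) return "ok";
    if (rc == -EPERM) return "EPERM: need CAP_NET_ADMIN to set SO_MARK";
    if (rc == -ENOSYS) return "SO_MARK not available on this platform";
    return strerror(-rc);
}

int main(void)
{
    /* In a proxy these would be the accepted client socket and the
     * connected (or reused) upstream socket; here both are unconnected,
     * which is fine because SO_MARK can be set before connect(). */
    int c = socket(AF_INET, SOCK_STREAM, 0);
    int u = socket(AF_INET, SOCK_STREAM, 0);
    if (c < 0 || u < 0) { perror("socket"); return 1; }

    int rc = set_sock_mark(c, 0x10);   /* pretend the client chose gateway 0x10 */
    printf("set client mark: %s\n", mark_result_str(rc));
    rc = propagate_mark(c, u);
    printf("propagate to upstream: %s\n", mark_result_str(rc));

    close(c);
    close(u);
    return 0;
}
```

Run it as root (or with CAP_NET_ADMIN) to see the mark actually move; unprivileged it prints the EPERM verdict, which is the failure mode a billing or gateway-selection setup must treat as fatal rather than fall through with mark 0.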
Received on Tue Apr 02 2013 - 20:14:36 MDT