Re: [squid-users] Squid NT compile
Sun 2010-06-20 at 19:03 +, winet...@gmail.com wrote:

> No wonder even with port mapping and redirection working, the transparent proxy still not working. Where can I get or request one that compiled with transparent proxy feature?

squid-dev is the best place to discuss this.

How does the redirection method you use present the original destination address to the applications?

Regards
Henrik
Marking uncached packets with a netfilter mark value
I am considering writing a patch for Squid so that it maintains a packet's netfilter mark value if not fetched from the cache. This would be similar to the QOS functionality, in that there would also be an option to set the mark on a packet that is fetched from the cache.

I have done some initial scoping, but have discovered that in order to mark a packet using setsockopt(), the process needs to be run as root.

My questions therefore are:

1. Because the marking process needs to be run as root, can this only be achieved by putting the mark function within the squid process that originally starts up, and stipulating that this has to be run as root?

2. Is any such patch likely to be accepted?

Thanks,
Andy
Re: Marking uncached packets with a netfilter mark value
On Tue, Jun 22, 2010 at 8:52 AM, Andrew Beverley a...@andybev.com wrote:

> 1. Because the marking process needs to be run as root, can this only be achieved by putting the mark function within the squid process that originally starts up, and stipulating that this has to be run as root?

Consider a dedicated helper like the diskd helper - send it a fd using shm, and a mark to place, and have it make the call. This can be started up before squid drops privileges.

Better still, do a patch to netfilter to allow non-root capabilities here.

> 2. Is any such patch likely to be accepted?

Yes, modulo code quality, testing, cleanliness etc etc - all the usual concerns.

-Rob
Re: Marking uncached packets with a netfilter mark value
Robert Collins wrote:

> On Tue, Jun 22, 2010 at 8:52 AM, Andrew Beverley a...@andybev.com wrote:
>
> > 1. Because the marking process needs to be run as root, can this only be achieved by putting the mark function within the squid process that originally starts up, and stipulating that this has to be run as root?
>
> Consider a dedicated helper like the diskd helper - send it a fd using shm, and a mark to place, and have it make the call. This can be started up before squid drops privileges.
>
> Better still, do a patch to netfilter to allow non-root capabilities here.

A very complicated replacement for something usually done with a one-line:

iptables ... --pid P -mark N ...

> > 2. Is any such patch likely to be accepted?
>
> Yes, modulo code quality, testing, cleanliness etc etc - all the usual concerns.

... and convincing us that it's not possible to do the marking in iptables where marks are supposed to be set.

Squid only has the concept of whole flows. Not packets, so if you are wanting packet-level marking mid-stream it's a bit limited in scope.

The current practice 3.1+ with the ZPH feature is to configure TOS for the separate flow types Squid generates (direct source, sibling source, parent source, cache HIT) and have the firewall mark per TOS according to its policies.

Does that match what you are trying to do?

Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.4