Robert Collins wrote:
On Tue, Jun 22, 2010 at 8:52 AM, Andrew Beverley <[email protected]> wrote:
1. Because the marking process needs to be run as root, can this only be
achieved by putting the mark function within the squid process that
originally starts up, and stipulate that this has to be run as root?
Consider a dedicated helper like the diskd helper - send it a fd using
shm, and a mark to place, and have it make the call. This can be
started up before squid drops privileges. Better still, do a patch to
netfilter to allow non-root capabilities here.
A very complicated replacement for something usually done with a one-line:
iptables ... --pid P -mark N ...
2. Is any such patch likely to be accepted?
Yes, modulo code quality, testing, cleanliness etc etc - all the usual concerns.
... and convincing us that it's not possible to do the marking in
iptables, where marks are supposed to be set. Squid only has the concept
of whole flows, not packets, so if you are wanting packet-level marking
mid-stream it's a bit limited in scope.
The current practice 3.1+ with the ZPH feature is to configure TOS for
the separate flow types Squid generates (direct source, sibling source,
parent source, cache HIT) and have the firewall mark per TOS according
to its policies.
Does that match what you are trying to do?
Amos
--
Please be using
Current Stable Squid 2.7.STABLE9 or 3.1.4
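The ZPH-style setup Amos describes (Squid stamps a TOS per flow type, the firewall marks per TOS) written out as a small script. This is an added example, not code from the thread or from the Squid project; it assumes Squid 3.1's `qos_flows` directive and the iptables `tos` match, and the TOS values and fwmark numbers are constructed for illustration. Rules are printed rather than executed so they can be reviewed before running them with root privileges.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes Squid 3.1 qos_flows and the
# iptables tos match. TOS and mark values below are constructed.

# TOS values Squid will stamp on each flow type (constructed)
LOCAL_HIT_TOS=0x30
SIBLING_HIT_TOS=0x31
PARENT_HIT_TOS=0x32

# The squid.conf line that makes Squid set the TOS per flow type
squid_qos_flows_line() {
    printf 'qos_flows local-hit=%s sibling-hit=%s parent-hit=%s\n' \
        "$LOCAL_HIT_TOS" "$SIBLING_HIT_TOS" "$PARENT_HIT_TOS"
}

# One mangle-table rule: locally generated packets carrying TOS $1 get
# fwmark $2. Printed, not executed, so the policy can be reviewed first.
tos_mark_rule() {
    printf 'iptables -t mangle -A OUTPUT -m tos --tos %s -j MARK --set-mark %s\n' \
        "$1" "$2"
}

# The firewall side of the policy: one rule per Squid flow type.
# Mark numbers (10, 11, 12) are the admin's choice and are constructed here.
firewall_mark_rules() {
    tos_mark_rule "$LOCAL_HIT_TOS" 10
    tos_mark_rule "$SIBLING_HIT_TOS" 11
    tos_mark_rule "$PARENT_HIT_TOS" 12
}

# Default is a dry run that only prints; set DRY_RUN=0 (as root) to apply.
apply_rules() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        firewall_mark_rules
    else
        firewall_mark_rules | sh
    fi
}
```

Run it as-is to see the `squid.conf` line and the three iptables rules; the marks can then be consumed by `tc` or routing policy without Squid itself ever needing root for the marking step, which is the point Amos makes against a dedicated privileged helper.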