From: Jack Bates <uo4zau@nottheoilrig.com>
To: giles@coochey.net
Cc: Steven Kath <steven@vyatta.com>, netfilter@vger.kernel.org
Subject: Re: Mark traffic on one machine, match on another machine?
Date: Thu, 29 Nov 2012 21:41:57 -0800
Message-ID: <50B84725.3080608@nottheoilrig.com>
In-Reply-To: <3a947589368a2610486404839274d7cb@imap.netsecspec.co.uk>

On 28/11/12 04:54 AM, Giles Coochey wrote:
> On 28-11-2012 05:25, Steven Kath wrote:
>>> Is there a way to mark traffic on one machine and match the
>>> mark on another machine? so I can classify traffic on the
>>> proxy server and shape it on the router?
>>
>> This question is a good example of the rationale for the
>> TOS/DSCP header on IPv4 packets. netfilter/iptables are
>> quite capable of matching and manipulating the DSCP field,
>> as are some proxy servers.
>> --
>
> +1 to above.
>
> Alternatively, you could route the packet from the proxy to a different,
> secondary IP on the router. The router could then shape all the traffic
> that arrives on the secondary IP. You can achieve the secondary IP with
> sub-interfaces, secondary IP in the same subnet, or separate VLAN
> interfaces
>
> I don't think there is any net-filter tagging, in the way that you can
> tag packets in rules while it passes internally through the proxy, that
> would be visible externally to the router.

Cool, thanks a lot for this advice Steven and Giles, our proxy server is 
Apache Traffic Server, so I started work on a simple "remap" plugin to 
set TOS/DSCP field: http://nottheoilrig.com/trafficserver/201211300/tos.cc

It should enable something like the following, in the Traffic Server 
remap.config:

   map http://gmail.com @plugin=tos.so @pparam=3
   map http://facebook.com @plugin=tos.so @pparam=7

But what about response traffic? Is there a way to copy the TOS/DSCP 
field to the response from the origin server?
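
The marking step discussed in this message, as an added example that is not part of the original post and is not the tos.cc plugin: a process sets the DSCP code point on its own socket so that a downstream router can match it. It assumes the values 3 and 7 from the remap.config lines are DSCP code points (the post does not say whether they are DSCP or raw TOS values); all function names are hypothetical.

```c
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* DSCP is the upper six bits of the IPv4 TOS byte; the low two bits are ECN. */
static int dscp_to_tos(int dscp)
{
    if (dscp < 0 || dscp > 63)
        return -1;
    return dscp << 2;
}

/* Mark every packet sent on fd with the DSCP code point. Returns 0 or -1. */
int mark_socket_dscp(int fd, int dscp)
{
    int tos = dscp_to_tos(dscp);
    if (tos < 0)
        return -1;
    return setsockopt(fd, IPPROTO_IP, IP_TOS, &tos, sizeof tos);
}

/* Read the DSCP currently set on fd, or -1 on error. */
int socket_dscp(int fd)
{
    int tos = 0;
    socklen_t len = sizeof tos;
    if (getsockopt(fd, IPPROTO_IP, IP_TOS, &tos, &len) < 0)
        return -1;
    return (tos & 0xff) >> 2;
}

/* Open a UDP socket, mark it, and report the DSCP the kernel will use. */
int demo_roundtrip(int dscp)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    if (fd < 0)
        return -1;
    int got = mark_socket_dscp(fd, dscp) == 0 ? socket_dscp(fd) : -1;
    close(fd);
    return got;
}

int main(void)
{
    /* 3 and 7 are the values from the remap.config lines, read as DSCP. */
    printf("dscp 3 -> %d, dscp 7 -> %d\n", demo_roundtrip(3), demo_roundtrip(7));
    return 0;
}
```

On the router, the netfilter dscp match (for example `-m dscp --dscp 3`) selects packets marked this way. The field is set by the sender, so a router should honour it only from hosts it trusts to mark traffic.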
