On Thu, 22 Apr 2004, Viet Hai wrote:

> If that's true, it means that the kernel receives the request (TCP packet) from
> the client, then unpacks these packets and gives them to Squid.


> So, I wonder how Squid can set an access control list on the IP address
> of source or destination WHILE it can't PROCESS IP packets.

Because it knows the source and destination, and can then decide if it
will accept doing what the client requested or not.

> Can Henrik tell me the detail that:
> 1. Does Squid process the IP packets (including TCP or UDP packets) or is this
> the kernel's job?


> 2. If processing the IP packets is the kernel's job, how can Squid do its
> ACL based on IP address, port?

It gets this information from the kernel as part of the accept() call
where the kernel gives the client connection to Squid.

> 3. If Squid can process IP packets, why do you and Squid's developers have
> Squid do bandwidth control at the Transport layer instead of the Application
> layer?

Squid can not process IP packets. Squid can process HTTP messages and the
data flows within HTTP.

> 4. If processing the IP packets is the kernel's job, how does Squid tell the
> kernel to limit bandwidth? (Duane Wessels has no detailed information about
> it!!!)

Squid limits the bandwidth at the application level by limiting how fast
it forwards the requested information at the application layer.

The layers forwarded traffic goes via are:

ethernet (kernel)
IP (kernel)
TCP (kernel)
Squid (squid)
TCP (kernel)
IP (kernel)
ethernet (kernel)

By Squid limiting how fast it forwards the information it causes the
TCP window to be filled up at the TCP level, slowing down the TCP which
causes no more IP packets to be sent by the sending host.
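
The accept() hand-off described in this reply, shown at the socket API level as an added example that is not part of the original message and is not Squid's code. The function names acl_src_match and accept_and_check and the sample networks are hypothetical; the process never sees an IP packet, only the peer address the kernel fills in.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>

/* Source-address ACL: 1 if peer lies inside net/prefix_len (IPv4), else 0. */
int acl_src_match(const struct sockaddr_in *peer, const char *net, int prefix_len)
{
    struct in_addr n;
    if (prefix_len < 0 || prefix_len > 32 || inet_pton(AF_INET, net, &n) != 1)
        return 0;
    uint32_t mask = prefix_len ? htonl(0xFFFFFFFFu << (32 - prefix_len)) : 0;
    return (peer->sin_addr.s_addr & mask) == (n.s_addr & mask);
}

/* Loopback demo: listen, connect to ourselves, accept(), then apply the ACL
   to the address the kernel reports. Returns 1 allow, 0 deny, -1 on error. */
int accept_and_check(const char *acl_net, int prefix_len)
{
    struct sockaddr_in srv = {0}, peer; /* sin_port 0: kernel picks a port */
    socklen_t len = sizeof(srv);
    int verdict = -1, cfd = -1, afd = -1;
    int lfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0) return -1;
    srv.sin_family = AF_INET;
    srv.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    if (bind(lfd, (struct sockaddr *)&srv, sizeof(srv)) == 0 &&
        listen(lfd, 1) == 0 &&
        getsockname(lfd, (struct sockaddr *)&srv, &len) == 0 &&
        (cfd = socket(AF_INET, SOCK_STREAM, 0)) >= 0 &&
        connect(cfd, (struct sockaddr *)&srv, sizeof(srv)) == 0) {
        len = sizeof(peer);
        /* TCP/IP handling is already done; the kernel hands over fd + peer. */
        afd = accept(lfd, (struct sockaddr *)&peer, &len);
        if (afd >= 0)
            verdict = acl_src_match(&peer, acl_net, prefix_len);
    }
    if (afd >= 0) close(afd);
    if (cfd >= 0) close(cfd);
    close(lfd);
    return verdict;
}

int main(void)
{
    printf("src in 127.0.0.0/8: %d\n", accept_and_check("127.0.0.0", 8));
    printf("src in 10.0.0.0/8:  %d\n", accept_and_check("10.0.0.0", 8));
    return 0;
}
```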