Hi, I have a slightly peculiar requirement to track very accurate *per user* traffic for a small remote bunch of users. The internet connections these users have available will be some kind of satellite telephone with non trivial bandwidth costs and we want to attribute very exact costs back on a per user basis. (these kinds of devices have running costs circa $10-100/MB)
To do this I'm using a small custom built embedded router, and we will use some form of 802.11x or captive portal style user authentication, but I have one area I need advice on solving:

- Tracking bandwidth *through* "proxies" such as dnsmasq.

Basically there isn't an exact match between the flows between dnsmasq and the client and dnsmasq and the upstream dns resolver...

I think at least on linux a good solution would be to copy the iptables "mark" from an incoming connection and apply it to any outgoing connections (across the expensive link). I could then track bandwidth by simply tracking on the connection mark, and this would watch both direct traffic and via the "proxy"?

Squid recently added exactly this to their codebase: http://bazaar.launchpad.net/~squid/squid/3-trunk/revision/10925

Does someone have an idea on how much effort this would be to implement in dnsmasq? Simon, would you consider a feature request to add such a thing?

(Note this could be slightly useful for uses other than my scenario, for example more general captive portals tend to be vulnerable to dns tunnelling hacks - such a feature would allow dnsmasq to resolve local and cached responses, but the firewall can make decisions based on the connection mark to allow outbound queries)

Thanks for any thoughts

Ed W
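As an added illustration of the mechanism asked about above (this is example code, not dnsmasq's own implementation and not from the original post; dnsmasq itself later gained a `--conntrack` option for this): the forwarder below looks up the Linux conntrack mark of the client flow a query arrived on and sets the same value as `SO_MARK` on the socket used for the upstream query, so firewall accounting keyed on the connection mark also covers the traffic the resolver generates on the client's behalf. It assumes the kernel exposes `/proc/net/nf_conntrack` with a `mark=` field (CONFIG_NF_CONNTRACK_MARK plus the procfs interface), that the portal sets the per-user mark with a `CONNMARK` rule, and that the process has CAP_NET_ADMIN for `SO_MARK`. The conntrack lines embedded in the module are constructed sample data.

```python
"""Copy a client flow's conntrack mark onto the upstream socket of a UDP forwarder.

Hypothetical example, not dnsmasq's code. The per-user mark is assumed to be
stamped by the captive portal on each authenticated client's connections
(e.g. an iptables CONNMARK --set-mark rule in the mangle table), and byte
accounting on the expensive link is assumed to match on that mark
(e.g. -m connmark --mark N counters). The gap this closes is that upstream
queries sent by a caching resolver would otherwise carry no mark at all.
"""
import re
import socket

# Linux socket option; Python exposes it on Linux, 36 is the asm-generic value.
SO_MARK = getattr(socket, "SO_MARK", 36)

# Constructed sample of /proc/net/nf_conntrack output. The first
# src/dst/sport/dport group is the original (client -> listener) direction,
# the second is the reply direction; mark= is the connection mark.
CONNTRACK_SAMPLE = """\
ipv4     2 udp      17 28 src=10.0.0.5 dst=10.0.0.1 sport=51234 dport=53 src=10.0.0.1 dst=10.0.0.5 sport=53 dport=51234 mark=7 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.6 dst=203.0.113.10 sport=40022 dport=443 src=203.0.113.10 dst=10.0.0.6 sport=443 dport=40022 [ASSURED] mark=9 zone=0 use=2
ipv4     2 udp      17 17 src=10.0.0.7 dst=10.0.0.1 sport=60001 dport=53 src=10.0.0.1 dst=10.0.0.7 sport=53 dport=60001 mark=0 zone=0 use=2
"""

_ORIG_TUPLE = re.compile(r"src=(\S+)\s+dst=(\S+)\s+sport=(\d+)\s+dport=(\d+)")
_MARK = re.compile(r"\bmark=(\d+)")  # \b keeps this from matching secmark=


def parse_conntrack(text):
    """Yield (proto, src, sport, dst, dport, mark) per entry, original direction only."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue
        proto = fields[2]  # third column is the L4 protocol name (udp, tcp, ...)
        tup = _ORIG_TUPLE.search(line)  # first match is the original direction
        mark = _MARK.search(line)
        if not tup or not mark:
            continue  # unparseable entry or kernel built without mark support
        src, dst, sport, dport = tup.groups()
        yield proto, src, int(sport), dst, int(dport), int(mark.group(1))


def lookup_mark(text, proto, client, listener):
    """Return the mark of the client->listener flow, or None if conntrack has no entry."""
    csrc, csport = client
    ldst, ldport = listener
    for p, src, sport, dst, dport, mark in parse_conntrack(text):
        if (p, src, sport, dst, dport) == (proto, csrc, csport, ldst, ldport):
            return mark
    return None


def upstream_socket(mark):
    """Open the UDP socket for the upstream query, tagged with the client's mark.

    Setting SO_MARK requires CAP_NET_ADMIN. A mark of 0 or None is 'unmarked';
    the socket is left at the default so the firewall treats it as unattributed.
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    if mark:
        s.setsockopt(socket.SOL_SOCKET, SO_MARK, mark)
    return s


def forward_query(query, client, listener, upstream, conntrack_text=None, timeout=3.0):
    """Relay one query upstream on a socket carrying the client's connection mark."""
    if conntrack_text is None:
        with open("/proc/net/nf_conntrack") as f:  # real lookup; needs root
            conntrack_text = f.read()
    mark = lookup_mark(conntrack_text, "udp", client, listener)
    s = upstream_socket(mark)
    try:
        s.settimeout(timeout)
        s.sendto(query, upstream)
        reply, _ = s.recvfrom(4096)
    finally:
        s.close()
    return reply


def serve(listener=("10.0.0.1", 53), upstream=("203.0.113.53", 53)):
    """Minimal forwarding loop: every reply goes back on the client's own flow."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(listener)
    while True:
        query, client = srv.recvfrom(4096)
        try:
            srv.sendto(forward_query(query, client, listener, upstream), client)
        except (socket.timeout, OSError):
            pass  # upstream unreachable or SO_MARK refused; drop, client retries


if __name__ == "__main__":
    serve()  # addresses above are placeholders; run as root on the router
```

The lookup is deliberately keyed on the original-direction 5-tuple, because the conntrack entry is created by the client's first packet and its mark is what the portal's CONNMARK rule set; the reply direction is only there to let the firewall match return traffic. Re-reading `/proc/net/nf_conntrack` per query is fine for a handful of users but scales poorly; a production implementation would query a single entry over the conntrack netlink interface instead.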