Using IDENT ACL for peer selection

From: Georgy Salnikov <sge@dont-contact.us>
Date: Fri, 22 Jun 2001 17:03:53 +0700 (NOVST)

Dear Dr. Wessels,
Dear Squid maintainers,

I sent already once a patch for Squid to implement the minimum_direct_rtt
parameter for the direct/non-direct peer selection and it seems to work
fine, at least for us.

Now I would like to propose yet another enhancement to the peer selection
algorithm. The patch to implement it is in the attachment.

The reason to do it is following.

We have several peers which are used by Squid in our site. One of them has
considerably better connectivity to the Internet, and is therefore faster. The
other peers use a slower channel but are very cheap - they cost nothing.
Therefore, we would like only authoritative users to get the fast and costly
peer, while other users are transparently switched by Squid to the slower
channels. This is easily achieved via the cache_peer_access allow/deny
clauses as long as all users on the same Unix host are allowed (or denied)
at the same time. If we wish to allow some users and deny others from the
same client host, then we need to use IDENT ACLs in the cache_peer_access
parameter.

Unfortunately, although Squid speaks the IDENT protocol and obtains the user
names for inclusion in the access_log files, and even allows restricting
them in the http_access tag, the user names are not yet accessible
while the peer selection takes place. Also, the ConnStateData structure
where the username is kept is not transferred into the ps_state structure,
and the user_ident field of the request structure is usually not yet filled.
Simply including the ConnStateData in the request also had the bad
consequence that Squid hit wild asserts within several tens of minutes, although
cbdataLock() was done. But even if it were there, we would still need a
mechanism to start the ident lookup from within peer selection, because it has
not necessarily been requested somewhere earlier.

Finally, I have taken the following approach to the problem, and it seems to
work correctly, as expected.

structs.h

Four extra members are added to ps_state. They are the ident field, the
ident lookup state, and the 'peer' and 'me' sockaddrs. Also the client port
which is required for the ident lookup is added to the request struct.

client_side.c

Firstly, the client port is saved to request->client_port while filling the
just-created new request structure. This allows starting the ident lookup later
during peer selection. Secondly, if the request->user_ident field is empty
and conn->ident contains the username, it is transferred into
request->user_ident. This allows us to spare the extra unnecessary ident lookups
which would otherwise be done by the peer selection code - for keepalive
connections, or also if for some reason the ident lookup has already been
done elsewhere.

neighbors.c

The ident value is unconditionally transferred into the checklist structure
so that, if it has been initialized, it can be taken into account by
aclCheckFast().

peer_select.c

As aclCheckFast() is incapable of starting asynchronous lookups, we have to
provide the necessary code here. It is similar to the DIRECT checking. The
necessary ps_state fields are initialized during creation. The ident lookup
callback function is defined. I hope that, if the same ident lookup has already
been started in client_side.c and not yet finished, both will be hashed to
refer to the same single lookup.

Many particularities are taken into account here to avoid starting unnecessary
ident lookups. They are:

If direct == DIRECT_YES, no peer is to be selected; therefore an ident lookup
inside peer selection is not needed.

If request->user_ident already contains a username, the ident lookup has
already been done elsewhere and there is no reason to repeat it here; this
username will be taken. Otherwise an ident lookup still might be needed.

If the client in question is not allowed by the ident_lookup_access ACLs,
we should not do an ident lookup for it at all. Otherwise an ident lookup still
might be needed.

Then all ACLs are scanned to find out whether some ident ACL is specified
anywhere at all. If yes, it might influence this particular request and the
ident lookup will be started. If no ident ACL is used in the squid.conf file,
ident cannot influence peer selection and therefore does not have to be started.

If the ident lookup has been started here and finished successfully, the
resulting username will be filled into request->user_ident in case it
could be necessary somewhere later.

This strategy really allows rejecting the majority of duplicated lookups.
If the client in question is also included in the http_access ident ACL,
which is always allowed, then there will be no duplicated lookups at all.

Of course, in no case should this approach be considered the best
cache_peer_access ident implementation. It is an attempt to get it working as
easily as possible without rewriting too deep parts of Squid. Maybe
somebody will do it better. If not, I would ask to include this code into
some future release of Squid.

The patch against squid-2.4.STABLE1 is in the attachment.

The changelog entry could look somewhat like:
IDENT ACL support for the cache_peer_access tag

Thank you for the attention,
Georgy.
_______________________________________________________________________________

Georgy Salnikov
NMR Group
Novosibirsk Institute of Organic Chemistry
Lavrentjeva, 9, 630090 Novosibirsk, Russia
Tel. +7-3832-341960 +7-3832-331456
Fax +7-3832-331456
Email sge@nmr.nioch.nsc.ru
_______________________________________________________________________________
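The lookup-avoidance order the mail describes for peer_select.c, together with the client_side.c step that reuses a username already known on the connection, as an added illustrative model. This is not Squid's code or the attached patch: the struct and function names (request_t, config_t, client_side_fill_request, peer_select_ident_decision) are assumptions chosen to mirror the mail's description, and the two config flags stand in for the ident_lookup_access verdict and the ACL scan.

```c
/* Added illustrative model of the lookup-avoidance order described in the
 * mail. Not Squid's code or the attached patch: struct and function names
 * are assumptions chosen to mirror the mail's description. */
#include <string.h>

enum direct_state { DIRECT_UNKNOWN, DIRECT_NO, DIRECT_YES };

enum ident_decision {
    IDENT_SKIP_DIRECT,        /* DIRECT_YES: no peer will be chosen */
    IDENT_REUSE_EXISTING,     /* request->user_ident already filled elsewhere */
    IDENT_SKIP_NOT_ALLOWED,   /* client denied by ident_lookup_access */
    IDENT_SKIP_NO_IDENT_ACL,  /* no ident ACL anywhere in squid.conf */
    IDENT_START_LOOKUP        /* must start the asynchronous lookup here */
};

struct request_t {
    char user_ident[64];      /* "" until some ident lookup has succeeded */
    enum direct_state direct;
};

struct config_t {
    int ident_lookup_access_allows; /* ident_lookup_access verdict for client */
    int any_ident_acl_configured;   /* ACL scan found at least one ident ACL */
};

/* client_side.c step: copy a username already known on the keepalive
 * connection into the request so peer selection need not look it up again.
 * The same store step is what the lookup callback does on success. */
void client_side_fill_request(struct request_t *req, const char *conn_ident) {
    if (req->user_ident[0] == '\0' && conn_ident && conn_ident[0] != '\0') {
        strncpy(req->user_ident, conn_ident, sizeof(req->user_ident) - 1);
        req->user_ident[sizeof(req->user_ident) - 1] = '\0';
    }
}

/* peer_select.c step: decide, in the mail's order, whether a lookup is needed. */
enum ident_decision peer_select_ident_decision(const struct request_t *req,
                                               const struct config_t *cfg) {
    if (req->direct == DIRECT_YES)
        return IDENT_SKIP_DIRECT;
    if (req->user_ident[0] != '\0')
        return IDENT_REUSE_EXISTING;
    if (!cfg->ident_lookup_access_allows)
        return IDENT_SKIP_NOT_ALLOWED;
    if (!cfg->any_ident_acl_configured)
        return IDENT_SKIP_NO_IDENT_ACL;
    return IDENT_START_LOOKUP;
}
```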

Received on Fri Jun 22 2001 - 07:57:13 MDT
