Re: external_acl helper question

From: Alex Rousskov <rousskov_at_measurement-factory.com>
Date: Wed, 22 May 2013 10:55:01 -0600

On 05/22/2013 09:48 AM, Chris Ross wrote:

> I noticed inside of forward.cc, in getOutgoingAddress, the ACL
> checking it's doing calls cf->fastCheck(). Does that mean that it
> will avoid calling "slow" acl mechanisms for some reason?

Yes, fastCheck() does not support slow ACLs. To be more precise, Squid,
depending on the version and the slow ACL type, may "call" that slow ACL
during a fast check, but that call will fail as far as ACL matching is
concerned if a slow/non-blocking lookup is required to evaluate the
match. If a slow ACL can be matched in a fast mode (e.g., due to
previous ACL results caching), the match may succeed. In other words, a
documented-as-slow ACL may work as a fast one, depending on Squid state.

There are two reasons getOutgoingAddress code is using fastCheck()
instead of nonBlockingCheck():

1. The code using fast checks is much easier to write.

2. Fast checks are faster,
   even when no slow ACLs are used in a nonBlockingCheck().

The second reason is a relatively weak one -- I do not recall any cases
where a patch offering fast-to-nonblocking conversion was rejected on
performance grounds alone. However, it should probably be rejected
without a good use case. This is especially true for getOutgoingAddress
checks because they may perform fastCheck calls multiple times.

Please note that a correct conversion is not trivial because one has to
save the current state of the caller and restore it in the non-blocking
callback, dealing with all the usual async code complications. The
getOutgoingAddress() code conversion would be especially tricky because
it calls fastCheck in a loop!

> Either way, I wanted to ask, because I can tell that I'm seeing
> connections and it's trying to choose an outgoing address, but seems
> to never choose the ones attached to the external_acl helper, and
> seems to never inquire of it.

If your external ACL can make a decision earlier (e.g., during
http_access checks), then you can use the helper annotations API to record
that external ACL decision as annotations and then use a "note" ACL to
pick the right outgoing address depending on the previously recorded
annotations. The "note" ACL is fast.

This solution is available for patched trunk-based code. Numbered
releases do not support the "note" ACL yet, and the trunk patch
acceptance got delayed due to new features being added to the project
scope during patch review on squid-dev. See the "note acl" thread.

HTH,

Alex.
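The workaround Alex describes (have the external ACL helper record its decision as an annotation during http_access, then let a fast "note" ACL drive the outgoing-address choice) looks like this as an added example; it is not code from the thread or from Squid itself. The helper below follows the external_acl_type line protocol with concurrency enabled, and the `egress` key, the client prefixes, the addresses and the squid.conf wiring in the docstring are all constructed assumptions.

```python
#!/usr/bin/env python3
"""Constructed external_acl helper that emits an annotation.

Assumed squid.conf wiring (not from the thread; requires a Squid with the
helper annotations API and the "note" ACL, i.e. patched trunk in 2013):

  external_acl_type egress_pick concurrency=10 %SRC %DST /path/to/helper.py
  acl pick_egress external egress_pick
  http_access allow pick_egress
  acl via_a note egress a
  acl via_b note egress b
  tcp_outgoing_address 192.0.2.10 via_a
  tcp_outgoing_address 192.0.2.11 via_b
"""
import sys

# Constructed policy: client source prefix -> egress label.
EGRESS_BY_CLIENT = {"10.1.": "a", "10.2.": "b"}


def decide(line):
    """Parse one helper request line and return the response line.

    With concurrency > 0 Squid sends '<channel-id> <fields...>'; the
    channel id must be echoed back so Squid can pair answer with request.
    Malformed requests get ERR rather than a guess.
    """
    fields = line.strip().split()
    if not fields:
        return "ERR"
    channel = fields[0]
    if len(fields) < 3:
        return f"{channel} ERR"
    src = fields[1]
    for prefix, label in EGRESS_BY_CLIENT.items():
        if src.startswith(prefix):
            # key=value pairs after OK are stored as annotations, which the
            # fast "note" ACL can later match without another helper lookup
            return f"{channel} OK egress={label}"
    return f"{channel} ERR"


def main():
    for line in sys.stdin:
        sys.stdout.write(decide(line) + "\n")
        sys.stdout.flush()  # Squid waits for each answer; never buffer


if __name__ == "__main__":
    main()
```

Because the annotation is set while http_access runs a slow check, the later tcp_outgoing_address evaluation in getOutgoingAddress only needs the fast "note" match, which is the point of the workaround.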
Received on Wed May 22 2013 - 16:55:18 MDT