On Wed, 4 May 2011 16:36:08 -0700 (PDT), david_at_lang.hm wrote:
> On Wed, 4 May 2011, Alex Rousskov wrote:
>
>> On 05/04/2011 12:49 PM, david_at_lang.hm wrote:
>>
<snip>
>> IMHO, you can maximize your chances of getting free help by
>> isolating
>> the problem better. For example, perhaps you can try to reproduce it
>> with different kinds of fast ACLs (the simpler the better!). This
>> will
>> help clarify whether the problem is specific to IPv6, IP, or ACLs in
>> general. Test different number of ACLs: Does the problem happen only
>> when there number of simple ACLs is huge? Make the problem easier to
>> reproduce by posting configuration files (including Polygraph
>> workloads
>> or options for some other benchmarking tool you use).
>>-
>> This is not a guarantee that somebody will jump and help you, but
>> fixing
>> a well-triaged issue is often much easier.
>
> that's why I'm speaking up. I just have not known what to test.
>
> are there other types of ACLs that I should be testing?
We can't answer that without having seen your config file and which are
in use now.
The list of all available ACL are at
http://wiki.squid-cache.org/SquidFaq/SquidAcl and
http://www.squid-cache.org/Doc/config/acl/
>
> I'll setup some tests with differnet numbers of ACLs. since I've
> already verified that the number of ACLs defined isn't the
> significant
> factor, only the number tested before one succeds (by moving the ACL
> that allows my access from the end of the file to the beginning of
> the
> file, keeping everything else the same), I'll see if the slowdown
> seems proportional to the number of rules, or if there is something
> else going on.
>
> any other types of testing I should do?
The above looks like a good benchmark *provided* all the ACLs have the
same type with consistent content counts. Mixing types makes the result
non-comparable with other tests.
If you have time (and want to), we kind of need that type of
benchmarking done for each ACL type. Prioritising by popularity: src/dst
by IP, port, domain and regex variants. Then proxy_auth, external (the
"fake" helpers can help here). Then the others; ie browser, proto,
method, header matching.
We know general fuzzy details like, for example, a port test is faster
than a domain test. One with details presented up front by the client is
also faster than one where a lookup is needed. But have no deeper info
to say if a dstdomain test is faster or slower than a src (IP) test.
Way down my TODO list is the dream of micro-benchmarking the ACLs in
their unit-tests.
Amos
Received on Thu May 05 2011 - 01:35:33 MDT
This archive was generated by hypermail 2.2.0 : Thu May 05 2011 - 12:00:02 MDT