[squid-users] Strange behavior in selection of tcp_outgoing_address

From: Alex Domoradov <alex.hha_at_gmail.com>
Date: Mon, 20 May 2013 00:37:38 +0300

Hello all, I have encountered a strange issue in the selection of
tcp_outgoing_address. I have a Linux box with CentOS-6.4 x64. It is the default
gateway for a few VLANs. Squid is installed on the router:

# squid -v
Squid Cache: Version 3.1.10
configure options: '--build=x86_64-redhat-linux-gnu'
'--host=x86_64-redhat-linux-gnu' '--target=x86_64-redhat-linux-gnu'
'--program-prefix=' '--prefix=/usr' '--exec-prefix=/usr'
'--bindir=/usr/bin' '--sbindir=/usr/sbin' '--sysconfdir=/etc'
'--datadir=/usr/share' '--includedir=/usr/include'
'--libdir=/usr/lib64' '--libexecdir=/usr/libexec'
'--sharedstatedir=/var/lib' '--mandir=/usr/share/man'
'--infodir=/usr/share/info' '--enable-internal-dns'
'--disable-strict-error-checking' '--exec_prefix=/usr'
'--libexecdir=/usr/lib64/squid' '--localstatedir=/var'
'--datadir=/usr/share/squid' '--sysconfdir=/etc/squid'
'--with-logdir=$(localstatedir)/log/squid'
'--with-pidfile=$(localstatedir)/run/squid.pid'
'--disable-dependency-tracking' '--enable-arp-acl'
'--enable-follow-x-forwarded-for'
'--enable-auth=basic,digest,ntlm,negotiate'
'--enable-basic-auth-helpers=LDAP,MSNT,NCSA,PAM,SMB,YP,getpwnam,multi-domain-NTLM,SASL,DB,POP3,squid_radius_auth'
'--enable-ntlm-auth-helpers=smb_lm,no_check,fakeauth'
'--enable-digest-auth-helpers=password,ldap,eDirectory'
'--enable-negotiate-auth-helpers=squid_kerb_auth'
'--enable-external-acl-helpers=ip_user,ldap_group,session,unix_group,wbinfo_group'
'--enable-cache-digests' '--enable-cachemgr-hostname=localhost'
'--enable-delay-pools' '--enable-epoll' '--enable-icap-client'
'--enable-ident-lookups' '--enable-linux-netfilter'
'--enable-referer-log' '--enable-removal-policies=heap,lru'
'--enable-snmp' '--enable-ssl' '--enable-storeio=aufs,diskd,ufs'
'--enable-useragent-log' '--enable-wccpv2' '--enable-esi' '--with-aio'
'--with-default-user=squid' '--with-filedescriptors=16384' '--with-dl'
'--with-openssl' '--with-pthreads'
'build_alias=x86_64-redhat-linux-gnu'
'host_alias=x86_64-redhat-linux-gnu'
'target_alias=x86_64-redhat-linux-gnu' 'CFLAGS=-O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -fpie' 'LDFLAGS=-pie'
'CXXFLAGS=-O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions
-fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic -fpie'
--with-squid=/builddir/build/BUILD/squid-3.1.10

In squid.conf I have a few departments:

acl department1 src 192.168.100.0/24
acl department2 src 192.168.101.0/24
acl department3 src 192.168.102.0/24
acl department4 src 192.168.103.0/24
acl department5 src 192.168.104.0/24

and I want each department to go to the internet via its own ISP:

tcp_outgoing_address xxx.xxx.xxx.228 department1
tcp_outgoing_address yyy.yyy.yyy.34 department2
tcp_outgoing_address zzz.zzz.zzz.2 department3
tcp_outgoing_address zzz.zzz.zzz.2 department4
tcp_outgoing_address zzz.zzz.zzz.2 department5

But with such settings I get the following behavior:
dep1 -> xxx.xxx.xxx.228 (as expected)
dep2 -> zzz.zzz.zzz.2 (not expected)
dep3/4/5 -> xxx.xxx.xxx.228 (not expected)

Could anyone point me in the right direction - how can I debug such strange
(IMHO) behavior in the selection of tcp_outgoing_address?

P.S.
If I remove the acl from tcp_outgoing_address, all works fine. For example:

tcp_outgoing_address yyy.yyy.yyy.34

then all departments go via yyy.yyy.yyy.34.
Received on Sun May 19 2013 - 21:37:45 MDT
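The following is an added example, not code from the original post or from the Squid project. It simulates the rule Squid documents for tcp_outgoing_address (the first line whose ACL list matches the client wins, and a line with no ACL matches every client) over a squid.conf fragment mirroring the one above, then compares the expected mapping with a table of observed client-to-outgoing-address pairs so that a mismatch like the one reported stands out per client. The ISP addresses are the post's xxx/yyy/zzz placeholders replaced with RFC 5737 documentation ranges, and the observed table is constructed from the three results the post lists; both are assumptions, as is the parsing of only `acl ... src` definitions (CIDR or single-host form).

```python
"""Simulate first-match tcp_outgoing_address selection and diff it against
observations.  Added example; the config and observations are constructed."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed squid.conf fragment mirroring the post; the post's xxx/yyy/zzz
# ISP addresses are replaced with documentation ranges (an assumption).
SQUID_CONF = """
acl department1 src 192.168.100.0/24
acl department2 src 192.168.101.0/24
acl department3 src 192.168.102.0/24
acl department4 src 192.168.103.0/24
acl department5 src 192.168.104.0/24
tcp_outgoing_address 198.51.100.228 department1
tcp_outgoing_address 203.0.113.34 department2
tcp_outgoing_address 192.0.2.2 department3
tcp_outgoing_address 192.0.2.2 department4
tcp_outgoing_address 192.0.2.2 department5
"""

# Constructed observation table: one sample client per department the post
# reports on, with the outgoing address the post says was actually used.
OBSERVED = {
    "192.168.100.5": "198.51.100.228",  # dep1, as expected
    "192.168.101.5": "192.0.2.2",       # dep2, not expected
    "192.168.102.5": "198.51.100.228",  # dep3, not expected
}

# One tcp_outgoing_address line: (outgoing address, [(negated, acl name), ...])
Rule = Tuple[str, List[Tuple[bool, str]]]


def parse_config(text: str) -> Tuple[Dict[str, list], List[Rule]]:
    """Collect 'acl NAME src NET...' definitions and tcp_outgoing_address
    rules in file order.  Only the src ACL type is understood here; address
    ranges (a-b) and other ACL types are out of scope for this example."""
    acls: Dict[str, list] = {}
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        if parts[0] == "acl" and len(parts) >= 4 and parts[2] == "src":
            nets = acls.setdefault(parts[1], [])
            for tok in parts[3:]:
                # strict=False lets a host address be given without /32
                nets.append(ipaddress.ip_network(tok, strict=False))
        elif parts[0] == "tcp_outgoing_address" and len(parts) >= 2:
            acl_refs = [(tok.startswith("!"), tok.lstrip("!")) for tok in parts[2:]]
            rules.append((parts[1], acl_refs))
    return acls, rules


def acl_matches(acls: Dict[str, list], name: str, client) -> bool:
    """True if the client address falls in any network of the named src ACL.
    An ACL name that was never defined matches nothing."""
    return any(client in net for net in acls.get(name, []))


def select_outgoing(acls: Dict[str, list], rules: List[Rule], client_ip: str) -> Optional[str]:
    """Return the outgoing address of the first rule whose ACL list matches.
    ACLs on one line are ANDed; a line with no ACLs matches every client;
    None means no line matched and Squid would pick the source itself."""
    client = ipaddress.ip_address(client_ip)
    for addr, acl_refs in rules:
        if all(acl_matches(acls, name, client) != negated for negated, name in acl_refs):
            return addr
    return None


def report_mismatches(conf_text: str, observed: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (client, expected, observed) for every client whose observed
    outgoing address differs from what the config should produce."""
    acls, rules = parse_config(conf_text)
    mismatches = []
    for client, seen in sorted(observed.items()):
        expected = select_outgoing(acls, rules, client)
        if expected != seen:
            mismatches.append((client, expected, seen))
    return mismatches


if __name__ == "__main__":
    for client, expected, seen in report_mismatches(SQUID_CONF, OBSERVED):
        print(f"{client}: config says {expected}, observed {seen}")
```

Feeding the observed table from the real access log (client address paired with the source address seen on the ISP side) turns this into a per-client check rather than a per-department impression. Before trusting any simulated result, run `squid -k parse` on the live configuration so that a mistyped ACL name or an earlier catch-all line is ruled out first.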
