Re: [squid-users] Intercepting with iptables: DNAT vs REDIRECT

From: Amos Jeffries <>
Date: Wed, 23 Oct 2013 19:36:57 +1300

On 23/10/2013 7:34 p.m., Amos Jeffries wrote:
> On 23/10/2013 7:22 p.m., Dan Charlesworth wrote:
>> Very edifying. Thanks so much for that Amos.
>> While the thread’s going, would you be able to elaborate at all on
>> the “trickery with multiple rules and IPs”?
> Well, normally you can't use more than 64K ports on one IP address. But
> you can set up multiple rules load balancing traffic across N Squid
> listening ports. This has a couple of useful side effects:
> 1) 64K ports multiplies up by N
> 2) Squid accept() rate limiters are also raised by a multiple of N.
> The default IIRC is up to 15 accept() every select loop. On high
> traffic load making that 15*N can be faster.
> This can be done to spread across either Squid listening ports by port
> number, or by IP address, or both. This config example shows a good
> way to do it

Actually looking at that example it uses REDIRECT. I'm going to have to
partially retract my statement about REDIRECT not being able to do it.
REDIRECT is limited to doing it only by port number. DNAT can do all
three permutations of IP/port/both.
Received on Wed Oct 23 2013 - 06:37:03 MDT
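The multiple-rule spread described above, as an added example that is not part of the original thread: a shell script that prints the nat rules for each approach, so the REDIRECT (port-only) and DNAT (IP, port, or both) variants can be compared side by side. The interface, Squid IPs and ports are constructed values, and round-robin across rules is done with the iptables "statistic" match in nth mode.

```shell
#!/bin/sh
# Added example, not from the squid-users thread. Prints the nat rules
# that spread intercepted port-80 traffic across N Squid intercept ports.
# Constructed assumptions: LAN on eth0; Squid listens with
# "http_port <port> intercept" on each port below. Only the first packet
# of a connection traverses the nat table, so the split is per connection.
LAN_IF=eth0
SQUID_IPS="192.0.2.10 192.0.2.11"   # constructed; used by DNAT only
SQUID_PORTS="3128 3129 3130"        # constructed

count() { echo $#; }

# Rule k of N takes every (N-k+1)th new connection that reaches it and
# lets the rest fall through, so the N rules share connections evenly.
# The last rule needs no match at all.
nth_match() {  # $1 = k, $2 = N
    if [ "$1" -lt "$2" ]; then
        echo "-m statistic --mode nth --every $(($2 - $1 + 1)) --packet 0"
    fi
}

# REDIRECT rewrites only the destination port and delivers the packet to
# the local host, so it can only multiply listening ports, not IPs.
redirect_rules() {
    n=$(count $SQUID_PORTS); k=0
    for port in $SQUID_PORTS; do
        k=$((k + 1)); m=$(nth_match "$k" "$n")
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80${m:+ $m}" \
             "-j REDIRECT --to-ports $port"
    done
}

# DNAT rewrites IP and/or port, so the target list is every IP:port pair
# (N = IPs x ports). Replies to a non-local target must route back
# through this NAT box for the connection to work.
dnat_rules() {
    targets=""
    for ip in $SQUID_IPS; do
        for port in $SQUID_PORTS; do targets="$targets $ip:$port"; done
    done
    n=$(count $targets); k=0
    for t in $targets; do
        k=$((k + 1)); m=$(nth_match "$k" "$n")
        echo "iptables -t nat -A PREROUTING -i $LAN_IF -p tcp --dport 80${m:+ $m}" \
             "-j DNAT --to-destination $t"
    done
}
```

Run it and pipe the output through `sh` on the gateway to apply the rules; with two IPs and three ports the DNAT variant yields six rules against REDIRECT's three.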
