Hi,Amos,
As tcp_outgoing_address support fast group ACL, can I use ACL base on
some header?
Regards
Simon
δΊ 14-3-10 19:20, Amos Jeffries ει:
> On 10/03/2014 8:56 p.m., babajaga wrote:
>> As I have a similar problem, just using this thread:
>> How to use tcp_outgoing_address for load balancing (round robin) ?
>>
>> My idea was to write an ACL-helper doing the round-robin, which would be
>> very easy; but how to detect a failed WAN-connection within ACL-helper ?)
>>
>>
>> (One local interface, 3 WAN-interfaces to different ISPs, for redundancy and
>> balanced load sharing)
>
> Simple answer is that tcp_outgoing_address is the wrong place for that.
> Use the OS routing/firewall rules instead.
>
>
> There are a few issues:
>
> 1) tcp_outgoing_address is a "fast group" ACL. Meaning it cannot use
> external ACL helpers directly, must rely on a cached result from some
> previous lookup of the helper.
>
> 2) In the recent Squid releases you can use the "random" type ACL to
> spread the outgoing connections between a lit of tcp_outgoing_address
> values.
> 2a) tcp_outgoing_address is checked for every *potential* connection.
> So load balancing using it does not work for any domains with multiple IPs.
> 2b) the OS is free to ignore tcp_outgoing_address if its rules assign
> an IP address (ie source-NAT).
> 2c) the choice of an outgoing IP address in no way limits what route
> the packets may use. The OS routing rues need to be configured
> explicitly for that. So may as well configure the load balancing there
> to begin with.
>
>
> Also the kernel already has all available information about up/down
> state of NIC. So trying to get that into Squid is a lot of extra work
> and latency on all connections for a very little benefit gain on
> uncommon occasions.
>
>
> Amos
>
Received on Tue Mar 11 2014 - 04:12:29 MDT
This archive was generated by hypermail 2.2.0 : Tue Mar 11 2014 - 12:00:04 MDT