On 26.02.13 10:31, Amos Jeffries wrote:

> Which is ALG-NAT. Client source IP on traffic entering the box, and
> Squid IP as source on traffic leaving it.

Fair point, but is there any problem with Squid being an ALG-NAT? This is basically what "intercept" mode was all about (and the full squid functionality isn't something you're ever going to find in Netfilter, so "netfilter does NAT, just use that" isn't a good answer here).

> They added it last August. It should be filtering down to general use
> around kernel 3.4 or so.

I'm going to go with "oh god please no" :)
There are uses for NAT (even in the IPv6 world), but far too many people seem to think it's a Good Thing in its own right rather than a tool to solve specific problems. Anyway, I'm going way off topic now.

> Code simplicity. An "if(flags.spoof)" test is far faster than even
> constructing a checklist and processing "allow all" in fast-ACL pathway.
> So if the ACL flexibility does not actually have a clear need the speed
> would be better.

Ok.  Well I'm a bit on the fence here too.

I can see some use for the flexibility - the situation I mentioned would require spoofing to be disabled for requests from the branch offices, but it would probably be desirable to leave spoofing on for the main office. But it wouldn't be a huge issue to disable spoofing for everyone. It would also be possible to have a separate tproxy socket for people in the main office, although that would increase the complexity of the squid config and netfilter rules, even though it reduces the complexity of the squid code.

I tend to think that since the ACL isn't constructed and tested in the default case (and therefore for most people there is no performance hit), I would err towards increased functionality rather than increased performance.


--

 - Steve Hill
   Technical Director
   Opendium Limited     http://www.opendium.com

Direct contacts:
   Instant messenger: xmpp:[email protected]
   Email:            [email protected]
   Phone:            sip:[email protected]

Sales / enquiries contacts:
   Email:            [email protected]
   Phone:            +44-844-9791439 / sip:[email protected]

Support contacts:
   Email:            [email protected]
   Phone:            +44-844-4844916 / sip:[email protected]
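The "separate socket" alternative Steve mentions, written out as an added example (it is not configuration from the thread or from the Squid project): the main office is served by a tproxy port, so Squid spoofs the client's source address, while the branch offices are steered to a plain intercept port, which already behaves as ALG-NAT (traffic leaves with Squid's own address) and so needs no new spoof flag or ACL at all. The subnets 10.1.0.0/16 (main office) and 10.2.0.0/16 (branches), the port numbers and the mark value are assumptions chosen for illustration.

```conf
# --- /etc/squid/squid.conf (excerpt) ---
# Main office: TPROXY port. Squid keeps the client's address as the
# source of the outbound connection (spoofing), so return traffic
# must route back through this box.
http_port 3129 tproxy

# Branch offices: plain intercept (REDIRECT/NAT) port. Outbound
# connections carry Squid's own address, so no spoofing and no
# dependence on the WAN return path.
http_port 3128 intercept

# --- netfilter rules, iptables-restore format (assumed subnets) ---
*mangle
:DIVERT - [0:0]
# Replies to already-established local (tproxy) sockets: mark and accept
-A PREROUTING -p tcp -m socket -j DIVERT
-A DIVERT -j MARK --set-mark 0x1
-A DIVERT -j ACCEPT
# Main office only: hand port-80 traffic to the tproxy socket
-A PREROUTING -s 10.1.0.0/16 -p tcp --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3129
COMMIT
*nat
# Branch offices only: NAT port-80 traffic to the intercept socket
-A PREROUTING -s 10.2.0.0/16 -p tcp --dport 80 -j REDIRECT --to-ports 3128
COMMIT
```

The TPROXY path additionally needs the usual policy-routing glue (`ip rule add fwmark 1 lookup 100` and `ip route add local 0.0.0.0/0 dev lo table 100`) so that marked packets are delivered to the local socket. The two `-s` matches are what do the per-site selection that the proposed ACL would otherwise do inside Squid; the trade-off, as noted above, is that the decision now lives in the netfilter rules and in two `http_port` lines instead of one.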
