Hi,Amos,
As tcp_outgoing_address support fast group ACL, can I use ACL base on
some header?
Regards
Simon
δΊ 14-3-10 19:20, Amos Jeffries ει:
On 10/03/2014 8:56 p.m., babajaga wrote:
As I have a similar problem, just using this thread:
How to use tcp_outgoing_address for load balancing (round robin) ?
My idea was to write an ACL-helper doing the round-robin, which would be
very easy; but how to detect a failed WAN-connection within ACL-helper ?)
(One local interface, 3 WAN-interfaces to different ISPs, for redundancy and
balanced load sharing)
Simple answer is that tcp_outgoing_address is the wrong place for that.
Use the OS routing/firewall rules instead.
There are a few issues:
1) tcp_outgoing_address is a "fast group" ACL. Meaning it cannot use
external ACL helpers directly, must rely on a cached result from some
previous lookup of the helper.
2) In the recent Squid releases you can use the "random" type ACL to
spread the outgoing connections between a lit of tcp_outgoing_address
values.
2a) tcp_outgoing_address is checked for every *potential* connection.
So load balancing using it does not work for any domains with multiple IPs.
2b) the OS is free to ignore tcp_outgoing_address if its rules assign
an IP address (ie source-NAT).
2c) the choice of an outgoing IP address in no way limits what route
the packets may use. The OS routing rues need to be configured
explicitly for that. So may as well configure the load balancing there
to begin with.
Also the kernel already has all available information about up/down
state of NIC. So trying to get that into Squid is a lot of extra work
and latency on all connections for a very little benefit gain on
uncommon occasions.
Amos
