[squid-users] tcp_outgoing_address issue how to deny traffic to other IPs

Alex Rousskov rousskov at measurement-factory.com
Thu Feb 22 22:05:32 UTC 2018


On 02/22/2018 11:15 AM, Patrick Chemla wrote:

> acl Percent001 random 1/5
> acl Percent002 random 1/5
> acl Percent003 random 1/5
> acl Percent004 random 1/5
> acl Percent005 random 1/5

It is trivial to google up wrong configurations. Think about it: Giving
the same "random 1/5" ACL five different names does not make sense,
regardless of what you are trying to do!

As I will show below, you need 4 different ACLs instead (plus "all"):

  acl OneFifth  random 1/5
  acl OneFourth random 1/4
  acl OneThird  random 1/3
  acl OneHalf   random 1/2

> tcp_outgoing_address XX.3X.YYY.10 Percent001
> tcp_outgoing_address XX.X3.YYY.21 Percent002
> tcp_outgoing_address XX.5X.YYY.31 Percent003
> tcp_outgoing_address XX.X9.YYY.34 Percent004
> tcp_outgoing_address XX.5X.YYY.38 Percent005

... and if none of the *random* ACLs match?

You need to make sure that one of the ACLs matches. That cannot be done
with random ACLs alone. You also need to get your probabilities right:


  tcp_outgoing_address XX.3X.YYY.10 OneFifth
  tcp_outgoing_address XX.X3.YYY.21 OneFourth
  tcp_outgoing_address XX.5X.YYY.31 OneThird
  tcp_outgoing_address XX.X9.YYY.34 OneHalf
  tcp_outgoing_address XX.5X.YYY.38 all

If the above looks strange, recall that the first matching
tcp_outgoing_address rule/line wins, and the rules are tested
individually and independently in the order they appear in squid.conf.
The rest is basic probability theory, but it may also help to think about
it in step-by-step terms:

1. Given that there are five possible addresses, how much traffic should
the first out of those five addresses receive? Obviously 1/5.

2. Now, if the first rule did not match, then there are four addresses
left. Given that there are four possible addresses, how much traffic
should the first out of those four addresses receive? Obviously 1/4.

...


> When I look at the log, or using network tcpdump analyzer, I can see
> that there is squid outgoing traffic on this IP

Yes, AFAICT, your rules did not tell Squid to use a specific secondary
IP in 33% of cases: (1-1/5)^5 = 0.33


HTH,

Alex.
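A worked check of the probability argument in the reply above, added here as an example that is not part of the mailing-list post: it computes the exact share of traffic each tcp_outgoing_address line receives under first-match-wins evaluation, for both the original five "random 1/5" rules and the corrected 1/5, 1/4, 1/3, 1/2, all chain, and generalizes that chain to any number of addresses. The address strings are the post's own placeholders, and the ACL names the renderer emits are my own choice.

```python
from fractions import Fraction
from typing import Dict, List, Optional, Tuple

# A tcp_outgoing_address line is modeled as (address, probability that its
# ACL matches): Fraction(1, 5) for "random 1/5", Fraction(1) for "all".
Rule = Tuple[str, Fraction]

# Placeholder addresses exactly as written in the post (not real IPs).
ADDRESSES = ["XX.3X.YYY.10", "XX.X3.YYY.21", "XX.5X.YYY.31",
             "XX.X9.YYY.34", "XX.5X.YYY.38"]

# The original configuration: five independent "random 1/5" ACLs.
WRONG_RULES: List[Rule] = [(a, Fraction(1, 5)) for a in ADDRESSES]


def outgoing_address_distribution(rules: List[Rule]) -> Dict[Optional[str], Fraction]:
    """Exact share each address gets when Squid tests the lines in order and
    the first match wins: rule i fires with probability p_i times the chance
    that every earlier rule missed.  Key None = no line matched at all."""
    dist: Dict[Optional[str], Fraction] = {}
    no_match_yet = Fraction(1)  # probability that all earlier rules missed
    for address, p in rules:
        dist[address] = dist.get(address, Fraction(0)) + no_match_yet * p
        no_match_yet *= 1 - p
    dist[None] = no_match_yet
    return dist


def balanced_rules(addresses: List[str]) -> List[Rule]:
    """The post's 1/5, 1/4, 1/3, 1/2, all chain generalized to N addresses:
    line i (0-based) uses "random 1/(N-i)", so the last line is "all"."""
    n = len(addresses)
    return [(addr, Fraction(1, n - i)) for i, addr in enumerate(addresses)]


def as_squid_conf(rules: List[Rule]) -> str:
    """Render the rules as squid.conf acl/tcp_outgoing_address lines."""
    acls, lines = {}, []
    for addr, p in rules:
        name = "all" if p == 1 else f"Random1of{p.denominator}"
        if name != "all":
            acls[name] = f"acl {name} random 1/{p.denominator}"
        lines.append(f"tcp_outgoing_address {addr} {name}")
    return "\n".join(list(acls.values()) + lines)


if __name__ == "__main__":
    wrong = outgoing_address_distribution(WRONG_RULES)
    print(f"original config: {float(wrong[None]):.2%} of traffic matches no line")
    print(as_squid_conf(balanced_rules(ADDRESSES)))
    for addr, share in outgoing_address_distribution(balanced_rules(ADDRESSES)).items():
        print(f"{addr}: {share}")
```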

