<div dir="ltr"><div>Hi,</div><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Update: <br>
We have been using a small code patch to add the IP_BIND_ADDRESS_NO_PORT sockopt prior to the bind system call on outbound connections from squid. This has allowed us to significantly scale concurrent sessions, with the entire ip_local_port_range available to each unique destination IP:PORT. Without the code patch, outbound connections to all destinations max out at the ephemeral port range size. </p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">What is the process to have this code patch upstreamed for future squid versions?<span class="gmail-Apple-converted-space"> </span></p></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Fri, May 20, 2022 at 9:31 PM Amos Jeffries <<a href="mailto:squid3@treenet.co.nz" target="_blank">squid3@treenet.co.nz</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 20/05/22 19:44, Praveen Ponakanti wrote:<br>
> Hi Alex,<br>
> <br>
> Thanks for going through several steps to help mitigate src port <br>
> exhaustion. We are looking to achieve 400-500% more <br>
> concurrent connections if we could :) as there is a significant buffer <br>
> on the available CPU.<br>
<br>
Then you require at least 4, maybe 5, IP addresses to handle that many <br>
concurrent connections with Squid.<br>
<br></blockquote><div><br></div><div>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">We would like to investigate going beyond the ephemeral port range for some specific destination IP:PORT addresses. For that it appears squid does not round-robin requests if we use multiple tcp_outgoing_addresses. We could use ACL’s to pick a different outbound IP based on the clients source IP, however that is not very ideal in our environment as our clients aren’t always equally split by subnet. However, if we could split by the client’s source port that might help achieve this. For example something like:</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:15px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-Apple-tab-span" style="white-space:pre">  </span><span class="gmail-Apple-converted-space">  </span>acl pool1 clientport 0-32768</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-Apple-tab-span" style="white-space:pre">  </span><span class="gmail-Apple-converted-space">  </span>acl pool2 clientport 32769-65536</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:15px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-Apple-tab-span" style="white-space:pre">  </span><span class="gmail-Apple-converted-space">  </span>tcp_outgoing_address 10.1.0.1 pool1</p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><span class="gmail-Apple-tab-span" style="white-space:pre">  </span><span class="gmail-Apple-converted-space">  </span>tcp_outgoing_address 10.1.0.2 pool2</p>
<p class="gmail-p2" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue";min-height:15px"><br></p>
<p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Squid's ACLs currently do not allow filtering by the client's source port. We could look into a separate patch to add this functionality to squid’s ACL code if that makes sense. Or is there a better way to achieve this?</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue""><br></p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Thanks</p><p class="gmail-p1" style="margin:0px;font-variant-numeric:normal;font-variant-east-asian:normal;font-stretch:normal;font-size:13px;line-height:normal;font-family:"Helvetica Neue"">Praveen</p></div><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
> The option to use multiple tcp_outgoing_addresses appears to be promising <br>
> along with some tweaks to the TCP timeouts. I guess we could use ACLs to <br>
> pick a different outbound IP based on the requesting client's prefix. We <br>
> had not considered that option as the ephemeral ports were no longer <br>
> available to other applications when squid uses most of them with a <br>
> single outbound IP configured. We are also looking to modify the code to <br>
> use the IP_BIND_ADDRESS_NO_PORT sockopt as that could help delay port <br>
> assignment with the bind() call on the outbound TCP sessions (to <br>
> hopefully allow access to the 4-tuple on the socket).<br>
<br>
Patches welcome.<br>
<br>
However, please be aware that use of the 4-tuple is often no different <br>
from the 3-tuple since the dst-port is typically identical for all <br>
outgoing traffic to a given dst-IP.<br>
<br>
<br>
Cheers<br>
Amos<br>
_______________________________________________<br>
squid-users mailing list<br>
<a href="mailto:squid-users@lists.squid-cache.org" target="_blank">squid-users@lists.squid-cache.org</a><br>
<a href="http://lists.squid-cache.org/listinfo/squid-users" rel="noreferrer" target="_blank">http://lists.squid-cache.org/listinfo/squid-users</a><br>
</blockquote></div></div>
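The bind sequence described in the update above, as an added C example (not the patch from this thread, nor Squid's code; helper names bind_source, local_port and connect_to are mine): with IP_BIND_ADDRESS_NO_PORT set, bind() reserves only the source address and the kernel assigns the source port at connect() time for the full 4-tuple, which is what lets each destination IP:PORT draw on the whole ip_local_port_range. It assumes Linux and uses a loopback listener as a stand-in destination so it runs offline.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <sys/socket.h>
#include <unistd.h>
#ifndef IP_BIND_ADDRESS_NO_PORT
#define IP_BIND_ADDRESS_NO_PORT 24 /* value from linux/in.h (Linux >= 4.2) */
#endif

/* Bind a TCP socket to src_ip with port 0. With lazy_port set, the
 * IP_BIND_ADDRESS_NO_PORT option goes on first, so bind() reserves only the
 * address and the kernel picks the source port at connect() time, when the
 * full 4-tuple is known. Returns the fd, or -1 on error. */
static int bind_source(const char *src_ip, int lazy_port) {
    int fd = socket(AF_INET, SOCK_STREAM, 0), one = 1;
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = 0 };
    if (fd < 0) return -1;
    if ((lazy_port && setsockopt(fd, IPPROTO_IP, IP_BIND_ADDRESS_NO_PORT, &one, sizeof one) < 0)
        || inet_pton(AF_INET, src_ip, &sa.sin_addr) != 1
        || bind(fd, (struct sockaddr *)&sa, sizeof sa) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Local port currently assigned to fd (host order); 0 means not chosen yet. */
static int local_port(int fd) {
    struct sockaddr_in sa;
    socklen_t len = sizeof sa;
    return getsockname(fd, (struct sockaddr *)&sa, &len) < 0 ? -1 : ntohs(sa.sin_port);
}

/* Connect fd to 127.0.0.1:port; returns 0 on success, -1 on error. */
static int connect_to(int fd, int port) {
    struct sockaddr_in sa = { .sin_family = AF_INET, .sin_port = htons((unsigned short)port) };
    inet_pton(AF_INET, "127.0.0.1", &sa.sin_addr);
    return connect(fd, (struct sockaddr *)&sa, sizeof sa);
}

int main(void) {
    int ls = bind_source("127.0.0.1", 0), lazy = bind_source("127.0.0.1", 1);
    listen(ls, 8);                        /* loopback peer so the demo runs offline */
    printf("after bind:    port=%d\n", local_port(lazy));   /* 0: not chosen yet */
    int rc = connect_to(lazy, local_port(ls));
    printf("after connect: rc=%d port=%d\n", rc, local_port(lazy));
    close(lazy); close(ls);
    return 0;
}
```

A socket bound the plain way (lazy_port = 0) already shows a non-zero port right after bind(), which is the behaviour that caps a single outgoing address at the ephemeral range regardless of destination.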