[squid-users] tcp_outgoing_address issue how to deny traffic to other IPs
Alex Rousskov
rousskov at measurement-factory.com
Thu Feb 22 22:05:32 UTC 2018
On 02/22/2018 11:15 AM, Patrick Chemla wrote:
> acl Percent001 random 1/5
> acl Percent002 random 1/5
> acl Percent003 random 1/5
> acl Percent004 random 1/5
> acl Percent005 random 1/5
It is trivial to google up wrong configurations. Think about it: Giving
the same "random 1/5" ACL five different names does not make sense,
regardless of what you are trying to do!
As I will show below, you need 4 different ACLs instead (plus "all"):
acl OneFifth random 1/5
acl OneFourth random 1/4
acl OneThird random 1/3
acl OneHalf random 1/2
> tcp_outgoing_address XX.3X.YYY.10 Percent001
> tcp_outgoing_address XX.X3.YYY.21 Percent002
> tcp_outgoing_address XX.5X.YYY.31 Percent003
> tcp_outgoing_address XX.X9.YYY.34 Percent004
> tcp_outgoing_address XX.5X.YYY.38 Percent005
... and if none of the *random* ACLs match?
You need to make sure that one of the ACLs matches. That cannot be done
with random ACLs alone. You also need to get your probabilities right:
tcp_outgoing_address XX.3X.YYY.10 OneFifth
tcp_outgoing_address XX.X3.YYY.21 OneFourth
tcp_outgoing_address XX.5X.YYY.31 OneThird
tcp_outgoing_address XX.X9.YYY.34 OneHalf
tcp_outgoing_address XX.5X.YYY.38 all
If the above looks strange, recall that the first matching
tcp_outgoing_address rule/line wins, and the rules are tested
individually and independently in the order they appear in squid.conf.
The rest is basic probability theory, but it may also help to think about
it in step-by-step terms:
1. Given that there are five possible addresses, how much traffic should
the first of those five addresses receive? Obviously 1/5.
2. Now, if the first rule did not match, then there are four addresses
left. Given that there are four possible addresses, how much traffic
should the first of those four addresses receive? Obviously 1/4.
...
> When I look at the log, or using network tcpdump analyzer, I can see
> that there is squid outgoing traffic on this IP
Yes, AFAICT, your rules did not tell Squid to use a specific secondary
IP in 33% of cases: (1-1/5)^5 = 0.33
HTH,
Alex.
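The evaluation order described above (rules tested in order, each random ACL tested independently, first match wins, no match means Squid's default outgoing address) can be checked with a small model. The following is an added example, not code from Alex's message or from the Squid project; the 10.0.0.x addresses stand in for the masked ones in the post, and the ACL names it generates (OneIn5, OneIn4, ...) are illustrative. It computes the exact share each address receives for the original "five times 1/5" chain and for the corrected 1/5, 1/4, 1/3, 1/2, all chain, and generalizes the fix to any number of addresses.

```python
"""
Model of how Squid evaluates a chain of tcp_outgoing_address rules gated by
"random" ACLs: rules are tested in squid.conf order, each random ACL fires
independently with its own probability, and the first matching rule wins.
Requests that match no rule fall through to Squid's default (primary)
outgoing address, which is the traffic the original poster saw on that IP.
"""
from fractions import Fraction
import random

# Hypothetical addresses standing in for the five masked ones in the post.
ADDRESSES = ["10.0.0.10", "10.0.0.21", "10.0.0.31", "10.0.0.34", "10.0.0.38"]


def exact_distribution(rules):
    """Return {address: share} plus a None key for 'no rule matched'.

    rules: list of (address, match_probability) in squid.conf order, where
    match_probability is a Fraction giving the chance the rule's ACL matches
    a request (Fraction(1) for 'all').  Since every random ACL is evaluated
    independently, P(rule i wins) = p_i * prod_{j<i} (1 - p_j).
    """
    dist = {}
    still_unmatched = Fraction(1)
    for address, p in rules:
        dist[address] = still_unmatched * p
        still_unmatched *= (1 - p)
    dist[None] = still_unmatched  # falls through to the default address
    return dist


def balanced_rules(addresses):
    """Rule chain giving N addresses an equal 1/N share each:
    1/N, 1/(N-1), ..., 1/2, and 'all' (probability 1) for the last one."""
    n = len(addresses)
    return [(addr, Fraction(1, n - i)) for i, addr in enumerate(addresses)]


def to_squid_conf(rules):
    """Render a rule chain as squid.conf lines (ACL names are illustrative)."""
    acls, lines = [], []
    for addr, p in rules:
        if p == 1:
            name = "all"  # Squid's built-in catch-all ACL
        else:
            name = f"OneIn{p.denominator}"
            acl = f"acl {name} random {p.numerator}/{p.denominator}"
            if acl not in acls:
                acls.append(acl)
        lines.append(f"tcp_outgoing_address {addr} {name}")
    return "\n".join(acls + lines)


def simulate(rules, requests=100_000, seed=1):
    """Monte Carlo version of the same evaluation, as a sanity check."""
    rng = random.Random(seed)
    counts = {addr: 0 for addr, _ in rules}
    counts[None] = 0
    for _ in range(requests):
        chosen = None
        for addr, p in rules:      # rules tested in order ...
            if rng.random() < p:   # ... each ACL rolled independently ...
                chosen = addr      # ... and the first match wins
                break
        counts[chosen] += 1
    return {k: v / requests for k, v in counts.items()}


if __name__ == "__main__":
    original = [(addr, Fraction(1, 5)) for addr in ADDRESSES]  # the posted config
    fixed = balanced_rules(ADDRESSES)
    for label, rules in (("original", original), ("fixed", fixed)):
        print(f"{label}:")
        for addr, share in exact_distribution(rules).items():
            print(f"  {addr or 'no rule matched (default address)':<36} {float(share):.3f}")
    print(to_squid_conf(fixed))
```

With the posted chain the shares come out as 0.200, 0.160, 0.128, 0.102, 0.082 for the five addresses and 0.328 for "no rule matched", matching Alex's (1-1/5)^5; with the balanced chain every address gets exactly 0.200 and nothing falls through.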