[squid-users] ACL with a non-contiguous mask - using multiple outgoing addresses

Scott 3m9n51s2ewut at thismonkey.com
Sun Jul 16 12:03:34 UTC 2023


Hi all,

I have four IPv4s that I use for outgoing source addresses to origin servers.
I currently have them used randomly, but this sometimes causes issues for 
certain sites that get confused if your source changes for various resources.  
For these sites I have an exception to the random IPs.

I decided to create the following acls which should match on the 2 low-order 
bits in the client addresses:

acl tm_src_v4_00 src 10.0.0.0 255.0.0.3
acl tm_src_v4_01 src 10.0.0.1 255.0.0.3
acl tm_src_v4_10 src 10.0.0.2 255.0.0.3
acl tm_src_v4_11 src 10.0.0.3 255.0.0.3

tcp_outgoing_address 10.1.22.21 tm_src_v4_00
tcp_outgoing_address 10.1.22.22 tm_src_v4_01
tcp_outgoing_address 10.1.22.23 tm_src_v4_10
tcp_outgoing_address 10.1.22.24 tm_src_v4_11

However I did not get the behaviour I was after, rather all clients use the 
same outgoing address.

Is there a way to share multiple outgoing IPs while maintaining consistency 
per-source?

Follow-up: can I do the same for IPv6 clients?

Thanks,
Scott

PS: As an aside, the following ACL generated the following warning:

acl tm_src_11 src 0.0.0.3 0.0.0.3

Configuration for squid passes.
2023/07/15 23:38:40| WARNING: (B) '0.0.0.3' is a subnetwork of (A) '0.0.0.3'
2023/07/15 23:38:40| WARNING: because of this '0.0.0.3' is ignored to keep splay tree searching predictable
2023/07/15 23:38:40| WARNING: You should probably remove '0.0.0.3' from the ACL named 'tm_src_11'

Could someone please explain what the issue is with that ACL?  Thanks.
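Added example, not part of the original post and not Squid code: a Python model of the mapping the post asks for, where the two low-order bits of the client address select one of the four outgoing addresses, with the same rule applied to IPv6 clients. The ACL names, masks and IPv4 pool are copied from the post. The IPv6 pool (documentation prefix 2001:db8::/32) and the function names are assumptions made for illustration, and the model does not reproduce Squid's own ACL parsing.

```python
import ipaddress

# Outgoing pool from the post, indexed by the client's two low-order bits.
POOL_V4 = ["10.1.22.21", "10.1.22.22", "10.1.22.23", "10.1.22.24"]
# Constructed IPv6 pool (documentation prefix), an assumption for the follow-up question.
POOL_V6 = ["2001:db8::21", "2001:db8::22", "2001:db8::23", "2001:db8::24"]

# The (base, mask) pairs the post intended, each treated as one address/mask pair.
INTENDED_ACLS = {
    "tm_src_v4_00": ("10.0.0.0", "255.0.0.3"),
    "tm_src_v4_01": ("10.0.0.1", "255.0.0.3"),
    "tm_src_v4_10": ("10.0.0.2", "255.0.0.3"),
    "tm_src_v4_11": ("10.0.0.3", "255.0.0.3"),
}


def mask_match(client, base, mask):
    """True when client and base agree on every bit set in mask.

    The mask may be non-contiguous, e.g. 255.0.0.3 checks the first
    octet and the two lowest bits and ignores everything in between.
    """
    c = int(ipaddress.ip_address(client))
    b = int(ipaddress.ip_address(base))
    m = int(ipaddress.ip_address(mask))
    return (c & m) == (b & m)


def intended_acl(client):
    """Names of the intended ACLs that a client address would satisfy."""
    return [name for name, (base, mask) in INTENDED_ACLS.items()
            if mask_match(client, base, mask)]


def outgoing_for(client, pool=POOL_V4):
    """Pick a stable pool entry from the low-order bits of the client address."""
    size = len(pool)
    if size == 0 or size & (size - 1):
        raise ValueError("pool size must be a power of two")
    return pool[int(ipaddress.ip_address(client)) & (size - 1)]


if __name__ == "__main__":
    # Constructed client addresses, chosen to cover all four low-bit values.
    for client in ("10.20.30.40", "10.20.30.41", "10.9.8.6", "10.5.6.7"):
        print(client, intended_acl(client), outgoing_for(client))
    print("2001:db8::e", outgoing_for("2001:db8::e", POOL_V6))
```

Each client address always maps to the same outgoing address, which is the per-source consistency the post is after, while different clients spread across the pool.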

