On Tuesday 25 May 2010 at 21:31 -0300, Felipe W Damasio wrote:
> Hi,
>
> I'm using squid on an ISP as a webcache.
>
> We have a very high load cache (6000 users with 300Mbps of web
> access), and to solve the squid slowdown, the solution is to use
> multiple http_port, using around 48 squid instances to serve the
> users.
>
> It works fine when I put the machine (which is in bridge mode)
> between the users and the final router (which does the NAT from
> reserved IP addresses to the real IPs). I separated the rules like
> this:
>
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 192.168.1.0/24 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
> iptables -t mangle -A PREROUTING -i eth0 -p tcp -s 192.168.2.0/24 --dport 80 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
> ...
>
> Everything works fine when we use this scenario.
>
> But now it was decided (and I can't reverse the decision) that the
> webcache machine was to be located between the final router and the
> internet.... in this case, the cache machine is now only seeing a few
> IP addresses.... so I can't do this "-s <network or ip>" trick.
>
> So I'd like to know if I can cycle through all these rules based on
> the number of connections.
>
> Something like "Forward the first 100 connections to port 3127, the
> next 100 to 3128.... at the end, forward the next 100 to port 3127
> again", and so on.
>
> Is it possible?
>
> If it isn't currently, can this functionality be added? How can I help?

So all connections are coming from the NAT device, with a single IP, and ports from, say, 30000 to 60000 (check your NAT device).

You could add a test on source port instead, using the existing multiport match?

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -m multiport --source-ports 30000:31000 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3127
iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -m multiport --source-ports 31000:32000 -j TPROXY --tproxy-mark 0x1/0x1 --on-port 3128
...

Exact port ranges should be computed with (60000-30000/number of squid instances).

I bet a better scheme would be to hash (saddr, daddr, sport, dport) and be able to do this with one single rule:

iptables -t mangle -A PREROUTING -i eth0 -p tcp --dport 80 -m multiport --source-ports 30000:31000 -j TPROXY --tproxy-mark 0x1/0x1 --on-ports 3127:3174

But it would need extending the TPROXY module.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
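The source-port scheme sketched in the reply above, as an added worked example that is not part of the thread: a POSIX sh script that splits the NAT box's source-port range evenly across N squid instances, checks that the resulting ranges tile the span with no gap and no overlap (the two example rules above share port 31000; the first match wins, so it is harmless, but a computed split should be disjoint), and prints one TPROXY rule per instance. The values are the thread's assumptions (source ports 30000-60000, which must be verified against the actual NAT device; 48 instances on --on-port 3127 through 3174; traffic arriving on eth0). Nothing is applied, the rules are only printed, and the usual TPROXY companion setup (the `-m socket` divert chain and fwmark `ip rule`) is out of scope here.

```shell
#!/bin/sh
# Added example (not from the thread): split the NAT box's source-port range
# evenly across N squid instances and print the matching TPROXY rules.
# Assumptions (from the thread, verify against your own NAT device):
#   source ports 30000-60000, 48 squid instances on --on-port 3127..3174,
#   traffic arriving on eth0. Nothing here is applied; rules are only printed.
# TPROXY also needs the usual "-m socket -j DIVERT" / fwmark ip rule setup,
# which is not covered by this script.

# split_range LOW HIGH N
# Prints one "index low:high" line per instance. Ranges are disjoint and
# adjacent; when the span does not divide evenly, the first (span % N)
# instances get one extra port so every port in LOW..HIGH is covered.
split_range() {
    low=$1; high=$2; n=$3
    span=$(( high - low + 1 ))
    per=$(( span / n ))
    rem=$(( span % n ))
    i=0
    start=$low
    while [ "$i" -lt "$n" ]; do
        size=$per
        if [ "$i" -lt "$rem" ]; then size=$(( per + 1 )); fi
        end=$(( start + size - 1 ))
        echo "$i $start:$end"
        start=$(( end + 1 ))
        i=$(( i + 1 ))
    done
}

# ranges_cover LOW HIGH N
# Sanity check: returns 0 only if the computed ranges tile LOW..HIGH with
# no gap and no overlap (an overlap sends the shared port to the first
# matching rule only; a gap would leave that traffic unproxied).
ranges_cover() {
    low=$1; high=$2; n=$3
    split_range "$low" "$high" "$n" | {
        expect=$low
        while read -r idx range; do
            s=${range%%:*}; e=${range##*:}
            if [ "$s" -ne "$expect" ]; then
                echo "gap or overlap at $s (expected $expect)" >&2
                exit 1
            fi
            expect=$(( e + 1 ))
        done
        if [ "$expect" -ne $(( high + 1 )) ]; then
            echo "ranges end at $(( expect - 1 )), not $high" >&2
            exit 1
        fi
        exit 0
    }
}

# tproxy_rules IFACE LOW HIGH N BASEPORT
# Prints one iptables TPROXY rule per instance, instance i listening on
# BASEPORT+i, using a single multiport source-port range per rule.
tproxy_rules() {
    iface=$1; low=$2; high=$3; n=$4; base=$5
    split_range "$low" "$high" "$n" | while read -r idx range; do
        echo "iptables -t mangle -A PREROUTING -i $iface -p tcp --dport 80" \
             "-m multiport --source-ports $range" \
             "-j TPROXY --tproxy-mark 0x1/0x1 --on-port $(( base + idx ))"
    done
}

# Usage: check the split, then emit the 48 rules for the thread's setup.
ranges_cover 30000 60000 48 && tproxy_rules eth0 30000 60000 48 3127
```

With 30001 ports and 48 instances the split is 625 ports each with one left over, so the first instance gets 30000:30625 and the last gets 59376:60000. Two caveats a practitioner would want: the balance is only as even as the NAT device's port allocation (a NAT that hands out ports sequentially will load one squid at a time), which is exactly why the hash-based scheme proposed in the reply would be better; and the `--on-ports` range option in that proposal does not exist in the TPROXY target, as the reply itself notes.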