On Wed, 4 May 2011 16:36:08 -0700 (PDT), david@xxxxxxx wrote:
On Wed, 4 May 2011, Alex Rousskov wrote:
On 05/04/2011 12:49 PM, david@xxxxxxx wrote:
<snip>
IMHO, you can maximize your chances of getting free help by isolating
the problem better. For example, perhaps you can try to reproduce it
with different kinds of fast ACLs (the simpler the better!). This will
help clarify whether the problem is specific to IPv6, IP, or ACLs in
general. Test different numbers of ACLs: Does the problem happen only
when the number of simple ACLs is huge? Make the problem easier to
reproduce by posting configuration files (including Polygraph workloads
or options for some other benchmarking tool you use).

This is not a guarantee that somebody will jump and help you, but fixing
a well-triaged issue is often much easier.
that's why I'm speaking up. I just have not known what to test.
are there other types of ACLs that I should be testing?
We can't answer that without having seen your config file and which are
in use now.
The list of all available ACLs is at
http://wiki.squid-cache.org/SquidFaq/SquidAcl and
http://www.squid-cache.org/Doc/config/acl/
I'll set up some tests with different numbers of ACLs. since I've
already verified that the number of ACLs defined isn't the significant
factor, only the number tested before one succeeds (by moving the ACL
that allows my access from the end of the file to the beginning of the
file, keeping everything else the same), I'll see if the slowdown
seems proportional to the number of rules, or if there is something
else going on.
any other types of testing I should do?
The above looks like a good benchmark *provided* all the ACLs have the
same type with consistent content counts. Mixing types makes the result
non-comparable with other tests.
If you have time (and want to), we kind of need that type of
benchmarking done for each ACL type. Prioritising by popularity: src/dst
by IP, port, domain and regex variants. Then proxy_auth, external (the
"fake" helpers can help here). Then the others; i.e. browser, proto,
method, header matching.
We know general fuzzy details like, for example, a port test is faster
than a domain test. One with details presented up front by the client is
also faster than one where a lookup is needed. But have no deeper info
to say if a dstdomain test is faster or slower than a src (IP) test.
Way down my TODO list is the dream of micro-benchmarking the ACLs in
their unit-tests.
Amos
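
An added example, not part of the original thread and not Squid project code: a generator for the benchmark configurations discussed above, where only the number of ACLs tested before the allowing rule changes and every filler ACL is of type src with the same number of entries. The ACL names, port 3128, the 10.0.0.0/8 filler range and the 192.0.2.0/24 client network are assumptions.

```python
import ipaddress

FILLER_BASE = int(ipaddress.IPv4Address("10.0.0.0"))  # assumed filler range


def build_config(n_before, entries_per_acl=4, client_net="192.0.2.0/24"):
    """Return squid.conf text in which n_before non-matching src ACLs are
    tested ahead of the rule that allows the benchmark client."""
    if n_before * entries_per_acl > 65536:
        raise ValueError("filler networks would leave 10.0.0.0/8")
    lines = ["http_port 3128"]
    for i in range(n_before):
        # Same type (src) and same entry count for every filler ACL, so
        # runs with different n_before stay comparable.
        nets = []
        for j in range(entries_per_acl):
            k = i * entries_per_acl + j
            nets.append(str(ipaddress.IPv4Network((FILLER_BASE + (k << 8), 24))))
        lines.append(f"acl filler{i} src " + " ".join(nets))
    lines.append(f"acl bench_client src {client_net}")
    # http_access lines are checked top-down and the first match decides,
    # so the client is tested against every filler rule first.
    for i in range(n_before):
        lines.append(f"http_access deny filler{i}")
    lines.append("http_access allow bench_client")
    lines.append("http_access deny all")
    return "\n".join(lines) + "\n"


def rules_before_allow(config_text):
    """Count http_access lines evaluated before the first allow rule."""
    count = 0
    for line in config_text.splitlines():
        if line.startswith("http_access allow"):
            return count
        if line.startswith("http_access"):
            count += 1
    raise ValueError("no allow rule found")


if __name__ == "__main__":
    # One config per step; plot benchmark latency against the step size.
    for n in (0, 10, 100, 1000):
        cfg = build_config(n)
        print(n, rules_before_allow(cfg), len(cfg.splitlines()))
```
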