On 09/09/2013 04:45 AM, Nikolai Gorchilov wrote:
> Seems the issue is not TPROXY related, but kicks in always when a
> socket bind is requested to an IP (local or foreign, doesn't matter)
> without specifying a port number. In this scenario the broken logic of
> the kernel is to take the difference between max and min of
> /proc/sys/net/ipv4/ip_local_port_range and use it as a cap of the
> number of automatically assigned ports. The counter of assigned ports
> is global, not per IP, this is what creates the issue.

Hi Niki,

We have seen similar problems with high-performance Web Polygraph tests and added an option for Polygraph clients to explicitly manage client port assignment instead of relying on the kernel's ephemeral port algorithm. Polygraph code also detects runtime collisions with other programs and moves conflicting ports into a "do not use unless absolutely necessary" pile. The combination of the two approaches solves the problem, provided you have enough IP addresses to accommodate all concurrent outgoing TCP connections (in all relevant TCP states) for your request rates.

You can add a similar feature to Squid. If your SMP workers share outgoing IP addresses, then specifying non-overlapping worker-specific port ranges should work without the need for synchronization among workers.

HTH,

Alex.
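The scheme Alex sketches (explicit client-side port assignment from a per-worker, non-overlapping slice of the port range, with colliding ports parked in a "last resort" set) as an added example in C. This is not Squid or Polygraph code and is not from the thread; it assumes a 32768-60999 local port range, four workers, and uses a constructed fake_bind() with a fixed list of "already taken" ports to stand in for the kernel so the allocator's behaviour can be exercised offline. bind_local() does a real bind() and is what a worker would pass instead.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed local port range (the shape of /proc/sys/net/ipv4/ip_local_port_range). */
#define PORT_MIN 32768
#define PORT_MAX 60999

struct port_pool {
    unsigned short lo, hi;          /* inclusive sub-range owned by this worker */
    unsigned short next;            /* next port to try */
    unsigned char avoid[65536 / 8]; /* bitmap of ports that collided with another program */
};

/* Split [min,max] into nworkers non-overlapping slices and give worker w the w-th one.
 * The last worker absorbs the remainder. Returns -1 on bad arguments. */
int port_pool_init(struct port_pool *p, unsigned short min, unsigned short max,
                   int worker, int nworkers)
{
    if (min > max || nworkers <= 0 || worker < 0 || worker >= nworkers)
        return -1;
    unsigned int span = (unsigned int)max - min + 1;
    unsigned int per = span / (unsigned int)nworkers;
    if (per == 0)
        return -1;
    p->lo = (unsigned short)(min + (unsigned int)worker * per);
    p->hi = (worker == nworkers - 1) ? max : (unsigned short)(p->lo + per - 1);
    p->next = p->lo;
    memset(p->avoid, 0, sizeof p->avoid);
    return 0;
}

int avoided(const struct port_pool *p, unsigned short port)
{
    return (p->avoid[port / 8] >> (port % 8)) & 1u;
}

static void mark_avoid(struct port_pool *p, unsigned short port)
{
    p->avoid[port / 8] |= (unsigned char)(1u << (port % 8));
}

/* Bind callback: 0 on success, -1 with errno set otherwise. */
typedef int (*bind_fn)(int fd, const char *ip, unsigned short port);

/* Real binder: bind fd to an explicit ip:port instead of letting the kernel pick. */
int bind_local(int fd, const char *ip, unsigned short port)
{
    struct sockaddr_in sa;
    memset(&sa, 0, sizeof sa);
    sa.sin_family = AF_INET;
    sa.sin_port = htons(port);
    if (inet_pton(AF_INET, ip, &sa.sin_addr) != 1) {
        errno = EINVAL;
        return -1;
    }
    return bind(fd, (struct sockaddr *)&sa, sizeof sa);
}

/* Constructed stand-in for the kernel: ports some other program already holds. */
static const unsigned short busy_ports[] = { 32768, 32769, 32772 };

int fake_bind(int fd, const char *ip, unsigned short port)
{
    (void)fd; (void)ip;
    for (size_t i = 0; i < sizeof busy_ports / sizeof busy_ports[0]; i++)
        if (busy_ports[i] == port) { errno = EADDRINUSE; return -1; }
    return 0;
}

/* Hand out the next port from this worker's slice and bind fd to ip:port.
 * Pass 0 skips ports that collided earlier; pass 1 retries them as a last resort.
 * A collision (EADDRINUSE) parks the port in the avoid set; any other error
 * (EADDRNOTAVAIL, EACCES, ...) is not a port problem and aborts the attempt.
 * Returns the bound port, or 0 if nothing in the slice could be bound. */
unsigned short bind_from_pool(struct port_pool *p, int fd, const char *ip, bind_fn do_bind)
{
    unsigned int span = (unsigned int)p->hi - p->lo + 1;
    for (int pass = 0; pass < 2; pass++) {
        for (unsigned int i = 0; i < span; i++) {
            unsigned short port = p->next;
            p->next = (p->next == p->hi) ? p->lo : (unsigned short)(p->next + 1);
            if (pass == 0 && avoided(p, port))
                continue;
            if (do_bind(fd, ip, port) == 0)
                return port;
            if (errno != EADDRINUSE)
                return 0;
            mark_avoid(p, port);
        }
    }
    return 0;
}

int main(void)
{
    struct port_pool pool;
    if (port_pool_init(&pool, PORT_MIN, PORT_MAX, 0, 4) != 0)
        return 1;
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0) { perror("socket"); return 1; }
    unsigned short port = bind_from_pool(&pool, fd, "127.0.0.1", bind_local);
    printf("worker 0 owns %u-%u, bound 127.0.0.1:%u\n", pool.lo, pool.hi, port);
    close(fd);
    return port ? 0 : 1;
}
```

Because each worker only ever hands out ports from its own slice, no cross-worker locking is needed; the avoid bitmap only tracks collisions with processes outside the pool, which is exactly the case the kernel's global counter gets wrong. The per-IP capacity is still the slice size, so the number of source IPs must cover peak concurrent connections (including TIME_WAIT) as the mail says.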