Re: tcp splicing with transparent proxy...

From: Sameh M. Shaker
Date: Tue, 06 May 2008 09:58:54 +0400

Hello Willy,

Willy Tarreau wrote:
Hello Sameh,

On Sun, May 04, 2008 at 03:02:41PM +0400, Sameh M. Shaker wrote:
Hello there everyone,
I've successfully tried to use CTTProxy + HAProxy, and it worked like 
magic; we mainly used it to present the client IPs to the servers in the 
backend ...

BTW, did you test the old CTTProxy or the new one (tproxy4)?

I've only tried the old CTTProxy, since it was the only version which had patches for 2.6.18 kernel which is the kernel version available with XEN...

Also I've tried out TCP-Splicing + HAProxy, and it was a great success, 
but it won't present the client IPs to the backend servers (correct me 
if I'm wrong)...

No, you're perfectly right. However, you should be *very* careful, as
tcp-splicing is still experimental. I managed to get it to abusively
reuse some sessions in the past, but I agree that it is blazingly fast!

I've tried to try them both together, TCP-Splicing + CTTProxy, but it 
didn't work out... But to be honest, I didn't spend much time debugging 
the issue...

What am I missing? Some iptables trick? Maybe they don't work nicely 
together?

To be honest, I don't know, I've never tried to use both at the same
time. I'm not sure whether it can work, because from what I remember of
Alex's explanations, the tcp-splicing code works at the packet level,
and is very close to the network interfaces (reason why it's so fast),
but it may be bypassing any netfilter, nat, ... in between. We said
with Alex that we should work on a different model, copying data between
socket buffers, but while I have very little time, I believe he has even

There is another feature that may be of interest to you. Recent Linux
kernels, as well as some NICs such as Myricom 10GE, support a feature
called "Large Receive Offload (LRO)" which consists in aggregating
consecutive TCP segments and forwarding a huge packet to the system. At
first glance, it would not be much expected to boost the application
that much, but in fact it does because then haproxy gets woken up with
a single large 16 kB buffer (or more depending on your build options),
which can be read at once. The gain is comparable to using jumbo frames,
which is not bad at all!

Sounds nice, will certainly try that out and feed you back with our results...
Thank you very much for your time and for the info...

Received on 2008/05/06 07:58
