2.2. Secondary sessions

Certain proxies support the use of secondary sessions, i.e. several sessions using the same proxy instance (the same thread), effectively reusing proxy instances. As new sessions enter the proxy via a fastpath, using secondary sessions can significantly decrease the load on the firewall.

When a new connection is accepted, Zorp looks for the appropriate proxy instance which is willing to accept secondary sessions. If there is none, a new proxy instance is started. An already running proxy instance is appropriate if it is willing to accept secondary channels and the criteria about secondary sessions are met. (The criteria can be specified in the configuration of the proxy class.)

The criteria are set via the secondary_mask attribute, while the number of secondary sessions allowed within the same instance is controlled by the secondary_sessions attribute. The secondary_mask attribute is an integer specifying which properties of an established session are considered to be important. If all important properties match, the connection can be handled as a secondary session by a proxy instance accepting secondary sessions, provided the new session does not exceed the limit set in secondary_sessions. The secondary_mask attribute is actually a bitfield interpreted as follows:

	bit 0 means source address;
	bit 1 means source port;
	bit 2 means destination address;
	bit 3 means destination port.

Currently the Plug, RADIUS, and Sip proxies support the use of secondary sessions.

Example 2.5. Example PlugProxy allowing secondary sessions

This example allows 100 parallel sessions in one proxy thread if the IP address and port of the targets are the same (0xC sets bits 2 and 3 of secondary_mask: destination address and destination port).

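from Zorp.Plug import PlugProxy

class MyPlugProxy(PlugProxy):
	def config(self):
		PlugProxy.config(self)
		# 0xC = binary 1100: bit 2 (destination address) and bit 3 (destination port)
		self.secondary_mask = 0xC
		# at most 100 sessions share one proxy instance
		self.secondary_sessions = 100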
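
The following is an added example, not code from Zorp or its documentation: a small Python model of the matching rule described above, showing how a given secondary_mask groups connections into proxy instances. The names Conn, important_fields, matches and assign are hypothetical, the sample connections are constructed, and the limit is assumed to count all sessions in an instance, as in Example 2.5.

```python
from collections import namedtuple

# Bit positions of secondary_mask as listed in the text above.
MASK_BITS = {0: "src_addr", 1: "src_port", 2: "dst_addr", 3: "dst_port"}

Conn = namedtuple("Conn", "src_addr src_port dst_addr dst_port")


def important_fields(secondary_mask):
    """Return the session properties that the mask marks as important."""
    return [name for bit, name in MASK_BITS.items() if secondary_mask & (1 << bit)]


def matches(secondary_mask, established, new):
    """True if every important property of the two sessions is equal."""
    return all(getattr(established, f) == getattr(new, f)
               for f in important_fields(secondary_mask))


def assign(connections, secondary_mask, secondary_sessions):
    """Model of the dispatch rule: reuse a matching instance that still has
    room, otherwise start a new one. Returns one session list per instance.
    Assumption: the limit counts all sessions in an instance."""
    instances = []
    for conn in connections:
        for sessions in instances:
            if (len(sessions) < secondary_sessions
                    and matches(secondary_mask, sessions[0], conn)):
                sessions.append(conn)
                break
        else:
            instances.append([conn])  # no suitable instance: start a new one
    return instances


# Constructed sample traffic (documentation address ranges).
SAMPLE = [
    Conn("192.0.2.10", 40001, "198.51.100.5", 514),
    Conn("192.0.2.11", 40002, "198.51.100.5", 514),
    Conn("192.0.2.10", 40003, "198.51.100.5", 515),
    Conn("192.0.2.12", 40004, "198.51.100.5", 514),
]

if __name__ == "__main__":
    for mask in (0xC, 0xD, 0x0):
        groups = assign(SAMPLE, mask, 100)
        print(hex(mask), important_fields(mask), [len(g) for g in groups])
```

With the sample traffic, 0xC yields two instances, 0xD four and 0x0 one. In this model a mask with no bits set lets any connection share an instance, so the mask should name every property that is meant to keep sessions apart.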