Re: Re[2]: squid ACL marking patch

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Tue, 28 May 2002 23:32:59 +0200

On Tuesday 28 May 2002 22:08, Alex Petrov wrote:

> I've been using it for 2-3 years and it completely fulfills my tasks.
> I do not need to check some URLs/dst IPs by reverse resolving them
> during parsing, and I apply this patch for different solutions, but in
> any of them it fully solves all tasks. Just marking without an ACL is
> very rarely needed in my tasks. If squid once does this task while
> passing the acl, why can't it mark some requests for me :)
> I can simply cultivate access.log in C after such marking; all
> necessary info is saved in access.log.
> My ACLs change too rapidly and it is too hard to take care of a 5000
> IP acl and the reached destinations.

I don't disagree on the value of the function your patch does, only
the details of how it is achieved.

> 1:http_access allow lv+mark:L lvusers # mark the line if it belongs to Latvian
> 1:http_access allow lvusers lv+mark:L # fail on lvusers and didn't pass thru

What about simply using

http_access allow +L lvusers

> 2:http_access allow inetusers # all full inet access
> 3:http_access deny all+mark:U # mark all unknown

http_access deny all +U

> What about user authorization together with Ident? Same field also...

Correct. Authentication is given a higher priority than ident in such a
case, as the authenticated user id is more reliable than ident.

> HN> In fact the major use of this field is for proxy
> HN> authentication.. and # may be valid in user names..

> huh :)

Not to mention that ident servers may return # in the user name, even
if not strictly allowed by the RFC..

> P.s. By the way about some features:
> - ACLs in squid are slow; what do you think about putting them in a
> hash? Why is just http auth put in a hash?

All sortable acl types use splay trees to speed up matches; this
includes proxy_auth, ident, dstdomain, dst, src, srcdomain and
possibly more.

Acl types that cannot be sorted are matched linearly.

None of the acl types are hashed.

> Why not IPs/domains? This should speed up compares.

dst,src,dstdomain and srcdomain acls all use the exact same splay tree
mechanism as proxy_auth. Not sure why you say they are not. In fact,
these all did it long before proxy_auth did...

> squidguard beats squid in the speed of such compares.

Possibly, but more likely because it is easier to set up a speedy acl
pattern using the squidguard syntax.

> - What about grouping acls like {} and labelling groups?
> This should greatly expand ACL functionality and decrease ACL
> compares on large ACLs.

Not sure I understand what you refer to here. Please explain.

> - Per IP/subnet summary DUMPing is sometimes required.
> I also implement this, and dump per-IP stats to SQL.
> This also allows me to check QUOTAS per IP on-the-fly,
> and deny over-quota IPs.

Also here.. please explain.

And please keep design discussions cc: squid-dev@squid-cache.org

Regards
Henrik
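To make the line-level marking idea sketched above concrete, here is an added toy model, not squid's code and not the patch under discussion: the `+L` / `+U` syntax is only Henrik's proposal, and the semantics assumed here (marks belong to the whole http_access line, all ACLs on a line must match, the first matching line decides and only its marks reach the log tag) are an assumption for illustration.

```python
# Added toy model of the "+MARK" line modifier sketched in this thread.
# Not squid's code: that marks belong to the whole http_access line and only
# the deciding line's marks are logged is an assumption for the example.
from dataclasses import dataclass, field

@dataclass
class Rule:
    action: str                              # "allow" or "deny"
    acls: list                               # ACL names; ALL must match
    marks: set = field(default_factory=set)  # "+X" tokens on the line

def parse_http_access(line):
    """'http_access allow +L lvusers' -> Rule('allow', ['lvusers'], {'L'})."""
    parts = line.split("#", 1)[0].split()    # drop a trailing comment
    if len(parts) < 2 or parts[0] != "http_access":
        raise ValueError("not an http_access line: %r" % line)
    rule = Rule(parts[1], [])
    for tok in parts[2:]:
        if tok.startswith("+"):
            rule.marks.add(tok[1:])          # a mark, not an ACL to evaluate
        else:
            rule.acls.append(tok)
    return rule

def evaluate(rules, acl_defs, request):
    """First line whose ACLs all match decides: returns (action, mark_tag).
    As in squid, a request matching no line gets the opposite of the last
    line's action."""
    for rule in rules:
        if all(acl_defs[name](request) for name in rule.acls):
            return rule.action, "".join(sorted(rule.marks))
    return ("deny" if rules[-1].action == "allow" else "allow"), ""

# Constructed sample policy mirroring the thread: Latvian users are marked L,
# other known users pass unmarked, everyone else is denied and marked U.
ACL_DEFS = {
    "lvusers": lambda r: r["src"].startswith("10.1."),
    "inetusers": lambda r: r["src"].startswith("10.2."),
    "all": lambda r: True,
}
RULES = [parse_http_access(l) for l in (
    "http_access allow +L lvusers   # mark the line if it belongs to Latvia",
    "http_access allow inetusers    # full internet access, no mark",
    "http_access deny all +U        # mark all unknown",
)]

def decide(src):
    """Decision and log tag for a request from source address src."""
    return evaluate(RULES, ACL_DEFS, {"src": src})
```

Because the mark is a property of the line rather than an ACL on it, it cannot be skipped by short-circuit evaluation or change the outcome depending on where it sits in the line, which is the ordering problem the `lv+mark:L` examples above run into.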
Received on Tue May 28 2002 - 15:36:19 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:15:31 MST