Fwd: Re[4]: squid ACL marking patch

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Wed, 29 May 2002 08:02:13 +0200

This belongs here..

---------- Forwarded Message ----------

Subject: Re[4]: squid ACL marking patch
Date: Wed, 29 May 2002 02:48:41 +0300
From: Alex Petrov <sysman@sysman.net>
To: Henrik Nordstrom <hno@squid-cache.org>

Hello Henrik,

Wednesday, May 29, 2002, 12:32:59 AM, you wrote:

HN> I don't disagree on the value of the function your patch does, only
HN> the details of how it is achieved.
I accept new ideas :)

HN> What about simply using
HN> http_access allow +L lvusers

>> 2:http_access allow inetusers # all full inet access
>> 3:http_access deny all+mark:U # mark all unknown

HN> http_access deny all +U
Hmm, and how does it save in the already existing structures?
I must look in the code...
but I'll do this a little bit later, now I'm too busy for this.
HN> Correct. authentication is given a higher priority than ident in such
HN> case as the authenticated user id is more reliable than ident..
But in life one doesn't exclude the other, and your solution also allows
people to break security; stealing proxy passwords on one unix machine
between different users is more than real.

HN> acl types that cannot be sorted is linear.
That's true.

>> squidguard beats squid in the speed of such compares.

HN> possibly, but more likely because it is easier to set up a speedy acl
HN> pattern using the squidguard syntax..

>> - what about grouping acls like {} and labelling groups?
>> This should greatly expand ACL functionality and decrease ACL compares
>> on large ACLs.

HN> Not sure I understand what you refer to here. Please explain.
I mean absolutely the same "speedy acl organization" like in
squidguard.

>> - per IP/subnet summary DUMPing is sometimes required.
>> I also implemented this, and dump per-ip stats to SQL.
>> This also allows me to check QUOTAS per IP on the fly,
>> and deny over-quota ips.

HN> Also here.. please explain.
Bandwidth & accounting control are still very useful and required
features. Bandwidth is already realized in squid,
but accounting I think is still missing.
Accounting with summary by clients (user/ip/subnet), with subsequent
limitation by the amount of network traffic used, now works only as an
external feature. For example some script/perl/c-code reads
access.log, makes a summarization and changes acls to permit or deny
access, if some user/ip/subnet exceeds network volume or traffic
quotas. But squid can simply count this internally.
Taking care about a table like:
USER/IP QUOTA KB (here also can come hits/miss & etc)
10.10.10.1 50000
I built some patch for squid (oriented to solving my tasks),
but I think this can also be very usable for others.
This also allows making a harder limitation if the quota of
allowed MB was reached, and also allows counting it more simply.
Squid can dump this table and reload it on start; this also allows
rejecting too large downloads for clients.
Squid can also control quotas using existing ACLs;
acl just should be extended with something like:
acl user_quotas quota HIT 50MB
acl miss_quotas quotas MISS 0 # no limit by default.
http_access allow user_quotas.

HN> and please keep design discussions cc: squid-dev@squid-cache.org
Should I join this list first?

----
Best regards,
 Alex
-----------------------------------------------
            Unix & IT Specialist.
     Network and Computer security officer.
e-mail: sysman@sysman.net
-------------------------------------------------------
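As an added illustration of the external accounting approach Alex describes above (a script reads access.log, sums traffic per client and adjusts ACLs), here is a small Python example. It is not part of Squid or of the patch under discussion; the log lines and the quota table are constructed, and the separate HIT/MISS quotas with 0 meaning "no limit" follow the syntax sketched in the message.

```python
"""Per-client traffic accounting from Squid's native access.log.

Sums bytes served per client IP, separately for cache HITs and MISSes,
and checks the totals against a quota table like the "USER/IP QUOTA KB"
table sketched in the message. Clients over quota are written out one
address per line, the form an `acl name src "/path/file"` reads, so an
existing http_access deny rule can pick them up. Example code, not Squid's.
"""
from collections import defaultdict

# Constructed sample of Squid native access.log lines (field order:
# timestamp elapsed client result_code/status bytes method URL ident hierarchy type).
SAMPLE_LOG = """\
1022632961.123    245 10.10.10.1 TCP_HIT/200 4096000 GET http://example.test/a - NONE/- text/html
1022632962.456   1020 10.10.10.1 TCP_MISS/200 2048000 GET http://example.test/b - DIRECT/192.0.2.10 text/html
1022632963.789    120 10.10.10.2 TCP_MEM_HIT/200 512000 GET http://example.test/c - NONE/- image/png
1022632964.012    900 10.10.10.2 TCP_MISS/200 9000000 GET http://example.test/d - DIRECT/192.0.2.10 application/zip
1022632965.345     50 10.10.10.3 TCP_DENIED/403 1500 GET http://example.test/e - NONE/- text/html
"""

# Constructed quota table in KB. 0 means no limit, mirroring the message's
# "acl miss_quotas quotas MISS 0 # no limit by default".
QUOTAS_KB = {
    "10.10.10.1": {"HIT": 5000, "MISS": 1000},
    "10.10.10.2": {"HIT": 0, "MISS": 10000},
}


def classify(result_code):
    """Map TCP_HIT, TCP_MEM_HIT, TCP_IMS_HIT, ... to HIT; everything else to MISS."""
    return "HIT" if "HIT" in result_code.split("/", 1)[0] else "MISS"


def summarize(log_text):
    """Return {client_ip: {"HIT": bytes, "MISS": bytes}} from native log lines."""
    totals = defaultdict(lambda: {"HIT": 0, "MISS": 0})
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 10:
            continue  # skip truncated or garbled lines instead of aborting the run
        client, result, size = fields[2], fields[3], fields[4]
        try:
            nbytes = int(size)
        except ValueError:
            continue
        totals[client][classify(result)] += nbytes
    return dict(totals)


def over_quota(totals, quotas_kb):
    """Sorted list of clients whose HIT or MISS bytes exceed their quota (0 = unlimited)."""
    offenders = set()
    for client, limits in quotas_kb.items():
        used = totals.get(client, {"HIT": 0, "MISS": 0})
        for kind, limit_kb in limits.items():
            if limit_kb and used[kind] > limit_kb * 1024:
                offenders.add(client)
    return sorted(offenders)


def render_src_acl(clients):
    """One address per line, the format a `src` ACL file takes."""
    return "\n".join(clients) + ("\n" if clients else "")


if __name__ == "__main__":
    totals = summarize(SAMPLE_LOG)
    for ip, t in sorted(totals.items()):
        print(f"{ip:<12} HIT {t['HIT'] // 1024:>8} KB  MISS {t['MISS'] // 1024:>8} KB")
    # 10.10.10.1 used 2000 KB of MISS traffic against a 1000 KB quota
    print(render_src_acl(over_quota(totals, QUOTAS_KB)), end="")
```

Hits and misses are tracked apart because the message proposes quotas for them separately; a client with no row in the quota table is never denied, and a client whose log lines are malformed is skipped rather than silently over- or under-counted.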
Received on Wed May 29 2002 - 02:36:25 MDT

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:15:31 MST