=== modified file 'src/DelayId.cc' --- src/DelayId.cc 2011-06-03 06:20:23 +0000 +++ src/DelayId.cc 2011-06-28 03:21:13 +0000 @@ -126,7 +126,7 @@ if (http->getConn() != NULL) ch.conn(http->getConn()); - if (DelayPools::delay_data[pool].theComposite().getRaw() && ch.fastCheck()) { + if (DelayPools::delay_data[pool].theComposite().getRaw() && ch.fastCheck() == ACCESS_ALLOWED) { DelayId result (pool + 1); CompositePoolNode::CompositeSelectionDetails details; === modified file 'src/HttpHeaderTools.cc' --- src/HttpHeaderTools.cc 2011-05-31 21:06:39 +0000 +++ src/HttpHeaderTools.cc 2011-06-28 03:26:35 +0000 @@ -433,7 +433,7 @@ ACLFilledChecklist checklist(hm->access_list, request, NULL); - if (checklist.fastCheck()) { + if (checklist.fastCheck() == ACCESS_ALLOWED) { /* aclCheckFast returns true for allow. */ retval = 1; } else if (NULL == hm->replacement) { === modified file 'src/HttpReply.cc' --- src/HttpReply.cc 2011-04-27 23:48:03 +0000 +++ src/HttpReply.cc 2011-06-28 03:09:43 +0000 @@ -604,7 +604,7 @@ ch.reply = HTTPMSGLOCK(this); // XXX: this lock makes method non-const for (acl_size_t *l = Config.ReplyBodySize; l; l = l -> next) { /* if there is no ACL list or if the ACLs listed match use this size value */ - if (!l->aclList || ch.matchAclListFast(l->aclList)) { + if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { debugs(58, 4, HERE << "bodySizeMax=" << bodySizeMax); bodySizeMax = l->size; // may be -1 break; === modified file 'src/HttpRequest.cc' --- src/HttpRequest.cc 2011-06-04 12:48:45 +0000 +++ src/HttpRequest.cc 2011-06-28 03:10:03 +0000 
@@ -666,7 +666,7 @@ for (acl_size_t *l = Config.rangeOffsetLimit; l; l = l -> next) { /* if there is no ACL list or if the ACLs listed match use this limit value */ - if (!l->aclList || ch.matchAclListFast(l->aclList)) { + if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { debugs(58, 4, HERE << "rangeOffsetLimit=" << rangeOffsetLimit); rangeOffsetLimit = l->size; // may be -1 break; === modified file 'src/ICP.h' --- src/ICP.h 2010-10-02 08:39:22 +0000 +++ src/ICP.h 2011-06-28 10:32:36 +0000 @@ -131,7 +131,7 @@ HttpRequest* icpGetRequest(char *url, int reqnum, int fd, Ip::Address &from); /// \ingroup ServerProtocolICPAPI -int icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request); +bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request); /// \ingroup ServerProtocolICPAPI SQUIDCEXTERN void icpCreateAndSend(icp_opcode, int flags, char const *url, int reqnum, int pad, int fd, const Ip::Address &from); === modified file 'src/acl/Acl.h' --- src/acl/Acl.h 2009-03-08 19:45:44 +0000 +++ src/acl/Acl.h 2011-06-28 03:05:18 +0000 @@ -107,6 +107,7 @@ typedef enum { ACCESS_DENIED, ACCESS_ALLOWED, + ACCESS_DUNNO, ACCESS_REQ_PROXY_AUTH } allow_t; === modified file 'src/acl/Checklist.cc' --- src/acl/Checklist.cc 2011-06-15 08:47:09 +0000 +++ src/acl/Checklist.cc 2011-06-28 11:53:09 +0000 @@ -49,7 +49,7 @@ } void -ACLChecklist::check() +ACLChecklist::matchNonBlocking() { if (checking()) return; @@ -169,7 +169,7 @@ { preCheck(); /* does the current AND clause match */ - matchAclListSlow(accessList->aclList); + matchAclList(accessList->aclList, false); } void @@ -197,12 +197,6 @@ } void -ACLChecklist::matchAclListSlow(const ACLList * list) -{ - matchAclList(list, false); -} - -void ACLChecklist::matchAclList(const ACLList * head, bool const fast) { PROF_start(aclMatchAclList); 
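Review bot: In the src/acl/Acl.h hunk, `ACCESS_DUNNO` is inserted between `ACCESS_ALLOWED` and `ACCESS_REQ_PROXY_AUTH`, so it is non-zero, and `allow_t` is a plain enum that converts implicitly to `int` and `bool`. Because `fastCheck()` now returns `allow_t const &`, any caller this commit did not convert and that still writes `if (x.fastCheck())` keeps compiling and treats both `ACCESS_DUNNO` and `ACCESS_REQ_PROXY_AUTH` as a grant. I would audit the tree for remaining boolean uses of `fastCheck()` and add a comment on the enum such as `/* never test allow_t as a boolean; compare against ACCESS_ALLOWED explicitly */`. The insertion also renumbers `ACCESS_REQ_PROXY_AUTH`, which matters only if the value is stored or printed numerically somewhere not visible here.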
@@ -328,25 +322,40 @@ { callback = callback_; callback_data = cbdataReference(callback_data_); - check(); + matchNonBlocking(); +} + +allow_t const & +ACLChecklist::fastCheck(const ACLList * list) +{ + PROF_start(aclCheckFast); + currentAnswer(ACCESS_DUNNO); + matchAclList(list, true); + // assume ALLOWED on matches due to not having an acl_access object + if (finished()) + currentAnswer(ACCESS_ALLOWED); + PROF_stop(aclCheckFast); + return currentAnswer(); } /* Warning: do not cbdata lock this here - it * may be static or on the stack */ -int +allow_t const & ACLChecklist::fastCheck() { PROF_start(aclCheckFast); - currentAnswer(ACCESS_DENIED); + currentAnswer(ACCESS_DUNNO); + debugs(28, 5, "aclCheckFast: list: " << accessList); const acl_access *acl = cbdataReference(accessList); while (acl != NULL && cbdataReferenceValid(acl)) { currentAnswer(acl->allow); - if (matchAclListFast(acl->aclList)) { + matchAclList(acl->aclList, true); + if (finished()) { PROF_stop(aclCheckFast); cbdataReferenceDone(acl); - return currentAnswer() == ACCESS_ALLOWED; + return currentAnswer(); } /* @@ -357,10 +366,10 @@ cbdataReferenceDone(A); } - debugs(28, 5, "aclCheckFast: no matches, returning: " << (currentAnswer() == ACCESS_DENIED)); - + debugs(28, 5, "aclCheckFast: no matches, returning: " << currentAnswer()); PROF_stop(aclCheckFast); - return currentAnswer() == ACCESS_DENIED; + + return currentAnswer(); } @@ -381,12 +390,3 @@ { return !cbdataReferenceValid(callback_data); } - -bool -ACLChecklist::matchAclListFast(const ACLList * list) -{ - matchAclList(list, true); - return finished(); -} - - === modified file 'src/acl/Checklist.h' --- src/acl/Checklist.h 2011-06-15 08:47:09 +0000 +++ src/acl/Checklist.h 2011-06-28 11:52:35 +0000 
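Review bot: The no-match exit of `ACLChecklist::fastCheck()` in the `@@ -357,10 +366,10 @@` hunk of src/acl/Checklist.cc now returns `currentAnswer()` unchanged, which at that point holds the `acl->allow` of the last rule that was tried and did not match. The removed line returned `currentAnswer() == ACCESS_DENIED`, the inverse of the last rule, so a list consisting only of `allow X` used to refuse a request that did not match X. With this change the same request appears to come back as `ACCESS_ALLOWED`, unless `matchAclList()` resets the answer on a non-match, which is not visible here. If it does not, restore the implicit inverse before the final return, for example `if (currentAnswer() != ACCESS_DUNNO) currentAnswer(currentAnswer() == ACCESS_DENIED ? ACCESS_ALLOWED : ACCESS_DENIED);`. The function body begins in the preceding hunk.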
@@ -107,34 +107,20 @@ * knowledge of the ACL usage rather than depend on this default. * That will also save on work setting up ACLChecklist fields for a no-op. * - * \retval 1/true Access Allowed - * \retval 0/false Access Denied - */ - int fastCheck(); - - /** - * Trigger a blocking access check for a single ACL line (a AND b AND c). - * - * ACLs which cannot be satisfied directly from available data are ignored. - * This means any proxy_auth, external_acl, DNS lookups, Ident lookups etc - * which have not already been performed and cached will not be checked. - * - * \retval 1/true Access Allowed - * \retval 0/false Access Denied - */ - bool matchAclListFast(const ACLList * list); - - /** - * Attempt to check the current checklist against current data. - * This is the core routine behind all ACL test routines. - * As much as possible of current tests are performed immediately - * and the result is maybe delayed to wait for async lookups. - * - * When all tests are done callback is presented with one of: - * - ACCESS_ALLOWED Access explicitly Allowed - * - ACCESS_DENIED Access explicitly Denied - */ - void check(); + * \retval ACCESS_DUNNO Unable to determine any result + * \retval ACCESS_ALLOWED Access Allowed + * \retval ACCESS_DENIED Access Denied + */ + allow_t const & fastCheck(); + + /** + * A version of fastCheck() for use when there is a one-line set of ACLs + * to be tested and a match determins the result action to be done. + * + * \retval ACCESS_DUNNO Unable to determine any result + * \retval ACCESS_ALLOWED ACLs all matched + */ + allow_t const & fastCheck(const ACLList * list); bool asyncInProgress() const; void asyncInProgress(bool const); @@ -156,6 +142,7 @@ protected: virtual void checkCallback(allow_t answer); + private: void checkAccessList(); void checkForAsync(); 
@@ -166,10 +153,21 @@ PF *callback; void *callback_data; + /** + * Attempt to check the current checklist against current data. + * This is the core routine behind all ACL test routines. + * As much as possible of current tests are performed immediately + * and the result is maybe delayed to wait for async lookups. + * + * When all tests are done callback is presented with one of: + * - ACCESS_ALLOWED Access explicitly Allowed + * - ACCESS_DENIED Access explicitly Denied + */ + void matchNonBlocking(); + private: /* internal methods */ void preCheck(); void matchAclList(const ACLList * list, bool const fast); - void matchAclListSlow(const ACLList * list); bool async_; bool finished_; === modified file 'src/acl/DestinationDomain.cc' --- src/acl/DestinationDomain.cc 2011-05-15 08:42:17 +0000 +++ src/acl/DestinationDomain.cc 2011-06-28 12:06:45 +0000 @@ -68,7 +68,7 @@ checklist->changeState (ACLChecklist::NullState::Instance()); checklist->markDestinationDomainChecked(); checklist->request->recordLookup(details); - checklist->check(); + checklist->matchNonBlocking(); } === modified file 'src/acl/DestinationIp.cc' --- src/acl/DestinationIp.cc 2011-06-23 08:33:13 +0000 +++ src/acl/DestinationIp.cc 2011-06-28 12:06:36 +0000 @@ -94,7 +94,7 @@ checklist->request->recordLookup(details); checklist->asyncInProgress(false); checklist->changeState (ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } === modified file 'src/acl/Gadgets.cc' --- src/acl/Gadgets.cc 2009-12-22 23:24:28 +0000 +++ src/acl/Gadgets.cc 2011-06-28 12:06:55 +0000 @@ -196,7 +196,7 @@ for (B = *head, T = head; B; T = &B->next, B = B->next); *T = A; - /* We lock _acl_access structures in ACLChecklist::check() */ + /* We lock _acl_access structures in ACLChecklist::matchNonBlocking() */ } void === modified file 'src/acl/SourceDomain.cc' --- src/acl/SourceDomain.cc 2009-07-12 22:56:47 +0000 +++ src/acl/SourceDomain.cc 2011-06-28 12:07:06 +0000 
@@ -66,7 +66,7 @@ checklist->changeState (ACLChecklist::NullState::Instance()); checklist->markSourceDomainChecked(); checklist->request->recordLookup(details); - checklist->check(); + checklist->matchNonBlocking(); } === modified file 'src/adaptation/icap/Launcher.cc' --- src/adaptation/icap/Launcher.cc 2011-03-11 23:02:23 +0000 +++ src/adaptation/icap/Launcher.cc 2011-06-28 03:14:57 +0000 @@ -136,7 +136,7 @@ new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str); cl->reply = HTTPMSGLOCK(info.icapReply); - const bool result = cl->fastCheck(); + bool result = cl->fastCheck() == ACCESS_ALLOWED; delete cl; return result; } === modified file 'src/adaptation/icap/Xaction.cc' --- src/adaptation/icap/Xaction.cc 2011-06-17 10:41:10 +0000 +++ src/adaptation/icap/Xaction.cc 2011-06-28 03:15:24 +0000 @@ -501,7 +501,7 @@ { if (IcapLogfileStatus == LOG_ENABLE) { ACLChecklist *checklist = new ACLFilledChecklist(::Config.accessList.icap, al.request, dash_str); - if (!::Config.accessList.icap || checklist->fastCheck()) { + if (!::Config.accessList.icap || checklist->fastCheck() == ACCESS_ALLOWED) { finalizeLogInfo(); icapLogLog(&al, checklist); } === modified file 'src/auth/AclProxyAuth.cc' --- src/auth/AclProxyAuth.cc 2010-05-06 11:07:19 +0000 +++ src/auth/AclProxyAuth.cc 2011-06-28 12:06:25 +0000 @@ -170,7 +170,7 @@ checklist->asyncInProgress(false); checklist->changeState (ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } void === modified file 'src/client_side.cc' --- src/client_side.cc 2011-06-23 08:31:56 +0000 +++ src/client_side.cc 2011-06-28 03:20:38 +0000 @@ -672,7 +672,7 @@ if (al.reply) checklist->reply = HTTPMSGLOCK(al.reply); - if (!Config.accessList.log || checklist->fastCheck()) { + if (!Config.accessList.log || checklist->fastCheck() == ACCESS_ALLOWED) { if (request) al.adapted_request = HTTPMSGLOCK(request); accessLogLog(&al, checklist); 
@@ -3128,7 +3128,7 @@ ACLFilledChecklist identChecklist(Ident::TheConfig.identLookup, NULL, NULL); identChecklist.src_addr = client->remote; identChecklist.my_addr = client->local; - if (identChecklist.fastCheck()) + if (identChecklist.fastCheck() == ACCESS_ALLOWED) Ident::Start(client, clientIdentDone, result); } #endif @@ -3187,21 +3187,18 @@ /* it was said several times that client write limiter does not work if client_db is disabled */ ClientDelayPools& pools(Config.ClientDelay.pools); + ACLFilledChecklist ch(NULL, NULL, NULL); + + // TODO: we check early to limit error response bandwith but we + // should recheck when we can honor delay_pool_uses_indirect + // TODO: we should also pass the port details for myportname here. + ch.src_addr = details->remote; + ch.my_addr = details->local; + for (unsigned int pool = 0; pool < pools.size(); pool++) { /* pools require explicit 'allow' to assign a client into them */ - if (!pools[pool].access) - continue; // warned in ClientDelayConfig::Finalize() - - ACLFilledChecklist ch(pools[pool].access, NULL, NULL); - - // TODO: we check early to limit error response bandwith but we - // should recheck when we can honor delay_pool_uses_indirect - - ch.src_addr = details->remote; - ch.my_addr = details->local; - - if (ch.fastCheck()) { + if (pools[pool].access && ch.fastCheck(pools[pool].access) == ACCESS_ALLOWED) { /* request client information from db after we did all checks this will save hash lookup if client failed checks */ === modified file 'src/external_acl.cc' --- src/external_acl.cc 2011-06-04 12:48:45 +0000 +++ src/external_acl.cc 2011-06-28 12:06:03 +0000 
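Review bot: In the `@@ -3187,21 +3187,18 @@` hunk of src/client_side.cc, `pools[pool].access` used to be passed to the `ACLFilledChecklist` constructor as a full access list, but is now passed to `fastCheck(const ACLList *)`. That overload, by its own comment in Checklist.cc, "assume[s] ALLOWED on matches due to not having an acl_access object". If `access` is still an `acl_access` rule list (its declaration is outside this hunk), a matching `deny` line would no longer keep a client out of the pool, which contradicts the retained comment "pools require explicit 'allow'". Keeping the allow/deny action needs the no-argument `fastCheck()` with the pool's list installed on the checklist. Also confirm that reusing one `ch` across iterations does not carry `finished()` state from one pool into the next. The enclosing function starts and ends outside the hunk.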
@@ -1562,7 +1562,7 @@ checklist->extacl_entry = cbdataReference((external_acl_entry *)result); checklist->asyncInProgress(false); checklist->changeState (ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } /* This registers "external" in the registry. To do dynamic definitions === modified file 'src/forward.cc' --- src/forward.cc 2011-06-23 08:33:13 +0000 +++ src/forward.cc 2011-06-28 03:22:34 +0000 @@ -209,9 +209,7 @@ ACLFilledChecklist ch(Config.accessList.miss, request, NULL); ch.src_addr = request->client_addr; ch.my_addr = request->my_addr; - int answer = ch.fastCheck(); - - if (answer == 0) { + if (ch.fastCheck() == ACCESS_DENIED) { err_type page_id; page_id = aclGetDenyInfoPage(&Config.denyInfoList, AclMatchedName, 1); @@ -804,7 +802,9 @@ return; } - request->flags.pinned = 0; + request->flags.pinned = 0; // XXX: what if the ConnStateData set this to flag existing credentials? + // XXX: answer: the peer selection *should* catch it and give us only the pinned peer. so we reverse the =0 step below. + // XXX: also, logs will now lie if pinning is broken and leads to an error message. if (serverDestinations[0]->peerType == PINNED) { ConnStateData *pinned_connection = request->pinnedConnection(); assert(pinned_connection); @@ -1212,7 +1212,7 @@ acl_tos *l; for (l = head; l; l = l->next) { - if (!l->aclList || ch->matchAclListFast(l->aclList)) + if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) return l->tos; } @@ -1226,7 +1226,7 @@ acl_nfmark *l; for (l = head; l; l = l->next) { - if (!l->aclList || ch->matchAclListFast(l->aclList)) + if (!l->aclList || ch->fastCheck(l->aclList) == ACCESS_ALLOWED) return l->nfmark; } 
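Review bot: The miss_access test in the `@@ -209,9 +209,7 @@` hunk of src/forward.cc now refuses only on `ch.fastCheck() == ACCESS_DENIED`, so `ACCESS_DUNNO` and `ACCESS_REQ_PROXY_AUTH` both fall through to forwarding; the same pattern appears in the src/tunnel.cc hunk `@@ -613,9 +612,7 @@`. The old `answer == 0` test refused every matched result other than an allow, so this is a behaviour change for any rule that yields `ACCESS_REQ_PROXY_AUTH` on the fast path (whether that can occur is not visible here). If default-allow with no `miss_access` configured is the intent, say so at the call site, e.g. `// miss_access defaults to allow: only an explicit deny blocks forwarding`. Otherwise consider `if (Config.accessList.miss && ch.fastCheck() != ACCESS_ALLOWED)`. The enclosing function extends beyond the hunk.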
@@ -1284,7 +1284,7 @@ if (conn->remote.IsIPv4() != l->addr.IsIPv4()) continue; /* check ACLs for this outgoing address */ - if (!l->aclList || ch.matchAclListFast(l->aclList)) { + if (!l->aclList || ch.fastCheck(l->aclList) == ACCESS_ALLOWED) { conn->local = l->addr; return; } === modified file 'src/htcp.cc' --- src/htcp.cc 2011-05-13 08:13:01 +0000 +++ src/htcp.cc 2011-06-28 09:49:29 +0000 @@ -848,18 +848,17 @@ return d; } -static int -htcpAccessCheck(acl_access * acl, htcpSpecifier * s, Ip::Address &from) +static bool +htcpAccessAllowed(acl_access * acl, htcpSpecifier * s, Ip::Address &from) { /* default deny if no access list present */ if (!acl) - return 0; + return false; ACLFilledChecklist checklist(acl, s->request, NULL); checklist.src_addr = from; checklist.my_addr.SetNoAddr(); - int result = checklist.fastCheck(); - return result; + return (checklist.fastCheck() == ACCESS_ALLOWED); } static void @@ -1206,7 +1205,7 @@ return; } - if (!htcpAccessCheck(Config.accessList.htcp, s, from)) { + if (!htcpAccessAllowed(Config.accessList.htcp, s, from)) { debugs(31, 2, "htcpHandleTstRequest: Access denied"); htcpLogHtcp(from, dhdr->opcode, LOG_UDP_DENIED, s->uri); htcpFreeSpecifier(s); @@ -1279,7 +1278,7 @@ return; } - if (!htcpAccessCheck(Config.accessList.htcp_clr, s, from)) { + if (!htcpAccessAllowed(Config.accessList.htcp_clr, s, from)) { debugs(31, 2, "htcpHandleClr: Access denied"); htcpLogHtcp(from, hdr->opcode, LOG_UDP_DENIED, s->uri); htcpFreeSpecifier(s); === modified file 'src/icp_v2.cc' --- src/icp_v2.cc 2011-05-15 08:42:17 +0000 +++ src/icp_v2.cc 2011-06-28 09:50:23 +0000 
@@ -445,18 +445,17 @@ } } -int +bool icpAccessAllowed(Ip::Address &from, HttpRequest * icp_request) { /* absent an explicit allow, we deny all */ if (!Config.accessList.icp) - return 0; + return true; ACLFilledChecklist checklist(Config.accessList.icp, icp_request, NULL); checklist.src_addr = from; checklist.my_addr.SetNoAddr(); - int result = checklist.fastCheck(); - return result; + return (checklist.fastCheck() == ACCESS_ALLOWED); } char const * === modified file 'src/ident/AclIdent.cc' --- src/ident/AclIdent.cc 2011-02-02 10:23:15 +0000 +++ src/ident/AclIdent.cc 2011-06-28 12:06:16 +0000 @@ -159,7 +159,7 @@ checklist->asyncInProgress(false); checklist->changeState(ACLChecklist::NullState::Instance()); - checklist->check(); + checklist->matchNonBlocking(); } #endif /* USE_IDENT */ === modified file 'src/log/access_log.cc' --- src/log/access_log.cc 2011-03-30 04:29:35 +0000 +++ src/log/access_log.cc 2011-06-28 03:11:30 +0000 @@ -111,7 +111,7 @@ xstrncpy(al->hier.host, dash_str, SQUIDHOSTNAMELEN); for (; log; log = log->next) { - if (checklist && log->aclList && !checklist->matchAclListFast(log->aclList)) + if (log->aclList && checklist && checklist->fastCheck(log->aclList) != ACCESS_ALLOWED) continue; if (log->logfile) { === modified file 'src/neighbors.cc' --- src/neighbors.cc 2011-06-04 12:48:45 +0000 +++ src/neighbors.cc 2011-06-28 11:15:42 +0000 @@ -55,7 +55,7 @@ /* count mcast group peers every 15 minutes */ #define MCAST_COUNT_RATE 900 -int peerAllowedToUse(const peer *, HttpRequest *); +bool peerAllowedToUse(const peer *, HttpRequest *); static int peerWouldBePinged(const peer *, HttpRequest *); static void neighborRemove(peer *); static void neighborAlive(peer *, const MemObject *, const icp_common_t *); 
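Review bot: `icpAccessAllowed()` in src/icp_v2.cc now returns `true` when `Config.accessList.icp` is unset, while the comment directly above it still says "absent an explicit allow, we deny all" and the removed line returned 0. This turns an unconfigured `icp_access` from default-deny into default-allow for every ICP peer query. The sibling `htcpAccessAllowed()` in this same commit correctly returns `false` in the equivalent branch. The line should read `return false;`.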
@@ -138,18 +138,14 @@ return p->type; } -/* - * peerAllowedToUse - * - * this function figures out if it is appropriate to fetch REQUEST - * from PEER. +/** + * \return Whether it is appropriate to fetch REQUEST from PEER. */ -int +bool peerAllowedToUse(const peer * p, HttpRequest * request) { const struct _domain_ping *d = NULL; - int do_ping = 1; assert(request != NULL); if (neighborType(p, request) == PEER_SIBLING) { @@ -159,28 +155,27 @@ debugs(15, 2, "peerAllowedToUse(" << p->name << ", " << request->GetHost() << ") : multicast-siblings optimization match"); #endif if (request->flags.nocache) - return 0; + return false; if (request->flags.refresh) - return 0; + return false; if (request->flags.loopdetect) - return 0; + return false; if (request->flags.need_validation) - return 0; + return false; } // CONNECT requests are proxy requests. Not to be forwarded to origin servers. // Unless the destination port matches, in which case we MAY perform a 'DIRECT' to this peer. if (p->options.originserver && request->method == METHOD_CONNECT && request->port != p->in_addr.GetPort()) - return 0; + return false; if (p->peer_domain == NULL && p->access == NULL) - return do_ping; - - do_ping = 0; - + return true; + + bool do_ping = false; for (d = p->peer_domain; d; d = d->next) { if (0 == matchDomainName(request->GetHost(), d->domain)) { do_ping = d->do_ping; @@ -190,8 +185,8 @@ do_ping = !d->do_ping; } - if (p->peer_domain && 0 == do_ping) - return do_ping; + if (p->peer_domain && !do_ping) + return false; if (p->access == NULL) return do_ping; @@ -211,7 +206,7 @@ #endif - return checklist.fastCheck(); + return (checklist.fastCheck() == ACCESS_ALLOWED); } /* Return TRUE if it is okay to send an ICP request to this peer. */ === modified file 'src/peer_select.cc' --- src/peer_select.cc 2011-06-24 04:05:33 +0000 +++ src/peer_select.cc 2011-06-28 11:16:00 +0000 
@@ -427,7 +427,7 @@ peerSelectDnsPaths(ps); } -int peerAllowedToUse(const peer * p, HttpRequest * request); +bool peerAllowedToUse(const peer * p, HttpRequest * request); /** * peerSelectPinned === modified file 'src/snmp_core.cc' --- src/snmp_core.cc 2011-05-13 08:13:01 +0000 +++ src/snmp_core.cc 2011-06-28 03:44:53 +0000 @@ -444,7 +444,12 @@ u_char *Community; u_char *buf = rq->buf; int len = rq->len; - int allow = 0; + allow_t allow = ACCESS_DENIED; + + if (!Config.accessList.snmp) { + debugs(49, DBG_IMPORTANT, "WARNING: snmp_access not configured. agent query DENIED from : " << rq->from); + return; + } debugs(49, 5, HERE << "Called."); PDU = snmp_pdu_create(0); @@ -454,25 +459,26 @@ /* Check if we have explicit permission to access SNMP data. * default (set above) is to deny all */ - if (Community && Config.accessList.snmp) { + if (Community) { ACLFilledChecklist checklist(Config.accessList.snmp, NULL, NULL); checklist.src_addr = rq->from; checklist.snmp_community = (char *) Community; allow = checklist.fastCheck(); - } - - if ((snmp_coexist_V2toV1(PDU)) && (Community) && (allow)) { - rq->community = Community; - rq->PDU = PDU; - debugs(49, 5, "snmpAgentParse: reqid=[" << PDU->reqid << "]"); - snmpConstructReponse(rq); + + if (allow == ACCESS_ALLOWED && (snmp_coexist_V2toV1(PDU))) { + rq->community = Community; + rq->PDU = PDU; + debugs(49, 5, "snmpAgentParse: reqid=[" << PDU->reqid << "]"); + snmpConstructReponse(rq); + } else { + debugs(49, DBG_IMPORTANT, "WARNING: SNMP agent query DENIED from : " << rq->from); + } + xfree(Community); + } else { - debugs(49, 1, HERE << "Failed SNMP agent query from : " << rq->from); + debugs(49, DBG_IMPORTANT, "WARNING: Failed SNMP agent query from : " << rq->from); snmp_free_pdu(PDU); } - - if (Community) - xfree(Community); } /* === modified file 'src/ssl/support.cc' --- src/ssl/support.cc 2011-06-23 00:23:48 +0000 +++ src/ssl/support.cc 2011-06-28 03:46:24 +0000 
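Review bot: In the `@@ -454,25 +459,26 @@` hunk of src/snmp_core.cc, the new inner `else` (community present, but the ACL did not allow or `snmp_coexist_V2toV1(PDU)` failed) only logs, so the `PDU` created by `snmp_pdu_create(0)` is no longer released on that path. Before this change every rejected query reached `snmp_free_pdu(PDU)`. Since this is the path taken by denied queries from arbitrary senders, each one would leak a PDU. Add `snmp_free_pdu(PDU);` after the "agent query DENIED" `debugs()` line. Whether `snmpConstructReponse()` takes ownership of the PDU on the allowed path is not visible here, and the function begins outside the hunk.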
@@ -240,7 +240,7 @@ if (check) { Filled(check)->ssl_error = error_no; - if (check->fastCheck()) { + if (check->fastCheck() == ACCESS_ALLOWED) { debugs(83, 3, "bypassing SSL error " << error_no << " in " << buffer); ok = 1; } else { === modified file 'src/tunnel.cc' --- src/tunnel.cc 2011-06-24 05:07:06 +0000 +++ src/tunnel.cc 2011-06-28 03:47:28 +0000 @@ -595,7 +595,6 @@ /* Create state structure. */ TunnelStateData *tunnelState = NULL; ErrorState *err = NULL; - int answer; HttpRequest *request = http->request; char *url = http->uri; @@ -613,9 +612,7 @@ ACLFilledChecklist ch(Config.accessList.miss, request, NULL); ch.src_addr = request->client_addr; ch.my_addr = request->my_addr; - answer = ch.fastCheck(); - - if (answer == 0) { + if (ch.fastCheck() == ACCESS_DENIED) { err = errorCon(ERR_FORWARDING_DENIED, HTTP_FORBIDDEN, request); *status_ptr = HTTP_FORBIDDEN; errorSend(http->getConn()->clientConnection, err);