Index: /thirdparty/squid/branches/3.3/source/src/cf.data.pre
===================================================================
--- /thirdparty/squid/branches/3.3/source/src/cf.data.pre	(revision 148)
+++ /thirdparty/squid/branches/3.3/source/src/cf.data.pre	(revision 169)
@@ -1034,4 +1034,20 @@
 	of follow_x_forewarded_for with a limited set of trusted
 	sources is required to prevent abuse of your proxy.
+DOC_END
+
+NAME: spoof
+TYPE: acl_access
+LOC: Config.accessList.spoof
+DEFAULT_IF_NONE: allow all
+DOC_START
+	Allow client address spoofing based on defined access lists
+
+	spoof allow|deny [!]aclname ...
+
+	If there are no "spoof" lines present, the default is to "allow"
+	spoofing of any suitable request.
+
+	This clause supports fast acl types.
+	See http://wiki.squid-cache.org/SquidFaq/SquidAcl for details.
 DOC_END
 
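Review bot: The DOC_START text for `spoof` does not say which traffic the directive applies to or what a "deny" result does. Judging by the client_side.cc hunks in this commit, the list is only consulted for connections flagged COMM_TRANSPARENT, and any result other than allow clears `spoofClientIp`, so presumably the outgoing connection then uses Squid's own address. I would add a sentence along the lines of `Only applies to traffic received on TPROXY ports; when denied, the outgoing connection uses the proxy's own address instead of the client's.` Since the default is `allow all`, the text should also tell operators that restricting spoofing needs an explicit deny rule. The name `spoof` is generic for a directive that changes the source address seen upstream; something like `spoof_client_ip` would be harder to misread.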
Index: /thirdparty/squid/branches/3.3/source/src/client_side.cc
===================================================================
--- /thirdparty/squid/branches/3.3/source/src/client_side.cc	(revision 146)
+++ /thirdparty/squid/branches/3.3/source/src/client_side.cc	(revision 169)
@@ -2671,5 +2671,9 @@
     if (http->clientConnection != NULL) {
         request->flags.intercepted = ((http->clientConnection->flags & COMM_INTERCEPTION) != 0);
-        request->flags.spoofClientIp = ((http->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+	if (http->clientConnection->flags & COMM_TRANSPARENT) {
+	    ACLFilledChecklist *checklist = clientAclChecklistCreate(Config.accessList.spoof, http);
+	    request->flags.spoofClientIp = checklist->fastCheck() == ACCESS_ALLOWED;
+	    delete checklist;
+    	} else request->flags.spoofClientIp = 0;
     }
 
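Review bot: The checklist in the `COMM_TRANSPARENT` branch is built from `http` via clientAclChecklistCreate(), while the result is written to the local `request`. The enclosing function starts and ends outside the hunk, so it is not visible whether `http->request` and its client address have been assigned at this point; if they have not, source-based rules in the `spoof` list may not match as intended. Building the checklist from the request in hand, as the later hunk at -3580 does, avoids that question and the heap allocation: `ACLFilledChecklist checklist(Config.accessList.spoof, request, NULL);` followed by `request->flags.spoofClientIp = (checklist.fastCheck() == ACCESS_ALLOWED);`. The same allocate/check/delete sequence is repeated in that later hunk, so a small static helper would keep the two call sites in step. The mixed tab and space indentation and the unbraced `} else` should also be brought in line with the surrounding code.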
@@ -3580,5 +3584,10 @@
 #endif
         fakeRequest->my_addr = connState->clientConnection->local;
-        fakeRequest->flags.spoofClientIp = ((connState->clientConnection->flags & COMM_TRANSPARENT) != 0 ) ;
+	fakeRequest->myportname = connState->port->name;
+	if (connState->clientConnection->flags & COMM_TRANSPARENT) {
+            ACLFilledChecklist *checklist = new ACLFilledChecklist(Config.accessList.spoof, fakeRequest, NULL);
+	    fakeRequest->flags.spoofClientIp = checklist->fastCheck() == ACCESS_ALLOWED;
+	    delete checklist;
+    	} else fakeRequest->flags.spoofClientIp = 0;
         fakeRequest->flags.intercepted = ((connState->clientConnection->flags & COMM_INTERCEPTION) != 0);
         debugs(33, 4, HERE << details << " try to generate a Dynamic SSL CTX");
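Review bot: The added `fakeRequest->myportname = connState->port->name;` has no comment and is not obviously part of the spoof change. Presumably it is there so that port-name ACLs in the `spoof` list can match the synthetic request, and a comment such as `// set before the spoof ACL check so myportname rules can match` would record that. The check also runs before `fakeRequest->flags.intercepted` is assigned on the following context line; if any ACL consulted here reads that flag, the assignment should move above the check. The enclosing function starts and ends outside the hunk, so whether `connState->port` is guaranteed valid here cannot be confirmed from what is shown.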
Index: /thirdparty/squid/branches/3.3/source/src/SquidConfig.h
===================================================================
--- /thirdparty/squid/branches/3.3/source/src/SquidConfig.h	(revision 146)
+++ /thirdparty/squid/branches/3.3/source/src/SquidConfig.h	(revision 169)
@@ -399,4 +399,5 @@
         acl_access* icap;
 #endif
+	acl_access* spoof;
     } accessList;
     AclDenyInfoList *denyInfoList;

