Strange acl prob / possibly a bug

From: Matthias Barnutz <barney@dont-contact.us>
Date: Fri, 25 Feb 2000 00:11:03 +0100

Hi!

I have a very strange problem with Access Lists and http_access. In my
opinion, it seems to be a bug.

After Squid has been running for a few hours or a few days, it suddenly
answers requests from some clients with TCP_DENIED. After doing a
"squid -k reconfigure", everything works fine again, until the next time.

System:
Linux 2.2.12 i586
Squid Object Cache: Version 2.3.STABLE1

The squid config file contains only three http_access entries:

http_access allow paid
http_access allow figge unido
http_access deny all

Here are the corresponding acl lines:

acl all src 0.0.0.0/0.0.0.0
acl figge src 129.217.240.0/255.255.254.0 129.217.255.128/255.255.255.192 129.217.255.248/255.255.255.248
acl unido dstdomain .uni-dortmund.de
acl paid src "/etc/squid.clients"

In words: requests from IPs that are written in the file
/etc/squid.clients should be allowed every time and to every destination.
All hosts from the mentioned subnets may access all destinations in the
mentioned dstdomain. And all other accesses should be denied.

The file /etc/squid.clients looks like this (sample):

129.217.240.38
129.217.240.82
129.217.240.140
129.217.240.87
129.217.240.112

Just the IP-addresses, unsorted. In total, about 400 entries.

What happens is that suddenly all requests from some hosts with source IP
addresses listed in the file are denied (TCP_DENIED). After doing a
reconfigure, requests from the same hosts are allowed again. But
/etc/squid.clients hasn't changed meanwhile. If /etc/squid.clients is
changed, a reconfigure is done automatically. In the cache.log file there
aren't any uncommon events. The hosts, from which requests are denied, are
not always the same.

Does anyone have any idea what this could be? Has anyone had the same problem?

I'm sorry that I actually cannot provide more information, like log file
fragments. Squid is running on a production system, and I do not have the
resources to turn on full debugging. There are many requests, and the
logfile grows very fast if debugging is turned on (even if only acl
debugging is turned on). And, actually I do a "squid -k reconfigure" every
hour by a cronjob, so the problem at the moment is not present, and there's
nothing to log. But this is not a solution. Or is there something wrong with
the acl configuration?

Maybe someone could "simulate" this scenario in his "lab" and track down the
problem ...

Thanks for your help.

Kind regards,

Matthias

--
Matthias Barnutz, University of Dortmund, Germany
http://www.nef.wh.uni-dortmund.de/~barney
ICQ: 12031262
Received on Thu Feb 24 2000 - 16:17:41 MST
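
An added example, not part of the original message: without enabling ACL debugging, the existing access.log can be checked against the intended policy to list TCP_DENIED entries that the three http_access lines should have allowed. The log lines are constructed, the field layout assumes Squid's native access.log format with clients logged as IP addresses, and PAID holds only the five sample addresses from the post.

```python
import ipaddress
from urllib.parse import urlsplit

# ACLs from the post; ip_network() accepts the address/netmask notation used there.
FIGGE = [ipaddress.ip_network(n) for n in (
    "129.217.240.0/255.255.254.0",
    "129.217.255.128/255.255.255.192",
    "129.217.255.248/255.255.255.248")]
UNIDO = ".uni-dortmund.de"
# Stand-in for /etc/squid.clients: the five sample entries shown in the post.
PAID = {ipaddress.ip_address(a) for a in ("129.217.240.38 129.217.240.82 "
        "129.217.240.140 129.217.240.87 129.217.240.112").split()}

# Constructed access.log lines (native format), not taken from the post.
SAMPLE_LOG = """\
951433800.123  12 129.217.240.38 TCP_DENIED/403 1024 GET http://www.example.com/ - NONE/- -
951433801.456 230 129.217.240.82 TCP_MISS/200 5120 GET http://www.example.com/a - DIRECT/www.example.com text/html
951433802.789   8 129.217.241.7 TCP_DENIED/403 1024 GET http://www.example.com/ - NONE/- -
951433803.012   9 129.217.241.7 TCP_DENIED/403 1024 GET http://www.uni-dortmund.de/ - NONE/- -
951433804.345   7 10.1.2.3 TCP_DENIED/403 1024 GET http://www.uni-dortmund.de/ - NONE/- -
""".splitlines()

def url_host(url):
    if "://" in url:
        return (urlsplit(url).hostname or "").lower()
    return url.rsplit(":", 1)[0].lower()  # CONNECT is logged as host:port

def expected(client, url):
    """Decision the three http_access lines are meant to produce."""
    ip, host = ipaddress.ip_address(client), url_host(url)
    if ip in PAID:                                    # http_access allow paid
        return "allow"
    # ACLs on one line are ANDed. Assumption: ".domain" also covers the bare domain.
    if any(ip in n for n in FIGGE) and (host.endswith(UNIDO) or host == UNIDO[1:]):
        return "allow"                                # http_access allow figge unido
    return "deny"                                     # http_access deny all

def unexpected_denials(lines):
    """TCP_DENIED entries for requests the policy should have allowed."""
    hits = []
    for line in lines:
        f = line.split()  # time elapsed client code/status bytes method URL ...
        if len(f) < 7 or not f[3].startswith("TCP_DENIED"):
            continue
        if expected(f[2], f[6]) == "allow":
            hits.append((f[0], f[2], f[6]))
    return hits

if __name__ == "__main__":
    print(unexpected_denials(SAMPLE_LOG))
```

Run against the real log with the full client file loaded into PAID, the timestamps of the hits show when the denials start relative to the last reconfigure.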
