Re: [squid-users] IPv6 Always_Direct/Never_Direct ACLs

From: Henrik Nordstrom <hno@dont-contact.us>
Date: Fri, 30 Aug 2002 23:19:52 +0200

The "ipv6" CVS tag would be the ipv6 project at devel.squid-cache.org
http://devel.squid-cache.org/ipv6/

I don't have any IPv6 network running and only a sketchy view of IPv6
addressing and cannot easily test this at this time, and the branch
needs testers and code review to be able to get included into Squid.

But after looking a little more closely at your squid.conf rules I
think there is something fishy..

You say:

  always_direct allow network SSL_ports CONNECT ipv6dst

which is very narrow and I seriously doubt it can ever be true (can
the same request match both the IPv4 network acl and ipv6dst?). What
is it actually you want this rule to do?

Based on what you have written in your never_direct rule I think you
want something like the following:

   always_direct allow network
   always_direct allow CONNECT
   always_direct allow ipv6dst
   never_direct allow all

This would send any requests for 'network', 'ipv6dst' or using the
CONNECT method (SSL) directly, bypassing your parent. Everything else
will be sent to the parent.

Remember that access lists (http_access/always_direct/never_direct)
only match if all acl expressions in the access list match the
request, and the first access list matching within the specific
directive is the one being used..

  http_access allow/deny acl1 AND acl2 AND acl3 AND ...
  OR
  http_access allow/deny acl4 AND acl5 AND acl6 AND ...
  OR
  ...

Regards
Henrik

On Tuesday 27 August 2002 02.19, Byte wrote:
> the cvs tag "ipv6"
>
> At 11:32 PM 26/08/2002 +0200, Henrik Nordstrom wrote:
> >Which IPV6 patch for Squid are you using?
> >
> >(the standard Squid distribution does not yet support IPv6)
> >
> >Regards
> >Henrik
> >
> >Byte wrote:
> > > > I've got local sites working directly, and ipv4 sites are using
> > > > a parent cache properly,
> > > but ipv6 sites try to use the parent when they need to go
> > > direct :/
> > >
> > > can anyone help me with this?
> > >
> > >
> > >
> > > acl SSL_ports port 443 563
> > > acl CONNECT method CONNECT
> > > > acl network dst ::ffff:192.168.0.0/255.255.0.0 ::ffff:172.16.0.0/255.255.0.0 ::ffff:10.0.0.0/255.0.0.0
> > >
> > > acl ipv6dst dst 3ffe::/16 2000::/3
> > > acl ipv4dst dst ::ffff:0:0/96
> > >
> > > always_direct allow network SSL_ports CONNECT ipv6dst
> > > > never_direct allow ipv4dst !network !SSL_ports !CONNECT !ipv6dst
Received on Fri Aug 30 2002 - 15:21:23 MDT
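
Added example, not part of the original thread and not Squid code: a small Python model of the matching rule described in the reply (ACLs on one line are ANDed, lines are ORed, first matching line wins), run against the posted rules and the suggested ones. Assumptions: IPv4 destinations are written in plain form rather than the ::ffff: mapped form, the sample requests are constructed, and "squid-decides" is only a label for "neither directive matched".

```python
import ipaddress

def dst_in(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    # A v4 address is never "in" a v6 network and vice versa.
    return lambda req: any(ipaddress.ip_address(req["dst"]) in n for n in nets)

# ACL names and ranges from the thread (IPv4 in plain form: assumption).
ACLS = {
    "network":   dst_in("192.168.0.0/16", "172.16.0.0/16", "10.0.0.0/8"),
    "ipv6dst":   dst_in("3ffe::/16", "2000::/3"),
    "ipv4dst":   dst_in("0.0.0.0/0"),
    "SSL_ports": lambda req: req["port"] in (443, 563),
    "CONNECT":   lambda req: req["method"] == "CONNECT",
    "all":       lambda req: True,
}

def check(rules, req):
    """Return the action of the first line whose ACLs ALL match, else None."""
    for line in rules:
        action, *names = line.split()
        # "!name" must NOT match; "name" must match.
        if all(ACLS[n.lstrip("!")](req) != n.startswith("!") for n in names):
            return action
    return None

def route(always_direct, never_direct, req):
    if check(always_direct, req) == "allow":
        return "direct"
    if check(never_direct, req) == "allow":
        return "parent"
    return "squid-decides"

POSTED = (["allow network SSL_ports CONNECT ipv6dst"],
          ["allow ipv4dst !network !SSL_ports !CONNECT !ipv6dst"])
SUGGESTED = (["allow network", "allow CONNECT", "allow ipv6dst"],
             ["allow all"])

# Constructed sample requests (documentation address ranges).
REQUESTS = {
    "lan": {"dst": "192.168.1.10", "port": 80,  "method": "GET"},
    "v6":  {"dst": "2001:db8::1",  "port": 80,  "method": "GET"},
    "v4":  {"dst": "198.51.100.7", "port": 80,  "method": "GET"},
    "ssl": {"dst": "198.51.100.7", "port": 443, "method": "CONNECT"},
}

def compare():
    """Map request name -> (route under POSTED, route under SUGGESTED)."""
    return {k: (route(*POSTED, r), route(*SUGGESTED, r)) for k, r in REQUESTS.items()}
```

In this model the posted always_direct line matches none of the sample requests, because no single destination is in both `network` and `ipv6dst`.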