I've got a situation in which two domains, each running Squid on a
firewall, want to allow access to each other's internal webpages. The
current firewalling code handles the case of a Squid on the Internet with
direct access to all hosts, and the case of a Squid behind a firewall
which must use proxies, but doesn't handle this case correctly. Some
requests (e.g. those on the hierarchy_stoplist, and gopher searches) will
always be sent directly if Squid has Internet access, and will fail since
the remote internal-network hosts don't exist on the Internet.
The following patch generalizes the syntax of the inside_firewall config
directive. It adds a tilde prefix, which indicates that hosts in a given
domain may be accessed directly or through an appropriate parent, and an
asterisk default hostname, allowing the default behaviour to be changed.
As an example, the following line:
inside_firewall ourdomain.net !theirdomain.net ~*
tells Squid that requests in ourdomain.net must always be done directly,
requests in theirdomain.net must always be done through an appropriate
parent (indicated with cache_host_domain et al), and all other requests
may be done through a parent or directly (normal Squid behaviour on the
Internet, as if no inside_firewall directive had been used).
Summary of inside_firewall syntax post-patch:
domainname - requests to this domain must be done directly
!domainname - requests to this domain must go through a parent
~domainname - requests to this domain may go either way
and domainname may be an asterisk to match all other hosts.
Default behaviour is "either way" if no inside_firewall directive is
given, and "must use a parent" if an inside_firewall list is given.
As a special case "inside_firewall none" sends all requests to a
parent.
This patch also fixes an incorrect comment, FWIW.
Duane, is there any chance of this or something similar getting into the
release?
Regards,
Anthony
*** proto.c.orig Mon May 26 15:10:19 1997
--- proto.c Wed May 28 14:23:39 1997
***************
*** 600,617 ****
}
/*
! * return 0 if the host is outside the firewall (no domains matched), and
! * return 1 if the host is inside the firewall or no domains at all.
! */
int
matchInsideFirewall(const char *host)
{
const wordlist *s = Config.inside_firewall_list;
const char *key = NULL;
int result = NO_FIREWALL;
struct in_addr addr;
if (!s && !Config.firewall_ip_list)
! /* no firewall goop, all hosts are "inside" the firewall */
return NO_FIREWALL;
for (; s; s = s->next) {
key = s->key;
--- 600,620 ----
}
/*
! * Process inside_firewall directive for a given hostname. Return:
! * NO_FIREWALL means we can go direct or via proxy.
! * INSIDE_FIREWALL means we must go direct.
! * OUTSIDE_FIREWALL means we must use a parent proxy.
! */
int
matchInsideFirewall(const char *host)
{
const wordlist *s = Config.inside_firewall_list;
const char *key = NULL;
int result = NO_FIREWALL;
+ int def_result = OUTSIDE_FIREWALL;
struct in_addr addr;
if (!s && !Config.firewall_ip_list)
! /* no firewall goop, all hosts may be accessed directly or via proxy */
return NO_FIREWALL;
for (; s; s = s->next) {
key = s->key;
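Review bot: the new header comment lists the three return values but says nothing about the `*` default entry or the `~` prefix that the later hunks introduce, and `int def_result = OUTSIDE_FIREWALL;` is the only place where the message's "list given means use a parent" default is encoded. Suggest a line in the header comment such as `* A '*' entry sets the result used when no domain matches (default OUTSIDE_FIREWALL).` so the next reader does not have to trace `def_result` through the function to discover the rule.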
***************
*** 621,630 ****
if (*key == '!') {
key++;
result = OUTSIDE_FIREWALL;
} else {
result = INSIDE_FIREWALL;
}
! if (matchDomainName(key, host))
return result;
}
/* Check for dotted-quads */
--- 624,639 ----
if (*key == '!') {
key++;
result = OUTSIDE_FIREWALL;
+ } else if (*key == '~') {
+ key++;
+ result = NO_FIREWALL;
} else {
result = INSIDE_FIREWALL;
}
! if (!strcasecmp(key, "*")) {
! def_result = result;
! }
! else if (matchDomainName(key, host))
return result;
}
/* Check for dotted-quads */
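Review bot: the `}` on its own line followed by `else if (matchDomainName(key, host))` breaks the `} else if (...) {` brace style used two lines above in the same if-chain; please keep them on one line. `strcasecmp(key, "*")` is also odd for a key with no letters in it, `strcmp(key, "*") == 0` says what is meant. Finally, `def_result = result;` overwrites any earlier default without comment, so a list containing both `*` and `!*` silently takes whichever appears last; a debug message on a repeated default entry would make that misconfiguration visible.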
***************
*** 634,642 ****
return INSIDE_FIREWALL;
}
}
! /* all through the list and no domains matched, this host must
! * not be inside the firewall, it must be outside */
! return OUTSIDE_FIREWALL;
}
static int
--- 643,650 ----
return INSIDE_FIREWALL;
}
}
! /* all through the list and no domains matched */
! return def_result;
}
static int
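Review bot: the shortened comment `/* all through the list and no domains matched */` no longer tells the reader what is returned or why; since `def_result` is set far above, spell it out, e.g. `/* no domain matched: return the '*' default, or OUTSIDE_FIREWALL if none was given */`. Note also that the dotted-quad check between the two hunks still returns only `INSIDE_FIREWALL`, so a `*` entry never influences IP-list matches; that is consistent with the message but worth stating in the comment.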
--
Anthony DeBoer <adb@geac.com> #include <std.disclaimer>

Received on Fri May 30 1997 - 07:31:05 MDT
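The decision logic described in the message, as an added stand-alone C model (not Squid's code and not the author's patch): the names `decide`, `example_list` and `strict_list` are mine, `matchDomainName` is assumed to be a case-insensitive, dot-boundary suffix match as it is for plain domain keys, and the firewall_ip_list branch is left out.

```c
/* Added example, not Squid's code: a stand-alone model of the patched
 * matchInsideFirewall() decision so the three-way syntax can be exercised.
 * Assumed: dot-boundary suffix matching; the IP-list check is omitted. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
enum { NO_FIREWALL, INSIDE_FIREWALL, OUTSIDE_FIREWALL };

/* True when host is key itself or a subdomain of key (case-insensitive). */
static int matchDomainName(const char *key, const char *host)
{
    size_t kl = strlen(key), hl = strlen(host);
    if (hl < kl || strcasecmp(host + hl - kl, key) != 0)
        return 0;
    return hl == kl || host[hl - kl - 1] == '.';
}

/* keys: NULL-terminated list standing in for Config.inside_firewall_list;
 * an empty list models "no inside_firewall directive at all". */
int decide(const char **keys, const char *host)
{
    int def_result = OUTSIDE_FIREWALL;  /* list given: default is "use a parent" */
    if (!keys || !*keys)
        return NO_FIREWALL;             /* no directive: either way */
    for (; *keys; keys++) {
        const char *key = *keys;
        int result = INSIDE_FIREWALL;   /* bare domain: must go direct */
        if (*key == '!') { key++; result = OUTSIDE_FIREWALL; }
        else if (*key == '~') { key++; result = NO_FIREWALL; }
        if (strcmp(key, "*") == 0)
            def_result = result;        /* '*' changes the fall-through default */
        else if (matchDomainName(key, host))
            return result;              /* first matching domain wins */
    }
    return def_result;
}

/* The message's example line, and the same list without its ~* entry. */
const char *example_list[] = { "ourdomain.net", "!theirdomain.net", "~*", NULL };
const char *strict_list[] = { "ourdomain.net", "!theirdomain.net", NULL };

int main(void)
{
    static const char *names[] = { "either way", "direct", "parent" };
    const char *hosts[] = { "www.ourdomain.net", "intranet.theirdomain.net",
                            "notourdomain.net", "www.example.com" };
    for (int i = 0; i < 4; i++)
        printf("%-26s -> %s\n", hosts[i], names[decide(example_list, hosts[i])]);
    return 0;
}
```

The `notourdomain.net` host is there to show that the suffix match respects label boundaries, so it falls through to the `~*` default rather than being treated as part of ourdomain.net.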