RE: [squid-users] Brief Flash of CACHE_ACCESS_DENIED on 302 (yahoo.com)

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 23 Nov 2009 14:08:22 +1300

On Sun, 22 Nov 2009 23:54:49 +0000, Jenny Lee <bodycare_5_at_live.com> wrote:
>>> acl ERR_BADGUYS src 0.0.0.0/0.0.0.0
>>
>> acl ERR_BADGUYS src all
>
>
> WOWWWWW!
>
> Apart from the flashing issue, I also must mention that this made tons of
> differences with my access lists and fixed so many issues for me.
>
> I am eternally grateful!

Um, sounds like you might have a few legacy setting issues.
Mail me a copy of your config if you would like a free audit.

>
> What exactly has changed from '0.0.0.0/0.0.0.0' or older '0.0.0.0/0',
> '0/0' to 'all'?
>
> Thank you!
>
> Jen
>
>
> PS: I have ipv6 stack removed from RedHat kernel and squid built with no
> ipv6.

Strangely the only difference between them is when squid is built with
IPv6 support.

 '0.0.0.0/0.0.0.0' becomes a weird 'odd' bitmask of ::ffff:0:0 in IPv6.
Which maps non-reversibly to a /0 CIDR (aka the bitmask of ::)

 '0.0.0.0/0' maps to ::/0, which is at least usable. But is noisy on
startup warnings because the /0 removes the four ::ffff* bits of the
0.0.0.0 IP's v4-mapping bitmask.

 'all' is hard-coded to match /0 (always true).

 '0/0' causes a DNS lookup to find the hostname '0' (zero).
 That may result in a routable IP address if 0.example.com has rDNS.
Before the /0 arrives and saves the day by wiping the address bitmask away.
 *** Unfortunately that only saves the day in IPv4. In IPv6 it wipes the
bitmask down to a /96 CIDR and leaves the first 96 bits of the old IP being
used to match (or mostly fail rather) and many of the default squid
settings suddenly become 'allow' in IPv6.

Thanks for making me think about this. It's reminded me I have to add
extra checking and warnings for those values in 3.1.

Amos
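As an added illustration (not Squid's code, nor anything posted in this thread), a Python model of IPv4 address/mask pairs once they sit in the IPv4-mapped IPv6 range: it shows why 0.0.0.0 used as a mask becomes the non-prefix bitmask ::ffff:0:0 that collapses to /0, and why a mask reduced to /96 matches every IPv4 client but no native IPv6 client. The function names, the leading-ones prefix recovery and the plain prefix match are assumptions of this model, not Squid's actual implementation.

```python
import ipaddress

# Constructed model (not Squid's code): IPv4 ACL values embedded in ::ffff:0:0/96.
ALL_ONES = (1 << 128) - 1
V4_MAPPED = 0xFFFF << 32            # the ::ffff:0:0 part of a v4-mapped address

def to_mapped(v4: str) -> int:
    """Embed dotted-quad IPv4 text as a 128-bit ::ffff:a.b.c.d integer."""
    return V4_MAPPED | int(ipaddress.IPv4Address(v4))

def prefix_to_mask(prefix: int) -> int:
    """128-bit mask with `prefix` leading ones (/0 is all zeros)."""
    return ALL_ONES ^ ((1 << (128 - prefix)) - 1)

def mask_to_prefix(mask: int) -> int:
    """Recover a CIDR length by counting leading ones; lossy when the mask is
    not contiguous. ::ffff:0:0 starts with zero bits, so it collapses to /0."""
    prefix = 0
    for bit in range(127, -1, -1):
        if not (mask >> bit) & 1:
            break
        prefix += 1
    return prefix

def is_contiguous(mask: int) -> bool:
    """True only when the mask survives a round trip through a CIDR length."""
    return prefix_to_mask(mask_to_prefix(mask)) == mask

def acl_matches(acl_addr: int, prefix: int, client: int) -> bool:
    """Plain prefix comparison between the ACL address and a client address."""
    mask = prefix_to_mask(prefix)
    return (acl_addr & mask) == (client & mask)

def thread_cases() -> dict:
    """The forms discussed in the thread, evaluated in this model.
    Client addresses are constructed from RFC 5737 / RFC 3849 documentation ranges."""
    zero_mask = to_mapped("0.0.0.0")          # mask 0.0.0.0 lands as ::ffff:0:0
    v4_client = to_mapped("192.0.2.1")
    v6_client = int(ipaddress.IPv6Address("2001:db8::1"))
    return {
        # '0.0.0.0/0.0.0.0': the mask is not a prefix, so CIDR recovery loses it
        "zero_mask_contiguous": is_contiguous(zero_mask),              # False
        "zero_mask_prefix": mask_to_prefix(zero_mask),                 # 0
        # '0.0.0.0/0' -> ::/0: matches every client, v4-mapped or native IPv6
        "slash0_matches_v6": acl_matches(zero_mask, 0, v6_client),     # True
        # a mask cut down to /96 compares only the ::ffff: part, so every
        # v4-mapped client matches while a native IPv6 client does not
        "slash96_matches_any_v4": acl_matches(zero_mask, 96, v4_client),  # True
        "slash96_matches_v6": acl_matches(zero_mask, 96, v6_client),      # False
    }
```

Spelling the ACL as `src all` sidesteps all of this, since `all` is matched without going through an address/mask conversion at all.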
Received on Mon Nov 23 2009 - 01:08:32 MST