List:       squid-users
Subject:    Re: [squid-users] IPv6 Always_Direct/Never_Direct ACLs
From:       Henrik Nordstrom <hno () marasystems ! com>
Date:       2002-08-30 21:19:52

The "ipv6" CVS tag would be the ipv6 project at devel.squid-cache.org
http://devel.squid-cache.org/ipv6/

I don't have any IPv6 network running and only a sketchy view of IPv6 
addressing and cannot easily test this at this time, and the branch 
needs testers and code review to be able to get included into Squid.

But after looking a little more closely at your squid.conf rules I 
think there is something fishy..

You say:

  always_direct allow network SSL_ports CONNECT ipv6dst

which is very narrow and I seriously doubt it can ever be true (can 
the same request match both the IPv4 network acl and ipv6dst?). What 
is it actually you want this rule to do?

Based on what you have written in your never_direct rule I think you 
want something like the following:

   always_direct allow network
   always_direct allow CONNECT
   always_direct allow ipv6dst
   never_direct allow all

This would send any requests for 'network', 'ipv6dst' or using the 
CONNECT method (SSL) directly, bypassing your parent. Everything else 
will be sent to the parent.

Remember that access lists (http_access/always_direct/never_direct) 
only match if all acl expressions in the access list match the 
request, and the first access list matching within the specific 
directive is the one being used..

  http_access allow/deny acl1 AND acl2 AND acl3 AND ...
  OR
  http_access allow/deny acl4 AND acl5 AND acl6 AND ...
  OR 
  ...


Regards
Henrik


On Tuesday 27 August 2002 02.19, Byte wrote:
> the cvs tag "ipv6"
>
> At 11:32 PM 26/08/2002 +0200, Henrik Nordstrom wrote:
> >Which IPV6 patch for Squid are you using?
> >
> >(the standard Squid distribution does not yet support IPv6)
> >
> >Regards
> >Henrik
> >
> >Byte wrote:
> > > I've got local sites working directly, and ipv4 sites are using
> > > a parent cache properly,
> > > but ipv6 sites try to use the parent when they need to go
> > > direct :/
> > >
> > > can anyone help me with this?
> > >
> > >
> > >
> > > acl SSL_ports port 443 563
> > > acl CONNECT method CONNECT
> > > acl network dst ::ffff:192.168.0.0/255.255.0.0 ::ffff:172.16.0.0/255.255.0.0 ::ffff:10.0.0.0/255.0.0.0
> > >
> > > acl ipv6dst dst 3ffe::/16 2000::/3
> > > acl ipv4dst dst ::ffff:0:0/96
> > >
> > > always_direct allow network SSL_ports CONNECT ipv6dst
> > > never_direct allow ipv4dst !network !SSL_ports !CONNECT
> > > !ipv6dst
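
Added example (not part of the thread and not Squid code): a small Python model of the evaluation described in the reply, where ACLs on one line are ANDed and the first matching line wins, run against the original and the suggested rules. The IPv4 netmasks are rewritten as mapped prefix lengths, "no line matched" is treated as deny, and the sample requests are constructed.

```python
import ipaddress

def dst(*cidrs):
    nets = [ipaddress.ip_network(c) for c in cidrs]
    return lambda r: any(ipaddress.ip_address(r["dst"]) in n for n in nets)

# ACLs from the quoted squid.conf (netmasks expressed as prefix lengths).
ACLS = {
    "SSL_ports": lambda r: r["port"] in (443, 563),
    "CONNECT": lambda r: r["method"] == "CONNECT",
    "network": dst("::ffff:192.168.0.0/112", "::ffff:172.16.0.0/112",
                   "::ffff:10.0.0.0/104"),
    "ipv6dst": dst("3ffe::/16", "2000::/3"),
    "ipv4dst": dst("::ffff:0:0/96"),
    "all": lambda r: True,
}

def term(name, req):
    # A leading "!" negates the ACL, as in squid.conf.
    return not ACLS[name[1:]](req) if name.startswith("!") else ACLS[name](req)

def allowed(rules, req):
    """First line whose ACLs ALL match decides; no match is modelled as deny."""
    for action, *names in (line.split() for line in rules):
        if all(term(n, req) for n in names):
            return action == "allow"
    return False

def route(always_direct, never_direct, req):
    if allowed(always_direct, req):
        return "direct"
    if allowed(never_direct, req):
        return "parent"
    return "unforced"  # neither directive matched; normal peer selection applies

ORIGINAL = (["allow network SSL_ports CONNECT ipv6dst"],
            ["allow ipv4dst !network !SSL_ports !CONNECT !ipv6dst"])
SUGGESTED = (["allow network", "allow CONNECT", "allow ipv6dst"],
             ["allow all"])

# Constructed sample requests (documentation address ranges).
V6_GET = {"dst": "2001:db8::10", "port": 80, "method": "GET"}
V6_TLS = {"dst": "2001:db8::10", "port": 443, "method": "CONNECT"}
V4_GET = {"dst": "::ffff:203.0.113.5", "port": 80, "method": "GET"}
LAN_GET = {"dst": "::ffff:192.168.1.20", "port": 80, "method": "GET"}
```

With the original rules no IPv6 request is ever forced direct, because a destination cannot be inside both the IPv4-mapped 'network' ranges and 'ipv6dst' at once.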

