Hello!
I'd like to set up separate delay pools for different users of a multi-user
box. Is delay_pools supposed to work with ident acls? I tried the following
setup:
---
acl sunray2 src 195.208.251.171
acl user01 ident user01
ident_lookup_access allow sunray2
ident_lookup_access deny all
http_access allow sunray2 user01
delay_class 2 1
delay_access 2 allow sunray2 user01
delay_parameters 2 16384/16384
---
And it doesn't work. If I change delay_access 2 to be
delay_access 2 allow sunray2
then all traffic for sunray2 is limited to 16Kbps. So it looks like acl
user01 doesn't work. But usernames are being logged in the access log:
1129142174.297 5437 195.208.251.171 TCP_MISS/200 3014657 GET http://ftp.rsu.ru/pub/FreeBSD/releases/i386/ISO-IMAGES/5.4/5.4-RELEASE-i386-disc1.iso user01 DIRECT/195.208.245.253 application/octet-stream
Enabling debug gives me this:
2005/10/12 18:36:08| aclCheck: checking 'http_access allow sunray2 user01'
2005/10/12 18:36:08| aclMatchAclList: checking sunray2
2005/10/12 18:36:08| aclMatchAcl: checking 'acl sunray2 src 195.208.251.171'
2005/10/12 18:36:08| aclMatchIp: '195.208.251.171' found
2005/10/12 18:36:08| aclMatchAclList: checking user01
2005/10/12 18:36:08| aclMatchAcl: checking 'acl user01 ident user01'
2005/10/12 18:36:08| aclMatchAclList: returning 0
2005/10/12 18:36:08| aclCheck: Doing ident lookup
2005/10/12 18:36:08| aclCheck: checking 'http_access allow sunray2 user01'
2005/10/12 18:36:08| aclMatchAclList: checking sunray2
2005/10/12 18:36:08| aclMatchAcl: checking 'acl sunray2 src 195.208.251.171'
2005/10/12 18:36:08| aclMatchIp: '195.208.251.171' found
2005/10/12 18:36:08| aclMatchAclList: checking user01
2005/10/12 18:36:08| aclMatchAcl: checking 'acl user01 ident user01'
2005/10/12 18:36:08| aclMatchUser: user is user01, case_insensitive is 0
2005/10/12 18:36:08| Top is 0x820e8e0, Top->data is user01
2005/10/12 18:36:08| aclMatchUser: returning 1,Top is 0x820e8e0, Top->data is user01
2005/10/12 18:36:08| aclMatchAclList: returning 1
2005/10/12 18:36:08| aclCheck: match found, returning 1
2005/10/12 18:36:08| aclCheckCallback: answer=1
2005/10/12 18:36:08| aclCheckFast: list: 0x827e830
2005/10/12 18:36:08| aclMatchAclList: checking sunray2
2005/10/12 18:36:08| aclMatchAcl: checking 'acl sunray2 src 195.208.251.171'
2005/10/12 18:36:08| aclMatchIp: '195.208.251.171' found
2005/10/12 18:36:08| aclMatchAclList: checking user01
2005/10/12 18:36:08| aclMatchAcl: checking 'acl user01 ident user01'
2005/10/12 18:36:08| aclMatchAclList: returning 0
2005/10/12 18:36:08| aclCheckFast: no matches, returning: 0
As far as I can understand, the 1st is the http_access check and the 2nd is
the delay_access check. I did a quick look at the sources and found that
delay_pools call only aclCheckFast, which checks ident access lists only if
the result of an ident lookup already exists. I was hoping that forcing an
ident lookup with http_access would cache the username somewhere, but this
doesn't seem to work either. :( Am I doing something wrong, or will this
setup not work by design?
--
Oleg Sharoiko.
Software and Network Engineer
Computer Center of Rostov State University.
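
A small reader for the debug trace above, added here as an example and not part of the original post or of Squid: it splits the trace into ACL-list evaluations and reports which ones reached the ident ACL without any username comparison (no aclMatchUser line). The function names and the abridged sample are constructed for illustration; the line patterns are the ones visible in the excerpt.

```python
import re

# Abridged from the cache.log excerpt in the post (timestamps and src-ACL lines dropped).
SAMPLE = """\
aclCheck: checking 'http_access allow sunray2 user01'
aclMatchAcl: checking 'acl user01 ident user01'
aclMatchAclList: returning 0
aclCheck: Doing ident lookup
aclCheck: checking 'http_access allow sunray2 user01'
aclMatchAcl: checking 'acl user01 ident user01'
aclMatchUser: user is user01, case_insensitive is 0
aclMatchAclList: returning 1
aclCheckFast: list: 0x827e830
aclMatchAcl: checking 'acl user01 ident user01'
aclMatchAclList: returning 0
"""

START = re.compile(r"(aclCheckFast): list:|(aclCheck): checking '")
ACL = re.compile(r"aclMatchAcl: checking 'acl (\S+) (\S+)")
RESULT = re.compile(r"aclMatchAclList: returning (\d+)")

def split_checks(text):
    """Group debug lines into one record per ACL-list evaluation."""
    checks = []
    for raw in text.splitlines():
        line = raw.split("| ", 1)[-1].strip()  # tolerate 'date time| ' prefixes
        start = START.match(line)
        if start:
            checks.append({"path": "fast" if start.group(1) else "slow",
                           "ident_acls": [], "user_compared": False, "result": None})
        elif checks:
            cur, acl, res = checks[-1], ACL.match(line), RESULT.match(line)
            if acl and acl.group(2) == "ident":
                cur["ident_acls"].append(acl.group(1))
            elif line.startswith("aclMatchUser:"):
                cur["user_compared"] = True
            elif res:
                cur["result"] = int(res.group(1))
    return checks

def ident_skipped(checks):
    """Evaluations that reached an ident ACL without any username comparison."""
    return [c for c in checks if c["ident_acls"] and not c["user_compared"]]

if __name__ == "__main__":
    for c in split_checks(SAMPLE):
        print(c["path"], c["ident_acls"], c["user_compared"], c["result"])
```

On the sample it lists three evaluations: the first http_access pass (no username yet, result 0), the repeated pass after the ident lookup (result 1), and the aclCheckFast pass, which again shows no username comparison and returns 0.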