Re: Problem using external acl with tcp_outgoing_address

[Amos Jeffries <squid3@xxxxxxxxxxxxx>]

Adam wrote:
> Hello 
> I have simple external perl helper program
>
> #!/usr/bin/perl
> $| = 1;
> open(LOG, ">/tmp/squid.log");
> print LOG "RUNNING\n";
> close(LOG);
> while(defined($line = <STDIN>)){
>      print "OK\n";
>      open(LOG, ">>/tmp/squid.log");
>      print LOG "Got: $line\n";
>      close(LOG);
> }
>
> It should always returns OK
> -------
> In squid.conf there is external_acl_type definition
>
> external_acl_type testacl ttl=0 children=1 %SRC /usr/bin/test.pl
> acl testacl_ext external testacl
>
> It works fine with http_acces
>
> http_access allow testacl_ext
> -------
> 2009/05/10 15:17:36.382| ACLChecklist::preCheck: 0xa295d50 checking
> 'http_access allow testacl_ext'
> 2009/05/10 15:17:36.382| ACLList::matches: checking testacl_ext
> 2009/05/10 15:17:36.383| ACL::checklistMatches: checking 'testacl_ext'
> 2009/05/10 15:17:36.383| aclMatchExternal: acl="testacl"
> 2009/05/10 15:17:36.383| cbdWhataReferenceValid: 0xa2a1f98
> 2009/05/10 15:17:36.383| cbdataUnlock: 0xa2a1f98=0
> 2009/05/10 15:17:36.383| aclMatchExternal: testacl = 1
> 2009/05/10 15:17:36.383| ACL::ChecklistMatches: result for 'testacl_ext'
> is 1
> 2009/05/10 15:17:36.383| ACLList::matches: result is true
> -------
> BUT when this acl is invoked from tcp_outgoing_address
>
> tcp_outgoing_address 10.10.12.12 testacl_ext
> -------
> 2009/05/10 15:19:48.406| ACLList::matches: checking testacl_ext
> 2009/05/10 15:19:48.406| ACL::checklistMatches: checking 'testacl_ext'
> 2009/05/10 15:19:48.406| aclMatchExternal: acl="testacl"
> 2009/05/10 15:19:48.407| aclMatchExternal: testacl("127.0.0.1") = lookup
> needed
> 2009/05/10 15:19:48.407| aclMatchExternal: "127.0.0.1": entry=@0, age=0
> 2009/05/10 15:19:48.407| aclMatchExternal: "127.0.0.1": queueing a call.
> 2009/05/10 15:19:48.407| aclMatchExternal: "127.0.0.1": return -1.
> 2009/05/10 15:19:48.407| ACL::ChecklistMatches: result for 'testacl_ext'
> is -1
> 2009/05/10 15:19:48.407| ACLList::matches: result is false
> --------
>
> it just like not executing helper and returns false everytime 
>
> So please anybody ! Help me :D

The *_access lines are broken down into two groups:

 - Slow - are able to spend some time waiting for a result. These can 
do external lookups, auth etc.

 - Fast - must return a result immediately. No delays are acceptable. 
Only connection-related or pre-cached data are usable.

Selection of the outgoing IP is a 'fast' type.

You will need to cache the helper lookup for some time (ttl= , 
negative_ttl=) and perform its test in a slow Access control , such as 
http_access before it can be used in tcp_outgoing_address.

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE6 or 3.0.STABLE15
  Current Beta Squid 3.1.0.7