On Sun, 22 Nov 2009 23:54:49 +0000, Jenny Lee <bodycare_5@xxxxxxxx> wrote:
>>> acl ERR_BADGUYS src 0.0.0.0/0.0.0.0
>>
>> acl ERR_BADGUYS src all
>
>
> WOWWWWW!
>
> Apart from the flashing issue, I also must mention that this made tons of
> differences with my access lists and fixed so many issues for me.
>
> I am eternally grateful!

Um, sounds like you might have a few legacy setting issues. Mail me a copy
of your config if you would like a free audit.

>
> What exactly has changed from '0.0.0.0/0.0.0.0' or older '0.0.0.0/0',
> '0/0' to 'all'?
>
> Thank you!
>
> Jen
>
>
> PS: I have ipv6 stack removed from RedHat kernel and squid built with no
> ipv6.

Strangely the only difference between them is when squid is built with IPv6
support.

'0.0.0.0/0.0.0.0' becomes a weird 'odd' bitmask of ::ffff:0:0 in IPv6.
Which maps non-reversibly to a /0 CIDR (aka the bitmask of ::)

'0.0.0.0/0' maps to ::/0, which is at least usable. But is noisy on startup
warnings because the /0 removes the four ::ffff* bits of the 0.0.0.0 IP's
v4-mapping bitmask.

'all' is hard-coded to match /0 (always true).

'0/0' causes a DNS lookup to find the hostname '0' (zero). That may result
in a routable IP address if 0.example.com has rDNS. Before the /0 arrives
and saves the day by wiping the address bitmask away.
 *** Unfortunately that only saves the day in IPv4. In IPv6 it wipes the
bitmask down to a /96 CIDR and leaves the first 96 bits of the old IP being
used to match (or mostly fail rather) and many of the default squid settings
suddenly become 'allow' in IPv6.

Thanks for making me think about this. It's reminded me I have to add extra
checking and warnings for those values in 3.1.

Amos
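
A config check for the three legacy spellings discussed in the reply above, added here as an example; it is not part of the original message and not Squid's own code. The function name, the constructed sample config and the choice to scan only `src`/`dst` ACLs are assumptions, and the reason strings paraphrase the message.

```python
# Legacy "match everything" spellings from the message, each with the behaviour
# the message attributes to it when Squid is built with IPv6 support.
LEGACY = {
    "0.0.0.0/0.0.0.0": "becomes an odd ::ffff:0:0 bitmask on IPv6 builds",
    "0.0.0.0/0": "maps to ::/0 but is noisy with startup warnings",
    "0/0": "'0' is looked up as a hostname; on IPv6 the mask is only cut to /96",
}
ADDR_ACL_TYPES = {"src", "dst"}  # assumption: only address-type ACLs are scanned

# Constructed sample squid.conf fragment (not taken from any real config).
SAMPLE = """\
# legacy catch-all definitions
acl all src 0.0.0.0/0.0.0.0
acl ERR_BADGUYS src 0.0.0.0/0
acl localnet src 10.0.0.0/8 0/0
acl ERR_OK src all
#acl old src 0/0
acl SSL_ports port 443
http_access deny ERR_BADGUYS
"""


def lint_squid_acls(conf_text):
    """Return (line_no, acl_name, value, reason) for every legacy catch-all."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or full-line comment
        fields = line.split()
        # Expected shape: acl <name> <type> <value> [<value> ...]
        if len(fields) < 4 or fields[0] != "acl":
            continue
        name, acl_type, values = fields[1], fields[2], fields[3:]
        if acl_type not in ADDR_ACL_TYPES:
            continue
        for value in values:
            if value in LEGACY:
                findings.append((line_no, name, value, LEGACY[value]))
    return findings


if __name__ == "__main__":
    for line_no, name, value, reason in lint_squid_acls(SAMPLE):
        print(f"line {line_no}: acl {name}: '{value}' {reason}; use 'all'")
```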