Re: adaptation_access not working with squid acl's

Hello,

I think I figured out what the problem is but I'd appreciate if someone could check my reasoning. 

My ACL is type localport, so I'm targeting the original request to Squid based on the Squid port the client is connecting to:

acl test localport 4000

Then I enable adaptation_access based on the ACL test:

adaptation_access service_avi_req allow test
adaptation_access service_avi_resp allow test

So here is where I think the problem is.  The client is connecting to Squid on port 4000, so the initial request is put in the ACL "test", however for some reason this ACL is not being hit when adaptation_access is being used. I'm wondering if the reason is because localport is no longer the port the client connected to Squid on, but rather the port Squid is using to connect to the ICAP server?

I've verified with full debugging that the test ACL is not matched in the adaptation checks:

(initial request)

2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking '64.182.224.149'
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: '64.182.224.149' NOT found
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(42) match: checking 'none'
2016/07/15 10:32:44.246 kid1| 28,3| ServerName.cc(47) match: 'none' NOT found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: nobumpSites = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rule) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=ALLOWED

(And now I'm guessing this is adaptation checking ACLs)

2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf40bb8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access#1 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: http_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf40bb8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf40bb8 answer=ALLOWED
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
2016/07/15 10:32:44.246 kid1| 28,3| Ip.cc(539) match: aclIpMatchIp: '192.168.100.6:61769' found
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(163) checkCallback: ACLChecklist::checkCallback: 0xf3c2f8 answer=DENIED

What I don't get however is in this above log entry snapshot, the client source port (192.168.100.6) is shown, so I'd assume the localport would match.

This works if I change the ACL type to src IP address rather than localport, however the whole point of this is because I have another facility that is categorizing users by group and distributing them to Squid on specific destination ports.  So I really need this to work based on localport. 

Any thoughts?





On Fri, Jul 15, 2016 at 6:53 AM, Yuri Voinov <yvoinov@xxxxxxxxx> wrote:

15.07.2016 15:41, Amos Jeffries wrote:
> On 15/07/2016 6:35 a.m., Yuri Voinov wrote:
>>
>>
>>
>> http://wiki.squid-cache.org/action/show/HelpOnAccessControlLists?action=
>>
>
> Yuri;  note that the "HelpOn" wiki pages are for help using the wiki
> itself. Not help using Squid.
Oooooooops. My mistake.
>
>
> I think you meant to reference:
> <http://wiki.squid-cache.org/SquidFaq/SquidAcl>
Yes, sure.
>
>
> Amos
>
> _______________________________________________
> squid-users mailing list
> squid-users@xxxxxxxxxxxxxxxxxxxxx
> http://lists.squid-cache.org/listinfo/squid-users



_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
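
Added example (not part of the original post and not Squid project code): a small Python parser for the section 28 debug lines quoted in the message above. It groups the "checked:" results by preCheck/markFinished evaluation so the result of one ACL can be compared across directives. It assumes evaluations are not interleaved in the log, as in the excerpt; the function names are hypothetical.

```python
import re

# Lines taken from the debug excerpt in the post above (section 28, level 3).
SAMPLE_LOG = """\
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: (ssl_bump rules) = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer ALLOWED for match
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(70) preCheck: 0xf3c2f8 checking slow rules
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: Test = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#1 = 0
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: all = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access#2 = 1
2016/07/15 10:32:44.246 kid1| 28,3| Acl.cc(158) matches: checked: adaptation_access = 1
2016/07/15 10:32:44.246 kid1| 28,3| Checklist.cc(63) markFinished: 0xf3c2f8 answer DENIED for match
"""

PRECHECK = re.compile(r"preCheck: (0x[0-9a-f]+) ")
CHECKED = re.compile(r"matches: checked: (.+) = (-?\d+)$")
FINISHED = re.compile(r"markFinished: (0x[0-9a-f]+) answer (\w+)")

def parse_checks(log_text):
    """Split the log into one record per preCheck..markFinished evaluation."""
    checks, current = [], None
    for line in log_text.splitlines():
        if m := PRECHECK.search(line):
            current = {"ptr": m.group(1), "results": []}
        elif current is not None and (m := CHECKED.search(line)):
            current["results"].append((m.group(1), int(m.group(2))))
        elif current is not None and (m := FINISHED.search(line)):
            # The last "checked:" line before markFinished names the directive.
            results = current["results"]
            current["directive"] = results[-1][0] if results else "?"
            current["answer"] = m.group(2)
            checks.append(current)
            current = None
    return checks

def acl_by_directive(checks, acl_name):
    """Return (directive, result, answer) for each evaluation that tested acl_name."""
    return [(c["directive"], result, c["answer"])
            for c in checks for name, result in c["results"] if name == acl_name]

if __name__ == "__main__":
    for row in acl_by_directive(parse_checks(SAMPLE_LOG), "Test"):
        print(row)
```

The checklist address alone does not identify an evaluation: in the excerpt 0xf3c2f8 appears for both the ssl_bump and the adaptation_access checks, which is why the records are split on preCheck/markFinished pairs.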
