On Sun, Jun 5, 2011 at 18:04, Jim Pingle <[email protected]> wrote:
> On 6/5/2011 7:10 AM, Odhiambo Washington wrote:
> > So here is my patch, which also contains a few changes required in
> > squid-3.
>
> There's your problem, squid 3 is largely untested and should not be
> trusted. :-) If you want it to work, use the squid 2.x package.
>
> Every so often someone else comes along and says something different
> should be on that line, so at this point I'm not quite sure who is
> exactly right. It would appear that the units portion is needed at least
> though.
>
> http://forum.pfsense.org/index.php/topic,32923.msg191044.html
>
> http://forum.pfsense.org/index.php/topic,33616.msg174311.html
>
> Jim
>
After consultations with squid-devs, here is what they had to say:
<Quote>
There are two special cases for traffic size:
"0". Meaning no body is permitted.
"none". Meaning no limit applied or "unlimited" size.
Units are not relevant on these and Squid does not currently accept any. You
can still add ACLs after these special values to indicate _when_ they apply.
NP: the default is not to limit any replies.
An implicit: "reply_body_max_size none all".
The word "deny" is also not relevant in reply_body_max_size.
Squid ACL lines have a general syntax "$directive $value $conditions". The
$value applies only when the $conditions are all matching.
In the case of http_access the $value is permission or rejection
(allow/deny). In reply_body_max_size the $value is the limit being set. So
what you would be used to as allow/deny elsewhere is written "n KB" here.
</Quote>
So in essence, we need:
(12:25:03 <~>) 0 $ diff squid.inc squid.inc.local
527c527
< }
---
> }
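Review bot: the change at line 527 looks whitespace-only, since both sides show nothing but `}`. Drop it from this patch, or send it separately, so the diff carries only the squid-3 configuration changes.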
813,814c813,814
< acl all src 0.0.0.0/0.0.0.0
< acl localhost src 127.0.0.1/255.255.255.255
---
> acl all src all
> acl localhost src 127.0.0.1/32
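Review bot: the move to CIDR notation at lines 813-814 covers only the two static ACLs, while the localnet ACL built from `$real_ifaces` in the same file still emits `$ip/$mask` with a dotted netmask. That leaves mixed notation in the generated config, so convert that block in the same patch to keep the source ACLs consistent for squid 3.x.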
903c903
< $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " deny
all\n";
---
> $conf .= 'reply_body_max_size ' . ($down_limit * 1024) . " all\n";
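Review bot: the new line at 903 still writes the limit with no unit (`($down_limit * 1024) . " all\n"`), although the squid-devs reply quoted in this message says the value is written "n KB" and the earlier reply notes the units portion appears to be needed. If `$down_limit` is in kilobytes, as the multiplication by 1024 suggests, emit it with an explicit unit instead of a bare number. Also check what is written when `$down_limit` is 0, because "0" means no body is permitted and "none" is the value for no limit.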
Another issue with regard to squid 3.1.x concerns this block in squid.inc:
    if ($settings['allow_interface'] == 'on') {
        $src = '';
        foreach ($real_ifaces as $iface) {
            list($ip, $mask) = $iface;
            $ip = long2ip(ip2long($ip) & ip2long($mask));
            $src .= " $ip/$mask";
        }
        $conf .= "# Allow local network(s) on interface(s)\n";
        $conf .= "acl localnet src $src\n";
        $valid_acls[] = 'localnet';
    }
For squid 3.x netmasks are deprecated. CIDR masks are used instead.
So, someone needs to change something in this block :-)
Plus - could the package maintainer keep up to date with the squid branch?
It's lagging far behind.
--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
Please consider the environment before printing this email.
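One way to emit CIDR prefixes instead of dotted netmasks for the localnet ACL discussed in the message above. This is an added example, not part of the original message or the pfSense squid package; the function names and sample addresses are hypothetical, and the input is assumed to be the same [ip, dotted-netmask] pairs that `$real_ifaces` holds.

```php
<?php
// Added example, not code from squid.inc. Function names are hypothetical.

/**
 * Convert a dotted IPv4 netmask to a CIDR prefix length.
 * Returns null for malformed or non-contiguous masks (e.g. 255.0.255.0),
 * which must not be written into an ACL as if they were valid.
 */
function netmask_to_prefix(string $mask): ?int
{
    $long = ip2long($mask);
    if ($long === false) {
        return null;
    }
    // 32-character binary string; works for signed (32-bit) and unsigned results.
    $bits = substr(sprintf('%032b', $long), -32);
    // A valid mask is a run of 1s followed only by 0s.
    if (!preg_match('/^(1*)0*$/', $bits, $m)) {
        return null;
    }
    return strlen($m[1]);
}

/**
 * Build the source list for "acl localnet src ..." in CIDR form.
 * $ifaces: list of [ip, dotted-netmask] pairs (assumed input shape).
 */
function localnet_src(array $ifaces): string
{
    $src = [];
    foreach ($ifaces as [$ip, $mask]) {
        $prefix = netmask_to_prefix($mask);
        if ($prefix === null || ip2long($ip) === false) {
            continue; // skip entries that would yield an invalid or overly broad ACL
        }
        $network = long2ip(ip2long($ip) & ip2long($mask));
        $src[] = "$network/$prefix";
    }
    return implode(' ', $src);
}

// Constructed sample input; the third entry has a non-contiguous mask and is skipped.
$sample = [
    ['192.168.1.1', '255.255.255.0'],
    ['10.0.5.9', '255.255.0.0'],
    ['172.16.0.1', '255.0.255.0'],
];
echo 'acl localnet src ' . localnet_src($sample) . "\n";
```

If every interface is skipped the list is empty, so a caller should omit the `acl localnet` line entirely in that case rather than write an ACL with no source.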
