My http_access rules start to allow all, disregarding the other ACLs on the http_access rule (see below), after I start, then stop, then start using Netfilter REDIRECT again.

The http_access is flawless when I'm using Netfilter REDIRECT when Squid is loaded. I stop using Netfilter REDIRECT for half a day, then go back to using Netfilter REDIRECT. Then the problem with http_access shows up.

The "http_access allow myAllow all" would allow things in "myDeny" even when I "squid -k reconfigure" with a changed myAllow that contains one url_regex that surely doesn't match any actual requests from my browser on 10.1.0.100. However, requests from my browser that match the url_regex in myDeny would still be accepted by Squid!

Is this a bug in Squid's --enable-linux-netfilter code? Or something with my configuration? "squid -k parse" gives no errors. Help.

kernel-2.4.21-rc6 Netfilter-1.2.8 Squid-2.4-STABLE7
./configure --enable-gnuregex --enable-removal-policies=heap --enable-async-io --enable-useragent-log --enable-delay-pools --enable-icmp --enable-referer-log --disable-wccp --enable-linux-netfilter --disable-ident-lookups --enable-underscores


acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl intranet src 10.0.0.0/255.0.0.0
acl SSL_ports port 443 563
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443 563     # https, snews
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
acl myAllow url_regex -i "/home/daemon/squid/myAllow.txt"
acl myDeny url_regex -i "/home/daemon/squid/myDeny.txt"

http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
#
# INSERT YOUR OWN RULE(S) HERE TO ALLOW ACCESS FROM YOUR CLIENTS
#
http_access allow myAllow all <---- becomes "http_access allow all" after Netfilter REDIRECT is switched back on.
http_access deny myDeny all
http_access allow localhost
http_access allow intranet
# And finally deny all other access to this proxy
http_access deny all



myDeny.txt contains things like
advertising\.com
/ads/
/ads\.
webtrendslive\.com

myAllow.txt contains things like
hotmail
messenger\.msn\.com
