New version of squid filter patches

2005-11-02 Thread Rene Mayrhofer
Hi all,

[Please CC me in replies, I am not subscribed to this mailing list.]

I have finally gotten around to creating a web page for my squid filter patches 
(an updated version of Olaf Titz's patches, as indicated by my last post 
http://www.squid-cache.org/mail-archive/squid-dev/200401/0062.html). They 
work with squid 2.5.9 and include a streaming clamav anti-virus filter plugin 
that works quite well. It has been included in Gibraltar firewall for over a 
year and has thus been tested at many sites (including networks with >100 
concurrent users).

There is a tradeoff between the probability of detecting a virus and 
performance, but it is configurable in squid.conf. With the values suggested 
at my web page, the probability of letting a virus through is low, and 
performance is reasonable.

You can find the current patch at http://www.mayrhofer.eu.org/squid-filter

(I am sorry for the shameless plug of my web page, but I think that these 
patches might be helpful to some people.)

with best regards,
Rene




Squid Filter Patch

2004-01-28 Thread Rene Mayrhofer
Hi all,

[Please CC me in replies, I am currently not subscribed to this list.]

First a short introduction of the project I am currently working on: I 
am the main developer of Gibraltar, a Debian GNU/Linux based firewall 
bootable from a live CD-ROM. There is a commercial version with an 
easy-to-use web interface, but also a free version (including commercial 
in-house uses) available for download.
For the next major release I would like to add HTTP content scanning 
support, including anti-virus scanning. Although there are many 
special-purpose proxies for that (e.g. privoxy), I decided that squid is 
definitely the better solution for a firewall. It's fast and lightweight 
enough in terms of memory usage and has many great features for 
authenticating users (e.g. NTLM). Unfortunately, in 2.5 there seems to 
be no support for content filtering.

Therefore, I am currently trying to forward-port the filter patches from
http://sites.inka.de/sites/bigred/devel/squid-filter.html and will put 
that work up on my server as soon as the porting is finished. It hasn't 
been updated for about a year and the last post I could locate is
http://www1.cn.squid-cache.org/mail-archive/squid-dev/200203/0137.html . 
Olaf, are you already working on a port? I could not find a notice on 
the webpage.
If necessary, I would also be willing to act as a maintainer for the 
filtering code and update it for new squid releases (if Olaf is no 
longer interested or does currently not have time for it - thanks for 
the good work until now!) or integrate it upstream if that is desired.

Now, after a lengthy intro, my real problem :)
Although I have adapted everything to the new cbdata interface and have 
it building and loading correctly, I get a runtime assertion when at 
least one of the filter modules is loaded and it gets active (i.e. 
starting squid with a filter plugin and sitting there idle is ok, but 
the first requests will cause the assertion).

==> /var/log/squid/cache.log <==
2004/01/28 20:05:46| assertion failed: cbdata.c:185: "c->y == c"

It of course recovers by restarting. Before failing, a few requests are 
actually served and I have not yet tracked down what exactly triggers 
the assertion. However, I am quite sure that I have messed up badly when 
porting the code for the cbdata usage. I just tried to read other code 
that uses the CBDATA macros and mimic that usage. Attached is the 
module.c file with the commented out, old calls and my ported calls to 
the new interface. If any squid wizard/hacker/guru could give me a hint 
on how to use it correctly or where I have messed up, I would really 
appreciate it. If I have done something incredibly stupid, please 
forgive me as I just had my first 3 hours with squid source code. 
Slapping with a clue bat is ok :)

The modified lines are around 79ff, 87, 206 and 532.

with best regards,
Rene

/*
 * DEBUG: section 92 Module loader and hooks
 * AUTHOR: Olaf Titz
 * MODIFIED BY: Rene Mayrhofer (ported to squid 2.5X, 2004-01)
 *
 * SQUID Internet Object Cache  http://squid.nlanr.net/Squid/
 * --
 *
 *  Squid is the result of efforts by numerous individuals from the
 *  Internet community.  Development is led by Duane Wessels of the
 *  National Laboratory for Applied Network Research and funded by the
 *  National Science Foundation.  Squid is Copyrighted (C) 1998 by
 *  Duane Wessels and the University of California San Diego.  Please
 *  see the COPYRIGHT file for full details.  Squid incorporates
 *  software developed and/or copyrighted by other sources.  Please see
 *  the CREDITS file for full details.
 *
 *  This program is free software; you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation; either version 2 of the License, or
 *  (at your option) any later version.
 *
 *  This program is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with this program; if not, write to the Free Software
 *  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111, USA.
 *
 */

#include "squid.h"
#include "module.h"

/* -- Module loader, definitions -- */

/* This defines a common API between the Sun libdl and HP libdld.
   We use shl_t for library handles and
   void xdlsym(void **result, shl_t handle, const char *name);
   instead of dlsym().
   The rest follows the Sun API.
*/

#ifdef HAVE_LIBDL
#include <dlfcn.h>

/* Solaris/Linux/etc. */
typedef void *shl_t;
#define xdlsym(r, h, s) (r)=dlsym((h), (s))

#else
#ifdef HAVE_LIBDLD
#include <dl.h>

/* HPUX */
#define RTLD_NOW BIND_IMMEDIATE
#define RTLD_LAZY