Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-20 Thread Stuart Henderson
On 2024-06-16, Alex Rousskov  wrote:
>  Does anybody still have src_as and dst_as ACLs configured in their 
> production Squids? There are several serious problems with those ACLs, 
> and those problems have been present in Squid for many years. I hope 
> that virtually nobody uses those ACLs today.

In case anyone still does, replacing with a config file fragment
included from the main squid.conf and generated by simple processing
on output from bgpq4 or a similar tool would be fairly straightforward
(and more featureful, as it can follow AS-SET macros).


___
squid-users mailing list
squid-users@lists.squid-cache.org
https://lists.squid-cache.org/listinfo/squid-users
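
An added example (not code from this thread or from the Squid project) of the "simple processing" step suggested above: it turns a prefix list into `acl ... src|dst` lines for a fragment included from squid.conf, rejecting anything that is not a clean CIDR prefix and refusing to emit an empty ACL. It assumes the input has one prefix per line, which bgpq4 can print through its user-defined output format; the function name, the ACL name `as64500_dst` and the sample prefixes are constructed for illustration.

```python
import ipaddress

# Constructed sample input: one prefix per line, documentation ranges only.
# Real input would come from bgpq4 (or a similar tool) run against an AS or AS-SET.
SAMPLE_PREFIXES = """\
192.0.2.0/24
198.51.100.0/25
198.51.100.128/25
2001:db8::/32
2001:db8:1::/48
"""

def squid_acl_fragment(acl_name, acl_type, prefix_lines, per_line=4):
    """Render validated prefixes as Squid 'acl NAME src|dst ...' lines."""
    if acl_type not in ("src", "dst"):
        raise ValueError("acl_type must be 'src' or 'dst'")
    if not acl_name.replace("_", "").isalnum():
        raise ValueError("unsafe ACL name: %r" % acl_name)
    nets = {4: [], 6: []}
    for lineno, raw in enumerate(prefix_lines.splitlines(), 1):
        text = raw.strip()
        if not text or text.startswith("#"):
            continue
        try:
            # strict=True also rejects prefixes with host bits set
            net = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            raise ValueError("line %d: %s" % (lineno, exc)) from None
        nets[net.version].append(net)
    # Merge adjacent and overlapping prefixes so the ACL stays small
    merged = [n for v in (4, 6) for n in ipaddress.collapse_addresses(nets[v])]
    if not merged:
        # Fail closed: never replace a working ACL with an empty one
        raise ValueError("no prefixes in input; refusing to emit empty ACL")
    out = ["# generated fragment; do not edit by hand"]
    for i in range(0, len(merged), per_line):
        chunk = " ".join(str(n) for n in merged[i:i + per_line])
        out.append("acl %s %s %s" % (acl_name, acl_type, chunk))
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(squid_acl_fragment("as64500_dst", "dst", SAMPLE_PREFIXES), end="")
```

The generated file can be pulled in with Squid's `include` directive, and `squid -k parse` checks the combined configuration before a reload.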


Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-17 Thread Jonathan Lee
Is there a different type of directive for source and destination ACLs?
Sent from my iPhone

> On Jun 17, 2024, at 11:03, Alex Rousskov  
> wrote:
> 
> On 2024-06-17 11:43, Jonathan Lee wrote:
>> acl to_ipv6 dst ipv6
>> acl from_ipv6 src ipv6
> 
> 
> Glad I asked! The above configuration is not using "src_as" and "dst_as" ACL 
> types that I am asking about. It is using "src" and "dst" ACL types.
> 
> 
> > I hope that helps our isp is ipv6 only
> 
> Matching IPv6 addresses is completely unrelated to this thread topic, but you 
> may want to see the following commit message about "ipv6" problems recently 
> fixed in master/v7. If you want to discuss IPv6 matching, please start a new 
> mailing list thread!
> https://github.com/squid-cache/squid/commit/51c518d5
> 
> 
> 
> Thank you,
> 
> Alex.
> 
> 
>>> On Jun 17, 2024, at 08:17, Alex Rousskov wrote:
>>> 
>>> On 2024-06-16 19:46, Jonathan Lee wrote:
>>>> I use them for ipv6 blocks they seem to work that way in 5.8
>>> 
>>> Just to double check that we are on the same page here, please share an 
>>> example (or two) of your src_as or dst_as ACL definitions (i.e., "acl ... 
>>> dst_as ..." or similar lines). I do _not_ need the corresponding directives 
>>> that use those AS-based ACLs (e.g., "http_access deny..."), just the "acl" 
>>> lines themselves.
>>> 
>>> As an added bonus, I may be able to confirm whether Squid v5.8 can grok 
>>> responses about Autonomous System Numbers used by your specific 
>>> configuration :-).
>>> 
>>> 
>>> Thank you,
>>> 
>>> Alex.
>>> 
>>> 
>>>>> On Jun 16, 2024, at 17:00, Alex Rousskov wrote:
>>>>> 
>>>>> Hello,
>>>>> 
>>>>>    Does anybody still have src_as and dst_as ACLs configured in their 
>>>>> production Squids? There are several serious problems with those ACLs, 
>>>>> and those problems have been present in Squid for many years. I hope that 
>>>>> virtually nobody uses those ACLs today.
>>>>> 
>>>>> If you do use them, please respond (publicly or privately) and, if 
>>>>> possible, please indicate whether you have verified that those ACLs are 
>>>>> working correctly in your deployment environment.
>>>>> 
>>>>> 
>>>>> Thank you,
>>>>> 
>>>>> Alex.
>>>>> 
>>>>> 
>>>>>> acl aclname src_as number ...
>>>>>> acl aclname dst_as number ...
>>>>>>   # [fast]
>>>>>>   # Except for access control, AS numbers can be used for
>>>>>>   # routing of requests to specific caches. Here's an
>>>>>>   # example for routing all requests for AS#1241 and only
>>>>>>   # those to mycache.mydomain.net:
>>>>>>   # acl asexample dst_as 1241
>>>>>>   # cache_peer_access mycache.mydomain.net allow asexample
>>>>>>   # cache_peer_access mycache_mydomain.net deny all


Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-17 Thread Alex Rousskov

On 2024-06-17 11:43, Jonathan Lee wrote:

> acl to_ipv6 dst ipv6
> acl from_ipv6 src ipv6



Glad I asked! The above configuration is not using "src_as" and "dst_as" 
ACL types that I am asking about. It is using "src" and "dst" ACL types.



> I hope that helps our isp is ipv6 only

Matching IPv6 addresses is completely unrelated to this thread topic, 
but you may want to see the following commit message about "ipv6" 
problems recently fixed in master/v7. If you want to discuss IPv6 
matching, please start a new mailing list thread!

https://github.com/squid-cache/squid/commit/51c518d5



Thank you,

Alex.


>> On Jun 17, 2024, at 08:17, Alex Rousskov wrote:
>>
>> On 2024-06-16 19:46, Jonathan Lee wrote:
>>> I use them for ipv6 blocks they seem to work that way in 5.8
>>
>> Just to double check that we are on the same page here, please share
>> an example (or two) of your src_as or dst_as ACL definitions (i.e.,
>> "acl ... dst_as ..." or similar lines). I do _not_ need the
>> corresponding directives that use those AS-based ACLs (e.g.,
>> "http_access deny..."), just the "acl" lines themselves.
>>
>> As an added bonus, I may be able to confirm whether Squid v5.8 can
>> grok responses about Autonomous System Numbers used by your specific
>> configuration :-).
>>
>>
>> Thank you,
>>
>> Alex.
>>
>>
>>>> On Jun 16, 2024, at 17:00, Alex Rousskov wrote:
>>>>
>>>> Hello,
>>>>
>>>>    Does anybody still have src_as and dst_as ACLs configured in
>>>> their production Squids? There are several serious problems with
>>>> those ACLs, and those problems have been present in Squid for many
>>>> years. I hope that virtually nobody uses those ACLs today.
>>>>
>>>> If you do use them, please respond (publicly or privately) and, if
>>>> possible, please indicate whether you have verified that those ACLs
>>>> are working correctly in your deployment environment.
>>>>
>>>>
>>>> Thank you,
>>>>
>>>> Alex.
>>>>
>>>>
>>>>> acl aclname src_as number ...
>>>>> acl aclname dst_as number ...
>>>>>   # [fast]
>>>>>   # Except for access control, AS numbers can be used for
>>>>>   # routing of requests to specific caches. Here's an
>>>>>   # example for routing all requests for AS#1241 and only
>>>>>   # those to mycache.mydomain.net:
>>>>>   # acl asexample dst_as 1241
>>>>>   # cache_peer_access mycache.mydomain.net allow asexample
>>>>>   # cache_peer_access mycache_mydomain.net deny all



Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-17 Thread Jonathan Lee
acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

Afterwards I block them with terminate connections.

I hope that helps; our ISP is IPv6 only.
Sent from my iPhone

> On Jun 17, 2024, at 08:17, Alex Rousskov  
> wrote:
> 
> On 2024-06-16 19:46, Jonathan Lee wrote:
>> I use them for ipv6 blocks they seem to work that way in 5.8
> 
> Just to double check that we are on the same page here, please share an 
> example (or two) of your src_as or dst_as ACL definitions (i.e., "acl ... 
> dst_as ..." or similar lines). I do _not_ need the corresponding directives 
> that use those AS-based ACLs (e.g., "http_access deny..."), just the "acl" 
> lines themselves.
> 
> As an added bonus, I may be able to confirm whether Squid v5.8 can grok 
> responses about Autonomous System Numbers used by your specific configuration 
> :-).
> 
> 
> Thank you,
> 
> Alex.
> 
> 
>>> On Jun 16, 2024, at 17:00, Alex Rousskov wrote:
>>> 
>>> Hello,
>>> 
>>>Does anybody still have src_as and dst_as ACLs configured in their 
>>> production Squids? There are several serious problems with those ACLs, and 
>>> those problems have been present in Squid for many years. I hope that 
>>> virtually nobody uses those ACLs today.
>>> 
>>> If you do use them, please respond (publicly or privately) and, if 
>>> possible, please indicate whether you have verified that those ACLs are 
>>> working correctly in your deployment environment.
>>> 
>>> 
>>> Thank you,
>>> 
>>> Alex.
>>> 
>>> 
>>>> acl aclname src_as number ...
>>>> acl aclname dst_as number ...
>>>>   # [fast]
>>>>   # Except for access control, AS numbers can be used for
>>>>   # routing of requests to specific caches. Here's an
>>>>   # example for routing all requests for AS#1241 and only
>>>>   # those to mycache.mydomain.net:
>>>>   # acl asexample dst_as 1241
>>>>   # cache_peer_access mycache.mydomain.net allow asexample
>>>>   # cache_peer_access mycache_mydomain.net deny all


Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-17 Thread Alex Rousskov

On 2024-06-16 19:46, Jonathan Lee wrote:

> I use them for ipv6 blocks they seem to work that way in 5.8


Just to double check that we are on the same page here, please share an 
example (or two) of your src_as or dst_as ACL definitions (i.e., "acl 
... dst_as ..." or similar lines). I do _not_ need the corresponding 
directives that use those AS-based ACLs (e.g., "http_access deny..."), 
just the "acl" lines themselves.


As an added bonus, I may be able to confirm whether Squid v5.8 can grok 
responses about Autonomous System Numbers used by your specific 
configuration :-).



Thank you,

Alex.



>> On Jun 16, 2024, at 17:00, Alex Rousskov wrote:
>>
>> Hello,
>>
>>    Does anybody still have src_as and dst_as ACLs configured in their
>> production Squids? There are several serious problems with those ACLs, and
>> those problems have been present in Squid for many years. I hope that virtually
>> nobody uses those ACLs today.
>>
>> If you do use them, please respond (publicly or privately) and, if possible,
>> please indicate whether you have verified that those ACLs are working correctly
>> in your deployment environment.
>>
>>
>> Thank you,
>>
>> Alex.
>>
>>
>>> acl aclname src_as number ...
>>> acl aclname dst_as number ...
>>>   # [fast]
>>>   # Except for access control, AS numbers can be used for
>>>   # routing of requests to specific caches. Here's an
>>>   # example for routing all requests for AS#1241 and only
>>>   # those to mycache.mydomain.net:
>>>   # acl asexample dst_as 1241
>>>   # cache_peer_access mycache.mydomain.net allow asexample
>>>   # cache_peer_access mycache_mydomain.net deny all



Re: [squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-16 Thread Jonathan Lee
I use them for ipv6 blocks; they seem to work that way in 5.8
Sent from my iPhone

> On Jun 16, 2024, at 17:00, Alex Rousskov  
> wrote:
> 
> Hello,
> 
>Does anybody still have src_as and dst_as ACLs configured in their 
> production Squids? There are several serious problems with those ACLs, and 
> those problems have been present in Squid for many years. I hope that 
> virtually nobody uses those ACLs today.
> 
> If you do use them, please respond (publicly or privately) and, if possible, 
> please indicate whether you have verified that those ACLs are working 
> correctly in your deployment environment.
> 
> 
> Thank you,
> 
> Alex.
> 
> 
>>acl aclname src_as number ...
>>acl aclname dst_as number ...
>>  # [fast]
>>  # Except for access control, AS numbers can be used for
>>  # routing of requests to specific caches. Here's an
>>  # example for routing all requests for AS#1241 and only
>>  # those to mycache.mydomain.net:
>>  # acl asexample dst_as 1241
>>  # cache_peer_access mycache.mydomain.net allow asexample
>>  # cache_peer_access mycache_mydomain.net deny all


[squid-users] Anybody still using src_as and dst_as ACLs?

2024-06-16 Thread Alex Rousskov

Hello,

Does anybody still have src_as and dst_as ACLs configured in their 
production Squids? There are several serious problems with those ACLs, 
and those problems have been present in Squid for many years. I hope 
that virtually nobody uses those ACLs today.


If you do use them, please respond (publicly or privately) and, if 
possible, please indicate whether you have verified that those ACLs are 
working correctly in your deployment environment.



Thank you,

Alex.



> acl aclname src_as number ...
> acl aclname dst_as number ...
>   # [fast]
>   # Except for access control, AS numbers can be used for
>   # routing of requests to specific caches. Here's an
>   # example for routing all requests for AS#1241 and only
>   # those to mycache.mydomain.net:
>   # acl asexample dst_as 1241
>   # cache_peer_access mycache.mydomain.net allow asexample
>   # cache_peer_access mycache_mydomain.net deny all
