Squid Package and use of "all-of" and "any-of" directives with concatenated ACL creation examples
Hello Fellow Squid V7 pfSense users
I wanted to share a nice find with you and some emails to Squid Support
acl splice_only_ip src 192.168.1.8
acl splice_only_ip src 192.168.1.10
acl splice_only_ip src 192.168.1.11
acl splice_only_ip src 192.168.1.15
acl splice_only_ip src 192.168.1.16
acl splice_only_mac arp MAC
acl splice_only_mac arp MAC
acl splice_only_mac arp MAC
acl splice_only_mac arp MAC
acl splice_only_mac arp MAC
acl NoSSLIntercept ssl::server_name_regex -i "/usr/local/pkg/reg.url.nobump"
acl NoBumpDNS dstdomain "/usr/local/pkg/dns.nobump"
acl SSL_Intercept_Terminate dstdomain "/usr/local/pkg/url.bump"
acl active_use annotate_client active=true
acl bump_only_ip src 192.168.1.3
acl bump_only_ip src 192.168.1.4
acl bump_only_ip src 192.168.1.5
#acl bump_only_ip src 192.168.1.6
acl bump_only_ip src 192.168.1.9
acl bump_only_ip src 192.168.1.13
acl bump_only_mac arp MAC
acl bump_only_mac arp MAC
acl bump_only_mac arp MAC
acl bump_only_mac arp MAC
acl bump_only_mac arp MAC
#acl bump_only_mac arp MAC

----Parsed---->
#no concatenation used here
#acl splice_group any-of https_login NoBumpDNS NoSSLIntercept
#acl splice_only_local_group all-of splice_only_mac splice_only_ip
#acl splice_main any-of splice_group splice_only_local_group
#acl bump_main all-of bump_only_mac bump_only_ip
ssl_bump peek step1
ssl_bump terminate SSL_Intercept_Terminate
miss_access deny no_miss active_use
ssl_bump splice https_login active_use
ssl_bump splice splice_only_mac splice_only_ip active_use
ssl_bump splice NoBumpDNS active_use
ssl_bump splice NoSSLIntercept active_use
ssl_bump bump bump_only_mac bump_only_ip active_use
acl activated note active_use true
ssl_bump terminate !activated

-----Concatenated new version---->
acl splice_group any-of https_login NoBumpDNS NoSSLIntercept    #any of the splice lists OR acl ||
acl splice_only_local_group all-of splice_only_mac splice_only_ip    #MAC AND IP ADDRESS &&
acl splice_main any-of splice_group splice_only_local_group    #combine to OR acl ||
acl bump_main all-of bump_only_mac bump_only_ip    #MAC AND IP ADDRESS &&
ssl_bump peek step1
ssl_bump terminate SSL_Intercept_Terminate
miss_access deny no_miss active_use
ssl_bump splice splice_main active_use
ssl_bump bump bump_main active_use
acl activated note active_use true
ssl_bump terminate !activated
Reply from Squid Support:
"To remove very distracting noise, I am posting an abridged version of your "before" and "after" configurations:

# before
ssl_bump splice A
ssl_bump splice D E
ssl_bump splice B
ssl_bump splice C
ssl_bump bump F G

# after
ssl_bump splice AorBorCorDE
ssl_bump bump FG

The two versions differ only in evaluation order:

before: ACLs D and E evaluate before ACLs B and C
after: ACLs D and E evaluate after ACLs B and C

Which version is faster depends on whether ACLs D and E match (together) more often than ACL B or ACL C matches (each) _and_ on the cost of evaluating the respective ACLs. I do not have enough information to do the math. If the evaluation order is kept the same, then both configurations should have about the same performance.

Internally, modern Squid interprets

directive actionX a
directive actionX b

almost as if it was written as

acl AorB any-of a b
directive actionX AorB

The latter configuration might consume slightly less memory in some cases, but that difference in memory consumption is unlikely to have a measurable effect on performance in most cases.

HTH,
Alex."
YEAH!!!
So you can use "all-of" and "any-of" in ACLs to create AND or OR clauses.
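Added example, not from the post above and not Squid code: a small Python model of Squid's first-match ssl_bump rule list with all-of (AND, stops at the first non-match) and any-of (OR, stops at the first match) ACLs. It runs the "before" and "after" rule lists from the post over a few constructed connections to check that both make the same splice/bump/terminate decision, and records the order in which leaf ACLs are consulted, which is the evaluation-order difference Alex describes. The MAC addresses, domains and SNI values are constructed; the real MACs are redacted in the post and the real domains live in the list files, and https_login is assumed to be a dstdomain ACL defined elsewhere in the pfSense-generated config.

```python
# Added example (not from the post or from Squid): models Squid's first-match
# ssl_bump evaluation with all-of / any-of ACLs. All addresses, MACs and
# domains below are constructed stand-ins for the redacted values and list files.
import re
from dataclasses import dataclass, field


@dataclass
class Conn:
    ip: str
    mac: str
    sni: str
    notes: dict = field(default_factory=dict)   # client annotations (annotate_client / note)


# ACL table entries: ("leaf", predicate) | ("all-of", [names]) | ("any-of", [names])
def src(*ips):
    return ("leaf", lambda c: c.ip in ips)


def arp(*macs):   # arp ACLs only work for clients on a subnet directly attached to the proxy
    wanted = {m.lower() for m in macs}
    return ("leaf", lambda c: c.mac.lower() in wanted)


def dstdomain(*domains):
    def match(c):
        host = c.sni.lower()
        for d in (x.lower() for x in domains):
            if d.startswith("."):            # ".example.com" matches the domain and its subdomains
                if host == d[1:] or host.endswith(d):
                    return True
            elif host == d:
                return True
        return False
    return ("leaf", match)


def server_name_regex(*patterns):            # ssl::server_name_regex -i
    regs = [re.compile(p, re.IGNORECASE) for p in patterns]
    return ("leaf", lambda c: any(r.search(c.sni) for r in regs))


def annotate_client(key, value):             # always matches, and tags the client
    def match(c):
        c.notes[key] = value
        return True
    return ("leaf", match)


def note(key, value):                        # matches if the client carries that annotation
    return ("leaf", lambda c: c.notes.get(key) == value)


def all_of(*names):
    return ("all-of", list(names))


def any_of(*names):
    return ("any-of", list(names))


def acl_matches(name, acls, conn, trace):
    """Evaluate one ACL, recording the order in which leaf ACLs are consulted."""
    kind, body = acls[name]
    if kind == "leaf":
        trace.append(name)
        return body(conn)
    members = (acl_matches(m, acls, conn, trace) for m in body)
    return all(members) if kind == "all-of" else any(members)   # both short-circuit, as Squid does


def ssl_bump_decision(rules, acls, conn):
    """First ssl_bump line whose ACLs all match wins; a leading '!' negates. Returns (action, trace)."""
    trace = []
    for action, terms in rules:
        for term in terms:
            negate = term.startswith("!")
            if acl_matches(term.lstrip("!"), acls, conn, trace) == negate:
                break                        # this line does not match; try the next one
        else:
            return action, trace
    return "none", trace


def base_acls():
    return {
        "SSL_Intercept_Terminate": dstdomain(".blocked.example"),    # stand-in for url.bump
        "https_login": dstdomain(".bank.example"),                   # assumed; defined elsewhere in pfSense
        "NoBumpDNS": dstdomain(".updates.example"),                  # stand-in for dns.nobump
        "NoSSLIntercept": server_name_regex(r"\.pinned\.example$"),  # stand-in for reg.url.nobump
        "splice_only_ip": src("192.168.1.8", "192.168.1.10"),
        "splice_only_mac": arp("00:11:22:33:44:08", "00:11:22:33:44:10"),   # constructed MACs
        "bump_only_ip": src("192.168.1.3", "192.168.1.4"),
        "bump_only_mac": arp("00:11:22:33:44:03", "00:11:22:33:44:04"),     # constructed MACs
        "active_use": annotate_client("active", "true"),
        "activated": note("active", "true"),
    }


# "before": one ssl_bump line per list (peek step1 omitted; this models the later step)
BEFORE_RULES = [
    ("terminate", ["SSL_Intercept_Terminate"]),
    ("splice", ["https_login", "active_use"]),
    ("splice", ["splice_only_mac", "splice_only_ip", "active_use"]),
    ("splice", ["NoBumpDNS", "active_use"]),
    ("splice", ["NoSSLIntercept", "active_use"]),
    ("bump", ["bump_only_mac", "bump_only_ip", "active_use"]),
    ("terminate", ["!activated"]),           # catch-all: anything not spliced or bumped is terminated
]

# "after": the same logic folded into all-of / any-of ACLs
AFTER_ACLS = {
    "splice_group": any_of("https_login", "NoBumpDNS", "NoSSLIntercept"),
    "splice_only_local_group": all_of("splice_only_mac", "splice_only_ip"),
    "splice_main": any_of("splice_group", "splice_only_local_group"),
    "bump_main": all_of("bump_only_mac", "bump_only_ip"),
}
AFTER_RULES = [
    ("terminate", ["SSL_Intercept_Terminate"]),
    ("splice", ["splice_main", "active_use"]),
    ("bump", ["bump_main", "active_use"]),
    ("terminate", ["!activated"]),
]


def decide(version, ip, mac, sni):
    """Return (action, leaf-evaluation order) for one connection under 'before' or 'after'."""
    acls = base_acls()
    if version == "after":
        acls.update(AFTER_ACLS)
    rules = AFTER_RULES if version == "after" else BEFORE_RULES
    return ssl_bump_decision(rules, acls, Conn(ip, mac, sni))


# Constructed sample connections: (ip, mac, sni)
SAMPLES = [
    ("192.168.1.8", "00:11:22:33:44:08", "www.example.com"),          # splice-only host
    ("192.168.1.3", "00:11:22:33:44:03", "www.example.com"),          # bump-only host
    ("192.168.1.3", "00:11:22:33:44:08", "www.example.com"),          # bump IP claimed from the wrong MAC
    ("192.168.1.50", "00:11:22:33:44:50", "api.pinned.example"),      # unknown host, pinned service
    ("192.168.1.50", "00:11:22:33:44:50", "www.example.com"),         # unknown host, ordinary site
    ("192.168.1.8", "00:11:22:33:44:08", "login.blocked.example"),    # blocked domain
]


def same_decisions(samples=SAMPLES):
    """True when both configurations make the same ssl_bump decision for every sample."""
    return all(decide("before", *s)[0] == decide("after", *s)[0] for s in samples)


if __name__ == "__main__":
    for s in SAMPLES:
        before, after = decide("before", *s), decide("after", *s)
        print(f"{s[0]:14} {s[2]:22} before={before[0]:9} after={after[0]:9} "
              f"leaf evals before/after: {len(before[1])}/{len(after[1])}")
    print("identical decisions:", same_decisions())
```

Two things worth noticing when you run it. The third sample (a bump-list IP presented from a splice-list MAC) is terminated by both configurations, which is exactly what the all-of MAC+IP pairing buys over an IP-only ACL; and for the first sample the "before" list consults five leaf ACLs while the "after" list consults seven, because splice_main tries the whole splice_group (the B and C of Alex's reply) before it reaches the MAC+IP pair (his D and E). Whether that costs anything real depends on how often each list matches in your traffic, as his reply says.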
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.