The Squid Team are pleased to announce the release of Squid-3.1.5.1
+The Squid Team are pleased to announce the release of Squid-3.1.6
This new release is available for download from http://www.squid-cache.org/Versions/v3/3.1/ or the mirrors.
@@ -85,11 +85,12 @@Although this release is deemed good enough for use in many setups, please note the existence of open bugs against Squid-3.1.
-Some issues to note as currently known in this release which are not able to be fixed in this 3.1 series are:
+Some issues to note as currently known in this release which are not able to be fixed in the 3.1 series are:
When one of these Squid-3.X.0.Z packages passes our bug-free standards a 3.X.Y numbered release will be made.
+When one of these Squid-3.X.0.Z packages passes those criteria a 3.X.Y numbered release will be made.
We can only hope enough testing has been done to consider these ready for production use. As always we are fully dependent on people testing the previous packages and reporting all bugs.
@@ -182,7 +183,7 @@squid.conf has undergone a facelift.
Don't worry, few operational changes have been made. -Older configs from Squdi 2.x and 3.0 are still expected to run in 3.1 with only the usual minor +Older configs from Squid 2.x and 3.0 are still expected to run in 3.1 with only the usual minor changes seen between major release. Details on those are listed below.
New users will be relieved to see a very short squid.conf on clean installs. @@ -231,8 +232,16 @@
In this release there is incomplete split-stack support. This means that OS which do not provide -IP stacks based on the KAME stack with Hybrid extensions to do IPv4-mapping cannot use IPv6 -with Squid.
+IP stacks based on the KAME stack with Hybrid extensions to do IPv4-mapping cannot use full IPv6 +with Squid. From 3.1.6 the automatic capability detection will enable these abilities: +NOTE: SNMP, ICP and HTCP are not yet opening double ports so they will only run as IPv4-only or IPv6-only.
Specify a specific tcp_outgoing_address and the clients who match its ACL are limited to the IPv4 or IPv6 network that address belongs to. They are not permitted over the @@ -241,12 +250,12 @@ See the squid.conf documentation for further details.
WCCP is not available (neither version 1 or 2). -It remains built into squid for use with IPv4 traffic but IPv6 cannot use it.
+It remains built into Squid for use with IPv4 traffic but IPv6 cannot use it.Pseudo-Transparent Interception is done via NAT at the OS level and is not available in IPv6. Squid will ensure that any port set with transparent or intercept options be an IPv4-only listening address. Wildcard can still be used but will not open as an IPv6. -To ensure that squid can accept IPv6 traffic on its default port, an alternative should +To ensure that Squid can accept IPv6 traffic on its default port, an alternative should be chosen to handle transparently intercepted traffic.
http_port 3128
@@ -274,7 +283,7 @@
Localization
-The error pages presented by squid may now be localized per-request to match the visitors local preferred language.
+The error pages presented by Squid may now be localized per-request to match the visitors local preferred language.
The error_directory option in squid.conf needs to be removed.
@@ -282,7 +291,7 @@
Updates can be downloaded from
www.squid-cache.org/Versions/langpack/
-The squid developers are interested in making squid available in a wide variety of languages.
+
The Squid developers are interested in making Squid available in a wide variety of languages.
Contribution of new languages is encouraged.
CSS Stylesheet controls
@@ -457,8 +466,9 @@
Squid-2 contained a hack using the update_http0.9 squid.conf option to work around the
unusual replies. This option is now obsolete.
-The proto ACL type matches ICY once the reply has been received, before that the processing
-is only aware on an HTTP request. So the ACL will match HTTP.
+The proto ACL type only matches ICY once the reply has been received, before that the processing
+is only aware on an HTTP request. So the ACL will match HTTP in http_access and ICY in
+http_reply_access.
3. Changes to squid.conf since Squid-3.0
@@ -672,21 +682,21 @@
New option to prevent squid from always looking up IPv4 regardless of whether IPv6 addresses are found. +
New option to prevent Squid from always looking up IPv4 regardless of whether IPv6 addresses are found. Squid will follow a policy of prefering IPv6 links, keeping the IPv4 only as a safety net behind IPv6.
Standard practice with DNS is to lookup either A or AAAA records
and use the results if it succeeds. Only looking up the other if
the first attempt fails or otherwise produces no results.
- That policy however will cause squid to produce error pages for some
+ That policy however will cause Squid to produce error pages for some
servers that advertise AAAA but are unreachable over IPv6.
- If this is ON squid will always lookup both AAAA and A, using both.
- If this is OFF squid will lookup AAAA and only try A if none found.
+ If this is ON Squid will always lookup both AAAA and A, using both.
+ If this is OFF Squid will lookup AAAA and only try A if none found.
WARNING: There are some possibly unwanted side-effects with this on:
- *) Doubles the load placed by squid on the DNS network.
+ *) Doubles the load placed by Squid on the DNS network.
*) May negatively impact connection delay times.
@@ -730,7 +740,7 @@
New option to replace the old configure option --enable-default-err-language New translations can be downloaded from http://www.squid-cache.org/Versions/langpack/
- Set the default language which squid will send error pages in
+ Set the default language which Squid will send error pages in
if no existing translation matches the clients language
preferences.
@@ -828,7 +838,7 @@
translation of the data portion of the segments will never be needed.
When a client only expects to do two-way FTP transfers this may be useful.
- If squid finds that it must do a three-way FTP transfer after issuing
+ If Squid finds that it must do a three-way FTP transfer after issuing
an EPSV ALL command, the FTP session will fail.
If you have any doubts about this option do not use it.
@@ -961,7 +971,7 @@
options are order-specific within the config as a whole.
A few layers of include are allowed, but too many are confusing and
- squid will enforce an include depth of 16 files.
+ Squid will enforce an include depth of 16 files.
Syntax:
include /path/to/file1 /path/to/file2
@@ -1145,14 +1155,14 @@
SMB LanManager authentication through the NTLM interface without the need for a domain controller. Thus the
new name is ntlm_smb_lm_auth.
WARNING: due to the name clash with Samba helper, admin should be careful to only update their squid.conf if the
-squid bundled binary is used and needed. If the Samba helper is in use, the squid.conf should not be altered.
+Squid bundled binary is used and needed. If the Samba helper is in use, the squid.conf should not be altered.
The previous default behavour (rotate per-request) of this setting causes failover clashes with IPv6 built-in mechanisms. It has thus been turned off by default. Making the 'best choice' IP continue in use for any hostname until it encounters a connection failure and failover drops to the next known IP.
- Modern IP resolvers in squid sort lookup results by preferred access.
- By default squid will use these IP in order and only rotates to
+ Modern IP resolvers in Squid sort lookup results by preferred access.
+ By default Squid will use these IP in order and only rotates to
the next listed when the most preffered fails.
Some load balancing servers based on round robin DNS have been
@@ -1235,7 +1245,7 @@
New options 'ipv4' and 'ipv6' are added to set the IPv4/v6 protocol between squid and its helpers. +
New options 'ipv4' and 'ipv6' are added to set the IPv4/v6 protocol between Squid and its helpers. Please be aware of some limits to these options. These options only affet the transport protocol used to send data to and from the helpers. Squid in IPv6-mode may still send %SRC addresses in IPv4 or IPv6 format, so all helpers will need to be checked and converted to cope with such information cleanly. @@ -1581,7 +1591,7 @@ This only affects the building process, enabling it to complete despite some possibly serious issues. Please do not use lightly, and please report the build issues which make it needed -to the squid developers before doing so.
+to the Squid developers before doing so.Prevent Squid generating localized error page templates and manuals when built. @@ -1613,7 +1623,7 @@ Use --without-libxml2 to prevent it being auto-detected.
Allow build-time configuration of Default location for squid logs.
+Allow build-time configuration of Default location for Squid logs.
Allow build-time configuration of Default location and name of squid.pid file.
@@ -1640,7 +1650,7 @@This option now enables support for all three netfilter interception targets.
-Adding TPROXY version 4+ support to squid through the netfilter TPROXY target. +
Adding TPROXY version 4+ support to Squid through the netfilter TPROXY target. This options requires a linux kernel 2.6.25 or later for embeded netfilter TPROXY targets.
Older REDIRECT and DNAT targets work as before on HTTP ports marked 'intercept'.
diff -u -r -N squid-3.1.5.1/src/access_log.cc squid-3.1.6/src/access_log.cc --- squid-3.1.5.1/src/access_log.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/access_log.cc 2010-08-02 02:01:39.000000000 +1200 @@ -839,13 +839,13 @@ break; case LFT_ICAP_BYTES_SENT: - outint = al->icap.bytesSent; - doint = 1; + outoff = al->icap.bytesSent; + dooff = 1; break; case LFT_ICAP_BYTES_READ: - outint = al->icap.bytesRead; - doint = 1; + outoff = al->icap.bytesRead; + dooff = 1; break; case LFT_ICAP_REQ_HEADER: @@ -1133,6 +1133,7 @@ case LFT_REPLY_SIZE_HEADERS: outint = al->cache.replyHeadersSize; doint = 1; + break; /*case LFT_REPLY_SIZE_BODY: */ /*case LFT_REPLY_SIZE_BODY_NO_TE: */ diff -u -r -N squid-3.1.5.1/src/cf.data.pre squid-3.1.6/src/cf.data.pre --- squid-3.1.5.1/src/cf.data.pre 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/cf.data.pre 2010-08-02 02:01:38.000000000 +1200 @@ -1177,9 +1177,9 @@ the port specification (port or addr:port) tcpkeepalive[=idle,interval,timeout] - Enable TCP keepalive probes of idle connections - idle is the initial time before TCP starts probing - the connection, interval how often to probe, and + Enable TCP keepalive probes of idle connections. + In seconds; idle is the initial time before TCP starts + probing the connection, interval how often to probe, and timeout the time before giving up. If you run Squid on a dual-homed machine with an internal @@ -6320,7 +6320,7 @@ NAME: memory_pools_limit COMMENT: (bytes) -TYPE: b_size_t +TYPE: b_int64_t DEFAULT: 5 MB LOC: Config.MemPools.limit DOC_START @@ -6339,7 +6339,7 @@ will be no limit on the total amount of memory used for safe-keeping. To disable memory allocation optimization, do not set - memory_pools_limit to 0. Set memory_pools to "off" instead. + memory_pools_limit to 0 or none. Set memory_pools to "off" instead. An overhead for maintaining memory pools is not taken into account when the limit is checked. This overhead is close to four bytes per diff -u -r -N squid-3.1.5.1/src/client_side.cc squid-3.1.6/src/client_side.cc --- squid-3.1.5.1/src/client_side.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/client_side.cc 2010-08-02 02:01:37.000000000 +1200 @@ -2425,7 +2425,8 @@ request->setContentLength(conn->in.dechunked.contentSize()); request->header.delById(HDR_TRANSFER_ENCODING); conn->finishDechunkingRequest(hp); - } + } else + conn->cleanDechunkingRequest(); unsupportedTe = tePresent && !deChunked; if (!urlCheckRequest(request) || unsupportedTe) { @@ -3655,9 +3656,6 @@ debugs(33, 5, HERE << "finish dechunking; content: " << in.dechunked.contentSize()); assert(in.dechunkingState == chunkReady); - assert(in.bodyParser); - delete in.bodyParser; - in.bodyParser = NULL; const mb_size_t headerSize = HttpParserRequestLen(hp); @@ -3679,8 +3677,19 @@ in.notYetUsed = end - in.buf; - in.chunked.clean(); - in.dechunked.clean(); + cleanDechunkingRequest(); +} + +/// cleanup dechunking state, get ready for the next request +void +ConnStateData::cleanDechunkingRequest() +{ + if (in.dechunkingState > chunkNone) { + delete in.bodyParser; + in.bodyParser = NULL; + in.chunked.clean(); + in.dechunked.clean(); + } in.dechunkingState = chunkUnknown; } diff -u -r -N squid-3.1.5.1/src/client_side.h squid-3.1.6/src/client_side.h --- squid-3.1.5.1/src/client_side.h 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/client_side.h 2010-08-02 02:01:38.000000000 +1200 @@ -268,6 +268,7 @@ void startDechunkingRequest(HttpParser *hp); bool parseRequestChunks(HttpParser *hp); void finishDechunkingRequest(HttpParser *hp); + void cleanDechunkingRequest(); private: int connReadWasError(comm_err_t flag, int size, int xerrno); diff -u -r -N squid-3.1.5.1/src/comm.cc squid-3.1.6/src/comm.cc --- squid-3.1.5.1/src/comm.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/comm.cc 2010-08-02 02:01:37.000000000 +1200 @@ -1878,8 +1878,8 @@ int flags; int dummy = 0; - if ((flags = fcntl(fd, F_GETFL, dummy)) < 0) { - debugs(50, 0, "FD " << fd << ": fcntl F_GETFL: " << xstrerror()); + if ((flags = fcntl(fd, F_GETFD, dummy)) < 0) { + debugs(50, 0, "FD " << fd << ": fcntl F_GETFD: " << xstrerror()); return; } diff -u -r -N squid-3.1.5.1/src/forward.cc squid-3.1.6/src/forward.cc --- squid-3.1.5.1/src/forward.cc 2010-07-28 20:10:05.000000000 +1200 +++ squid-3.1.6/src/forward.cc 2010-08-02 02:01:37.000000000 +1200 @@ -47,6 +47,7 @@ #include "Store.h" #include "icmp/net_db.h" #include "ip/IpIntercept.h" +#include "ip/tools.h" static PSC fwdStartCompleteWrapper; static PF fwdServerClosedWrapper; @@ -867,6 +868,24 @@ outgoing = getOutgoingAddr(request, fs->_peer); + // if IPv6 is disabled try to force IPv4-only outgoing. + if (!Ip::EnableIpv6 && !outgoing.SetIPv4()) { + debugs(50, 4, "fwdConnectStart: " << xstrerror()); + ErrorState *anErr = errorCon(ERR_CONNECT_FAIL, HTTP_SERVICE_UNAVAILABLE, request); + anErr->xerrno = errno; + fail(anErr); + self = NULL; // refcounted + return; + } + + // if IPv6 is split-stack, prefer IPv4 + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK) { + // NP: This is not a great choice of default, + // but with the current Internet being IPv4-majority has a higher success rate. + // if setting to IPv4 fails we dont care, that just means to use IPv6 outgoing. + outgoing.SetIPv4(); + } + tos = getOutgoingTOS(request); debugs(17, 3, "fwdConnectStart: got outgoing addr " << outgoing << ", tos " << tos); diff -u -r -N squid-3.1.5.1/src/htcp.cc squid-3.1.6/src/htcp.cc --- squid-3.1.5.1/src/htcp.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/htcp.cc 2010-08-02 02:01:38.000000000 +1200 @@ -37,6 +37,7 @@ #include "htcp.h" #include "acl/FilledChecklist.h" #include "acl/Acl.h" +#include "ip/tools.h" #include "SquidTime.h" #include "Store.h" #include "StoreClient.h" @@ -1493,6 +1494,15 @@ IpAddress incomingAddr = Config.Addrs.udp_incoming; incomingAddr.SetPort(Config.Port.htcp); + if (!Ip::EnableIpv6 && !incomingAddr.SetIPv4()) { + debugs(31, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << incomingAddr << " is not an IPv4 address."); + fatal("HTCP port cannot be opened."); + } + /* split-stack for now requires default IPv4-only HTCP */ + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && incomingAddr.IsAnyAddr()) { + incomingAddr.SetIPv4(); + } + enter_suid(); htcpInSocket = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, @@ -1512,6 +1522,15 @@ IpAddress outgoingAddr = Config.Addrs.udp_outgoing; outgoingAddr.SetPort(Config.Port.htcp); + if (!Ip::EnableIpv6 && !outgoingAddr.SetIPv4()) { + debugs(31, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << outgoingAddr << " is not an IPv4 address."); + fatal("HTCP port cannot be opened."); + } + /* split-stack for now requires default IPv4-only HTCP */ + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && outgoingAddr.IsAnyAddr()) { + outgoingAddr.SetIPv4(); + } + enter_suid(); htcpOutSocket = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, diff -u -r -N squid-3.1.5.1/src/http.h squid-3.1.6/src/http.h --- squid-3.1.5.1/src/http.h 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/http.h 2010-08-02 02:01:39.000000000 +1200 @@ -70,7 +70,7 @@ http_state_flags flags; size_t read_sz; int header_bytes_read; // to find end of response, - int reply_bytes_read; // without relying on StoreEntry + int64_t reply_bytes_read; // without relying on StoreEntry int body_bytes_truncated; // positive when we read more than we wanted MemBuf *readBuf; bool ignoreCacheControl; diff -u -r -N squid-3.1.5.1/src/icp_v2.cc squid-3.1.6/src/icp_v2.cc --- squid-3.1.5.1/src/icp_v2.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/icp_v2.cc 2010-08-02 02:01:37.000000000 +1200 @@ -48,6 +48,7 @@ #include "SwapDir.h" #include "icmp/net_db.h" #include "ip/IpAddress.h" +#include "ip/tools.h" #include "rfc1738.h" /// \ingroup ServerProtocolICPInternal2 @@ -665,6 +666,16 @@ addr = Config.Addrs.udp_incoming; addr.SetPort(port); + + if (!Ip::EnableIpv6 && !addr.SetIPv4()) { + debugs(12, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << addr << " is not an IPv4 address."); + fatal("ICP port cannot be opened."); + } + /* split-stack for now requires default IPv4-only ICP */ + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && addr.IsAnyAddr()) { + addr.SetIPv4(); + } + theInIcpConnection = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, addr, @@ -691,6 +702,16 @@ if ( !addr.IsNoAddr() ) { enter_suid(); addr.SetPort(port); + + if (!Ip::EnableIpv6 && !addr.SetIPv4()) { + debugs(49, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << addr << " is not an IPv4 address."); + fatal("ICP port cannot be opened."); + } + /* split-stack for now requires default IPv4-only ICP */ + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && addr.IsAnyAddr()) { + addr.SetIPv4(); + } + theOutIcpConnection = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, addr, diff -u -r -N squid-3.1.5.1/src/ip/tools.cc squid-3.1.6/src/ip/tools.cc --- squid-3.1.5.1/src/ip/tools.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/ip/tools.cc 2010-08-02 02:01:37.000000000 +1200 @@ -65,9 +65,7 @@ EnableIpv6 |= IPV6_SPECIAL_V4MAPPING; } else { debugs(3, 2, "Detected split IPv4 and IPv6 stacks ..."); - // EnableIpv6 |= IPV6_SPECIAL_SPLITSTACK; - // TODO: remove death when split-stack is supported. - EnableIpv6 = IPV6_OFF; + EnableIpv6 |= IPV6_SPECIAL_SPLITSTACK; } close(s); diff -u -r -N squid-3.1.5.1/src/mem.cc squid-3.1.6/src/mem.cc --- squid-3.1.5.1/src/mem.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/mem.cc 2010-08-02 02:01:39.000000000 +1200 @@ -346,7 +346,7 @@ void memConfigure(void) { - ssize_t new_pool_limit; + int64_t new_pool_limit; /** Set to configured value first */ if (!Config.onoff.mem_pools) diff -u -r -N squid-3.1.5.1/src/snmp_core.cc squid-3.1.6/src/snmp_core.cc --- squid-3.1.5.1/src/snmp_core.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/snmp_core.cc 2010-08-02 02:01:37.000000000 +1200 @@ -286,6 +286,17 @@ if (Config.Port.snmp > 0) { Config.Addrs.snmp_incoming.SetPort(Config.Port.snmp); + + if (!Ip::EnableIpv6 && !Config.Addrs.snmp_incoming.SetIPv4()) { + debugs(49, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << Config.Addrs.snmp_incoming << " is not an IPv4 address."); + fatal("SNMP port cannot be opened."); + } + + /* split-stack for now requires IPv4-only SNMP */ + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && Config.Addrs.snmp_incoming.IsAnyAddr()) { + Config.Addrs.snmp_incoming.SetIPv4(); + } + enter_suid(); theInSnmpConnection = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, @@ -303,6 +314,17 @@ if (!Config.Addrs.snmp_outgoing.IsNoAddr()) { Config.Addrs.snmp_outgoing.SetPort(Config.Port.snmp); + + if (!Ip::EnableIpv6 && !Config.Addrs.snmp_outgoing.SetIPv4()) { + debugs(49, DBG_CRITICAL, "ERROR: IPv6 is disabled. " << Config.Addrs.snmp_outgoing << " is not an IPv4 address."); + fatal("SNMP port cannot be opened."); + } + + /* split-stack for now requires IPv4-only SNMP */ + if (Ip::EnableIpv6&IPV6_SPECIAL_SPLITSTACK && Config.Addrs.snmp_outgoing.IsAnyAddr()) { + Config.Addrs.snmp_outgoing.SetIPv4(); + } + enter_suid(); theOutSnmpConnection = comm_open_listener(SOCK_DGRAM, IPPROTO_UDP, diff -u -r -N squid-3.1.5.1/src/structs.h squid-3.1.6/src/structs.h --- squid-3.1.5.1/src/structs.h 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/structs.h 2010-08-02 02:01:37.000000000 +1200 @@ -530,7 +530,7 @@ } retry; struct { - size_t limit; + int64_t limit; } MemPools; #if DELAY_POOLS diff -u -r -N squid-3.1.5.1/src/stub_debug.cc squid-3.1.6/src/stub_debug.cc --- squid-3.1.5.1/src/stub_debug.cc 2010-07-28 20:10:04.000000000 +1200 +++ squid-3.1.6/src/stub_debug.cc 2010-08-02 02:01:37.000000000 +1200 @@ -5,6 +5,10 @@ #include "config.h" #include "Debug.h" +#if HAVE_STDIO_H +#include