net-proxy/squid: add 6.9

Fix some gcc-14 compilation issues, add upstream memleak fix patch, init script & logrotate/cron fixes. Closes: https://bugs.gentoo.org/932742 Closes: https://bugs.gentoo.org/931123 Closes: https://bugs.gentoo.org/932744 Closes: https://bugs.gentoo.org/932750 Signed-off-by: Hank Leininger <hlein@korelogic.com> Closes: https://github.com/gentoo/gentoo/pull/36815 Signed-off-by: Joonas Niilola <juippis@gentoo.org>
author: Hank Leininger <hlein@korelogic.com> 2024-05-25 11:44:57 -0600
committer: Joonas Niilola <juippis@gentoo.org> 2024-07-03 16:26:37 +0300
commit: e3a9968929b0dbb164a56bcb18db0a5a86839a78 (patch)
tree: 5f8e770aca24a0fef7a28f5c2e7b6a27eb508c88 /net-proxy
parent: net-proxy/squid: drop 6.5 (diff)
download: gentoo-e3a9968929b0dbb164a56bcb18db0a5a86839a78.tar.gz
gentoo-e3a9968929b0dbb164a56bcb18db0a5a86839a78.tar.bz2
gentoo-e3a9968929b0dbb164a56bcb18db0a5a86839a78.zip
6 files changed, 1115 insertions, 0 deletions
diff --git a/net-proxy/squid/Manifest b/net-proxy/squid/Manifest
index 320eecdf2f0e..e577ed2f01bb 100644
--- a/net-proxy/squid/Manifest
+++ b/net-proxy/squid/Manifest
@@ -2,3 +2,5 @@ DIST squid-6.6.tar.xz 2554824 BLAKE2B 7c3c96f5cd5f819f6f020fb3e63ee8d9bb26b7fb4f
 DIST squid-6.6.tar.xz.asc 1193 BLAKE2B c37a400c51c30de35c6fe52123389c134d05670a36b1ffae4d67e7d06981bbf94788343daf2fdeafb782d464a977ee31bc601e3b1b92b45cd40ba6a6725b9a16 SHA512 08550569759c403a1a9747d08ea7055751fbf251355691074f6d09baca76a0987c5dff36e1f01b64edd446d568c7244b14124f6f8a1b19ccfc30293eed83a297
 DIST squid-6.7.tar.xz 2427468 BLAKE2B 0cd892213085326d1f4cc065778d95d74c03edaaf98b839b4422397fdcd449716b022e74adcbac636ca98e9d5c45a8f7aa156c3edc9f306fb13fc5cc21125dd6 SHA512 6221437056c600119fe9ff1ceeeaa9955cf9f21df481ad29a3515f8439a41b779d51f37b820b75641d0d4d6de54554f6f924dbd347834bf4a6ad6b5b317084a0
 DIST squid-6.7.tar.xz.asc 646 BLAKE2B 6d4e6075b261f54269577fc31b28e7cb74b835c851741542c322b226d29325128cdbaadd156070e9fe6c5af5c33149c78f71b01272934a62676e08f3f75f8628 SHA512 4a1f9d123ce6b5a600d9d2dd3af95a7ce98bfe28ba42d1281ab1f3d7f220f8738a4320afb85eeba1bf9d31e722ffaccd2d89cbefcd11e6b6ea31fe237ccf9a8c
+DIST squid-6.9.tar.xz 2557992 BLAKE2B cac10d3a16fe31a9becfcd0fc278413d53c52285cdca9ece897ca4e3a0e50806e186960091f9050243180996382c6b5209360d9fff249d26b20d1e529285a038 SHA512 2666551caca39fa6ca49b56b537645dd043ee0c99b805c433cf714172e6062590fd6ed942043df1a3b543f30c039f3ab701493187dc6a0a4a8311217417c366e
+DIST squid-6.9.tar.xz.asc 646 BLAKE2B fafa49d40af849103d04c0f07e19e5b9007306ba0f85bcabed761b53f94015aefc65ec2035963c95fd938cb04dfdb878363fcf5150a06889b563fa48922ef289 SHA512 ccd053476e91544bf797cf38a7e57acdc1c02c1edb2804230f061d9b24abbbd2e06abbaaa0fe2b209951631c0369510f60f0b7137fe950f3ccf59e8a212bc0fa
diff --git a/net-proxy/squid/files/squid-6.9-memleak_fix.patch b/net-proxy/squid/files/squid-6.9-memleak_fix.patch
new file mode 100644
index 000000000000..797489ac4136
--- /dev/null
+++ b/net-proxy/squid/files/squid-6.9-memleak_fix.patch
@@ -0,0 +1,563 @@
+Backport of fixes in master/v7
+
+https://bugs.squid-cache.org/show_bug.cgi?id=5322
+https://bugs.squid-cache.org/attachment.cgi?id=3891
+diff -aurN a/src/AclRegs.cc b/src/AclRegs.cc
+--- a/src/AclRegs.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/AclRegs.cc	2024-05-02 14:39:02.842264552 +0300
+@@ -130,8 +130,8 @@
+     RegisterMaker("dstdom_regex", [](TypeName name)->ACL* { return new ACLStrategised<char const *>(new ACLRegexData, new ACLDestinationDomainStrategy, name); });
+     RegisterMaker("dst", [](TypeName)->ACL* { return new ACLDestinationIP; }); // XXX: Add name parameter to ctor
+     RegisterMaker("hier_code", [](TypeName name)->ACL* { return new ACLStrategised<hier_code>(new ACLHierCodeData, new ACLHierCodeStrategy, name); });
+-    RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised<HttpHeader*>(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); });
+-    RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised<HttpHeader*>(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); });
++    RegisterMaker("rep_header", [](TypeName name)->ACL* { return new ACLStrategised<const HttpHeader &>(new ACLHTTPHeaderData, new ACLHTTPRepHeaderStrategy, name); });
++    RegisterMaker("req_header", [](TypeName name)->ACL* { return new ACLStrategised<const HttpHeader &>(new ACLHTTPHeaderData, new ACLHTTPReqHeaderStrategy, name); });
+     RegisterMaker("http_status", [](TypeName name)->ACL* { return new ACLHTTPStatus(name); });
+     RegisterMaker("maxconn", [](TypeName name)->ACL* { return new ACLMaxConnection(name); });
+     RegisterMaker("method", [](TypeName name)->ACL* { return new ACLStrategised<HttpRequestMethod>(new ACLMethodData, new ACLMethodStrategy, name); });
+diff -aurN a/src/DelayId.cc b/src/DelayId.cc
+--- a/src/DelayId.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/DelayId.cc	2024-05-02 13:14:06.529560559 +0300
+@@ -87,10 +87,7 @@
+ 
+         ACLFilledChecklist ch(DelayPools::delay_data[pool].access, r, nullptr);
+         clientAclChecklistFill(ch, http);
+-        if (!ch.reply && reply) {
+-            ch.reply = reply;
+-            HTTPMSGLOCK(reply);
+-        }
++	ch.updateReply(reply);
+         // overwrite ACLFilledChecklist acl_uses_indirect_client-based decision
+ #if FOLLOW_X_FORWARDED_FOR
+         if (Config.onoff.delay_pool_uses_indirect_client)
+diff -aurN a/src/HttpHeaderTools.cc b/src/HttpHeaderTools.cc
+--- a/src/HttpHeaderTools.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/HttpHeaderTools.cc	2024-05-02 13:15:05.133567028 +0300
+@@ -289,11 +289,7 @@
+ 
+     ACLFilledChecklist checklist(hm->access_list, request, nullptr);
+ 
+-    checklist.al = al;
+-    if (al && al->reply) {
+-        checklist.reply = al->reply.getRaw();
+-        HTTPMSGLOCK(checklist.reply);
+-    }
++    checklist.updateAle(al);
+ 
+     // XXX: The two "It was denied" clauses below mishandle cases with no
+     // matching rules, violating the "If no rules within the set have matching
+@@ -489,11 +485,7 @@
+ {
+     ACLFilledChecklist checklist(nullptr, request, nullptr);
+ 
+-    checklist.al = al;
+-    if (al && al->reply) {
+-        checklist.reply = al->reply.getRaw();
+-        HTTPMSGLOCK(checklist.reply);
+-    }
++    checklist.updateAle(al);
+ 
+     for (HeaderWithAclList::const_iterator hwa = headersAdd.begin(); hwa != headersAdd.end(); ++hwa) {
+         if (!hwa->aclList || checklist.fastCheck(hwa->aclList).allowed()) {
+diff -aurN a/src/HttpReply.cc b/src/HttpReply.cc
+--- a/src/HttpReply.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/HttpReply.cc	2024-05-02 13:15:39.572584896 +0300
+@@ -596,8 +596,7 @@
+ 
+     ACLFilledChecklist ch(nullptr, &request, nullptr);
+     // XXX: cont-cast becomes irrelevant when checklist is HttpReply::Pointer
+-    ch.reply = const_cast<HttpReply *>(this);
+-    HTTPMSGLOCK(ch.reply);
++    ch.updateReply(this);
+     for (AclSizeLimit *l = Config.ReplyBodySize; l; l = l -> next) {
+         /* if there is no ACL list or if the ACLs listed match use this size value */
+         if (!l->aclList || ch.fastCheck(l->aclList).allowed()) {
+diff -aurN a/src/Notes.cc b/src/Notes.cc
+--- a/src/Notes.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/Notes.cc	2024-05-02 13:54:09.664336645 +0300
+@@ -70,11 +70,9 @@
+ Note::match(HttpRequest *request, HttpReply *reply, const AccessLogEntry::Pointer &al, SBuf &matched)
+ {
+     ACLFilledChecklist ch(nullptr, request, nullptr);
+-    ch.al = al;
+-    ch.reply = reply;
++    ch.updateAle(al);
++    ch.updateReply(reply);
+     ch.syncAle(request, nullptr);
+-    if (reply)
+-        HTTPMSGLOCK(ch.reply);
+ 
+     for (const auto &v: values) {
+         assert(v->aclList);
+diff -aurN a/src/acl/ConnectionsEncrypted.cc b/src/acl/ConnectionsEncrypted.cc
+--- a/src/acl/ConnectionsEncrypted.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/ConnectionsEncrypted.cc	2024-05-02 14:11:23.059165031 +0300
+@@ -55,8 +55,8 @@
+ 
+     const bool safeRequest =
+         !(filled->request->sources & Http::Message::srcUnsafe);
+-    const bool safeReply = !filled->reply ||
+-                           !(filled->reply->sources & Http::Message::srcUnsafe);
++    const bool safeReply = !filled->hasReply() ||
++                           !(filled->reply().sources & Http::Message::srcUnsafe);
+ 
+     return (safeRequest && safeReply) ? 1 : 0;
+ }
+diff -aurN a/src/acl/FilledChecklist.cc b/src/acl/FilledChecklist.cc
+--- a/src/acl/FilledChecklist.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/FilledChecklist.cc	2024-05-02 14:07:41.297685699 +0300
+@@ -27,7 +27,6 @@
+ ACLFilledChecklist::ACLFilledChecklist() :
+     dst_rdns(nullptr),
+     request (nullptr),
+-    reply (nullptr),
+ #if USE_AUTH
+     auth_user_request (nullptr),
+ #endif
+@@ -54,8 +53,6 @@
+ 
+     HTTPMSGUNLOCK(request);
+ 
+-    HTTPMSGUNLOCK(reply);
+-
+     cbdataReferenceDone(conn_);
+ 
+     debugs(28, 4, "ACLFilledChecklist destroyed " << this);
+@@ -107,9 +104,9 @@
+         }
+     }
+ 
+-    if (reply && !al->reply) {
++    if (hasReply() && !al->reply) {
+         showDebugWarning("HttpReply object");
+-        al->reply = reply;
++	al->reply = reply_;
+     }
+ 
+ #if USE_IDENT
+@@ -214,7 +211,6 @@
+ ACLFilledChecklist::ACLFilledChecklist(const acl_access *A, HttpRequest *http_request, const char *ident):
+     dst_rdns(nullptr),
+     request(nullptr),
+-    reply(nullptr),
+ #if USE_AUTH
+     auth_user_request(nullptr),
+ #endif
+@@ -268,3 +264,21 @@
+ #endif
+ }
+ 
++void
++ACLFilledChecklist::updateAle(const AccessLogEntry::Pointer &a)
++{
++    if (!a)
++        return;
++
++    al = a; // could have been set already (to a different value)
++    if (!request)
++        setRequest(a->request);
++    updateReply(a->reply);
++}
++
++void
++ACLFilledChecklist::updateReply(const HttpReply::Pointer &r)
++{
++    if (r)
++        reply_ = r; // may already be set, including to r
++}
+diff -aurN a/src/acl/FilledChecklist.h b/src/acl/FilledChecklist.h
+--- a/src/acl/FilledChecklist.h	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/FilledChecklist.h	2024-05-02 13:45:57.773923228 +0300
+@@ -14,6 +14,8 @@
+ #include "acl/forward.h"
+ #include "base/CbcPointer.h"
+ #include "error/forward.h"
++#include "HttpReply.h"
++#include "HttpRequest.h"
+ #include "ip/Address.h"
+ #if USE_AUTH
+ #include "auth/UserRequest.h"
+@@ -42,6 +44,7 @@
+     void setRequest(HttpRequest *);
+     /// configure rfc931 user identity for the first time
+     void setIdent(const char *userIdentity);
++    void updateAle(const AccessLogEntry::Pointer &);
+ 
+ public:
+     /// The client connection manager
+@@ -57,6 +60,14 @@
+ 
+     //int authenticated();
+ 
++    /// response added by updateReply()
++    /// \prec hasReply()
++    const HttpReply &reply() const { return *reply_; }
++
++    /// Remembers the given response (if it is not nil) or does nothing
++    /// (otherwise).
++    void updateReply(const HttpReply::Pointer &);
++
+     bool destinationDomainChecked() const;
+     void markDestinationDomainChecked();
+     bool sourceDomainChecked() const;
+@@ -64,7 +75,7 @@
+ 
+     // ACLChecklist API
+     bool hasRequest() const override { return request != nullptr; }
+-    bool hasReply() const override { return reply != nullptr; }
++    bool hasReply() const override { return reply_ != nullptr; }
+     bool hasAle() const override { return al != nullptr; }
+     void syncAle(HttpRequest *adaptedRequest, const char *logUri) const override;
+     void verifyAle() const override;
+@@ -77,7 +88,6 @@
+     char *dst_rdns;
+ 
+     HttpRequest *request;
+-    HttpReply *reply;
+ 
+     char rfc931[USER_IDENT_SZ];
+ #if USE_AUTH
+@@ -108,6 +118,9 @@
+ private:
+     ConnStateData * conn_;          /**< hack for ident and NTLM */
+     int fd_;                        /**< may be available when conn_ is not */
++
++    HttpReply::Pointer reply_; ///< response added by updateReply() or nil
++
+     bool destinationDomainChecked_;
+     bool sourceDomainChecked_;
+     /// not implemented; will cause link failures if used
+diff -aurN a/src/acl/HttpHeaderData.cc b/src/acl/HttpHeaderData.cc
+--- a/src/acl/HttpHeaderData.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/HttpHeaderData.cc	2024-05-02 13:39:44.260625713 +0300
+@@ -36,20 +36,18 @@
+ }
+ 
+ bool
+-ACLHTTPHeaderData::match(HttpHeader* hdr)
++ACLHTTPHeaderData::match(const HttpHeader &hdr)
+ {
+-    if (hdr == nullptr)
+-        return false;
+ 
+     debugs(28, 3, "aclHeaderData::match: checking '" << hdrName << "'");
+ 
+     String value;
+     if (hdrId != Http::HdrType::BAD_HDR) {
+-        if (!hdr->has(hdrId))
++	if (!hdr.has(hdrId))
+             return false;
+-        value = hdr->getStrOrList(hdrId);
++	value = hdr.getStrOrList(hdrId);
+     } else {
+-        if (!hdr->hasNamed(hdrName, &value))
++	if (!hdr.hasNamed(hdrName, &value))
+             return false;
+     }
+ 
+diff -aurN a/src/acl/HttpHeaderData.h b/src/acl/HttpHeaderData.h
+--- a/src/acl/HttpHeaderData.h	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/HttpHeaderData.h	2024-05-02 13:40:26.326492200 +0300
+@@ -14,14 +14,14 @@
+ #include "sbuf/SBuf.h"
+ #include "SquidString.h"
+ 
+-class ACLHTTPHeaderData : public ACLData<HttpHeader*>
++class ACLHTTPHeaderData: public ACLData<const HttpHeader &>
+ {
+     MEMPROXY_CLASS(ACLHTTPHeaderData);
+ 
+ public:
+     ACLHTTPHeaderData();
+     ~ACLHTTPHeaderData() override;
+-    bool match(HttpHeader* hdr) override;
++    bool match(const HttpHeader &) override;
+     SBufList dump() const override;
+     void parse() override;
+     bool empty() const override;
+diff -aurN a/src/acl/HttpRepHeader.cc b/src/acl/HttpRepHeader.cc
+--- a/src/acl/HttpRepHeader.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/HttpRepHeader.cc	2024-05-02 14:22:13.208427916 +0300
+@@ -13,8 +13,9 @@
+ #include "HttpReply.h"
+ 
+ int
+-ACLHTTPRepHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
++ACLHTTPRepHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist * const ch)
+ {
+-    return data->match (&checklist->reply->header);
++    const auto checklist = Filled(ch);
++    return data->match(checklist->reply().header);
+ }
+ 
+diff -aurN a/src/acl/HttpRepHeader.h b/src/acl/HttpRepHeader.h
+--- a/src/acl/HttpRepHeader.h	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/HttpRepHeader.h	2024-05-02 14:26:12.634833092 +0300
+@@ -14,7 +14,7 @@
+ #include "HttpHeader.h"
+ 
+ /// \ingroup ACLAPI
+-class ACLHTTPRepHeaderStrategy : public ACLStrategy<HttpHeader*>
++class ACLHTTPRepHeaderStrategy : public ACLStrategy<const HttpHeader &>
+ {
+ 
+ public:
+diff -aurN a/src/acl/HttpReqHeader.cc b/src/acl/HttpReqHeader.cc
+--- a/src/acl/HttpReqHeader.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/HttpReqHeader.cc	2024-05-02 14:22:47.381726897 +0300
+@@ -13,8 +13,9 @@
+ #include "HttpRequest.h"
+ 
+ int
+-ACLHTTPReqHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist *checklist)
++ACLHTTPReqHeaderStrategy::match (ACLData<MatchType> * &data, ACLFilledChecklist * const ch)
+ {
+-    return data->match (&checklist->request->header);
++    const auto checklist = Filled(ch);
++    return data->match (checklist->request->header);
+ }
+ 
+diff -aurN a/src/acl/HttpReqHeader.h b/src/acl/HttpReqHeader.h
+--- a/src/acl/HttpReqHeader.h	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/HttpReqHeader.h	2024-05-02 14:26:59.730191970 +0300
+@@ -13,7 +13,7 @@
+ #include "HttpHeader.h"
+ 
+ /// \ingroup ACLAPI
+-class ACLHTTPReqHeaderStrategy : public ACLStrategy<HttpHeader*>
++class ACLHTTPReqHeaderStrategy : public ACLStrategy<const HttpHeader &>
+ {
+ 
+ public:
+diff -aurN a/src/acl/HttpStatus.cc b/src/acl/HttpStatus.cc
+--- a/src/acl/HttpStatus.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/HttpStatus.cc	2024-05-02 13:48:12.200714068 +0300
+@@ -116,7 +116,7 @@
+ int
+ ACLHTTPStatus::match(ACLChecklist *checklist)
+ {
+-    return aclMatchHTTPStatus(&data, Filled(checklist)->reply->sline.status());
++    return aclMatchHTTPStatus(&data, Filled(checklist)->reply().sline.status());
+ }
+ 
+ int
+diff -aurN a/src/acl/ReplyHeaderStrategy.h b/src/acl/ReplyHeaderStrategy.h
+--- a/src/acl/ReplyHeaderStrategy.h	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/ReplyHeaderStrategy.h	2024-05-02 13:48:40.981219348 +0300
+@@ -28,7 +28,7 @@
+ int
+ ACLReplyHeaderStrategy<header>::match (ACLData<char const *> * &data, ACLFilledChecklist *checklist)
+ {
+-    char const *theHeader = checklist->reply->header.getStr(header);
++    char const *theHeader = checklist->reply().header.getStr(header);
+ 
+     if (nullptr == theHeader)
+         return 0;
+diff -aurN a/src/acl/ReplyMimeType.h b/src/acl/ReplyMimeType.h
+--- a/src/acl/ReplyMimeType.h	2024-04-08 08:02:07.000000000 +0300
++++ b/src/acl/ReplyMimeType.h	2024-05-02 13:51:50.684699376 +0300
+@@ -19,7 +19,8 @@
+ inline int
+ ACLReplyHeaderStrategy<Http::HdrType::CONTENT_TYPE>::match(ACLData<char const *> * &data, ACLFilledChecklist *checklist)
+ {
+-    char const *theHeader = checklist->reply->header.getStr(Http::HdrType::CONTENT_TYPE);
++    char const *theHeader = checklist->reply().header.getStr(Http::HdrType::CONTENT_TYPE);
++
+ 
+     if (nullptr == theHeader)
+         theHeader = "";
+diff -aurN a/src/adaptation/AccessCheck.cc b/src/adaptation/AccessCheck.cc
+--- a/src/adaptation/AccessCheck.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/adaptation/AccessCheck.cc	2024-05-02 13:56:05.309606789 +0300
+@@ -131,9 +131,8 @@
+             /* BUG 2526: what to do when r->acl is empty?? */
+             // XXX: we do not have access to conn->rfc931 here.
+             acl_checklist = new ACLFilledChecklist(r->acl, filter.request, dash_str);
+-            if ((acl_checklist->reply = filter.reply))
+-                HTTPMSGLOCK(acl_checklist->reply);
+-            acl_checklist->al = filter.al;
++            acl_checklist->updateAle(filter.al);
++	    acl_checklist->updateReply(filter.reply);
+             acl_checklist->syncAle(filter.request, nullptr);
+             acl_checklist->nonBlockingCheck(AccessCheckCallbackWrapper, this);
+             return;
+diff -aurN a/src/adaptation/icap/Launcher.cc b/src/adaptation/icap/Launcher.cc
+--- a/src/adaptation/icap/Launcher.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/adaptation/icap/Launcher.cc	2024-05-02 13:25:41.483439412 +0300
+@@ -142,8 +142,7 @@
+ 
+     ACLFilledChecklist *cl =
+         new ACLFilledChecklist(TheConfig.repeat, info.icapRequest, dash_str);
+-    cl->reply = info.icapReply;
+-    HTTPMSGLOCK(cl->reply);
++    cl->updateReply(info.icapReply);
+ 
+     bool result = cl->fastCheck().allowed();
+     delete cl;
+diff -aurN a/src/adaptation/icap/icap_log.cc b/src/adaptation/icap/icap_log.cc
+--- a/src/adaptation/icap/icap_log.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/adaptation/icap/icap_log.cc	2024-05-02 13:26:09.810655898 +0300
+@@ -61,10 +61,7 @@
+ {
+     if (IcapLogfileStatus == LOG_ENABLE) {
+         ACLFilledChecklist checklist(nullptr, al->adapted_request, nullptr);
+-        if (al->reply) {
+-            checklist.reply = al->reply.getRaw();
+-            HTTPMSGLOCK(checklist.reply);
+-        }
++	checklist.updateAle(al);
+         accessLogLogTo(Config.Log.icaplogs, al, &checklist);
+     }
+ }
+diff -aurN a/src/auth/UserRequest.cc b/src/auth/UserRequest.cc
+--- a/src/auth/UserRequest.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/auth/UserRequest.cc	2024-05-02 13:26:56.382746257 +0300
+@@ -466,8 +466,7 @@
+ {
+     if (!Auth::TheConfig.schemeLists.empty() && Auth::TheConfig.schemeAccess) {
+         ACLFilledChecklist ch(nullptr, request, nullptr);
+-        ch.reply = rep;
+-        HTTPMSGLOCK(ch.reply);
++	ch.updateReply(rep);
+         const auto answer = ch.fastCheck(Auth::TheConfig.schemeAccess);
+         if (answer.allowed())
+             return Auth::TheConfig.schemeLists.at(answer.kind).authConfigs;
+diff -aurN a/src/client_side.cc b/src/client_side.cc
+--- a/src/client_side.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/client_side.cc	2024-05-02 13:32:24.247196027 +0300
+@@ -446,31 +446,19 @@
+         }
+         // The al->notes and request->notes must point to the same object.
+         al->syncNotes(request);
+-    }
+-
+-    ACLFilledChecklist checklist(nullptr, request, nullptr);
+-    if (al->reply) {
+-        checklist.reply = al->reply.getRaw();
+-        HTTPMSGLOCK(checklist.reply);
+-    }
+-
+-    if (request) {
+         HTTPMSGUNLOCK(al->adapted_request);
+         al->adapted_request = request;
+         HTTPMSGLOCK(al->adapted_request);
+     }
++    ACLFilledChecklist checklist(nullptr, request, nullptr);
++    checklist.updateAle(al);
+     // no need checklist.syncAle(): already synced
+-    checklist.al = al;
+     accessLogLog(al, &checklist);
+ 
+     bool updatePerformanceCounters = true;
+     if (Config.accessList.stats_collection) {
+         ACLFilledChecklist statsCheck(Config.accessList.stats_collection, request, nullptr);
+-        statsCheck.al = al;
+-        if (al->reply) {
+-            statsCheck.reply = al->reply.getRaw();
+-            HTTPMSGLOCK(statsCheck.reply);
+-        }
++	statsCheck.updateAle(al);
+         updatePerformanceCounters = statsCheck.fastCheck().allowed();
+     }
+ 
+@@ -3546,12 +3534,8 @@
+         checklist.setRequest(http->request);
+ 
+     if (!checklist.al && http->al) {
+-        checklist.al = http->al;
++        checklist.updateAle(http->al);
+         checklist.syncAle(http->request, http->log_uri);
+-        if (!checklist.reply && http->al->reply) {
+-            checklist.reply = http->al->reply.getRaw();
+-            HTTPMSGLOCK(checklist.reply);
+-        }
+     }
+ 
+     if (const auto conn = http->getConn())
+diff -aurN a/src/client_side_reply.cc b/src/client_side_reply.cc
+--- a/src/client_side_reply.cc	2024-05-02 14:48:58.863528254 +0300
++++ b/src/client_side_reply.cc	2024-05-02 13:33:55.668212735 +0300
+@@ -843,11 +843,9 @@
+     if (http->flags.internal)
+         return false; // internal content "hits" cannot be blocked
+ 
+-    const auto &rep = http->storeEntry()->mem().freshestReply();
+     {
+         std::unique_ptr<ACLFilledChecklist> chl(clientAclChecklistCreate(Config.accessList.sendHit, http));
+-        chl->reply = const_cast<HttpReply*>(&rep); // ACLChecklist API bug
+-        HTTPMSGLOCK(chl->reply);
++	chl->updateReply(&http->storeEntry()->mem().freshestReply());
+         return !chl->fastCheck().allowed(); // when in doubt, block
+     }
+ }
+@@ -1850,8 +1848,7 @@
+     /** Process http_reply_access lists */
+     ACLFilledChecklist *replyChecklist =
+         clientAclChecklistCreate(Config.accessList.reply, http);
+-    replyChecklist->reply = reply;
+-    HTTPMSGLOCK(replyChecklist->reply);
++    replyChecklist->updateReply(reply);
+     replyChecklist->nonBlockingCheck(ProcessReplyAccessResult, this);
+ }
+ 
+diff -aurN a/src/clients/Client.cc b/src/clients/Client.cc
+--- a/src/clients/Client.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/clients/Client.cc	2024-05-02 13:56:57.931087748 +0300
+@@ -555,9 +555,8 @@
+         // This relatively expensive check is not in StoreEntry::checkCachable:
+         // That method lacks HttpRequest and may be called too many times.
+         ACLFilledChecklist ch(acl, originalRequest().getRaw());
+-        ch.reply = const_cast<HttpReply*>(&entry->mem().freshestReply()); // ACLFilledChecklist API bug
+-        HTTPMSGLOCK(ch.reply);
+-        ch.al = fwd->al;
++	ch.updateAle(fwd->al);
++	ch.updateReply(&entry->mem().freshestReply());
+         if (!ch.fastCheck().allowed()) { // when in doubt, block
+             debugs(20, 3, "store_miss prohibits caching");
+             return true;
+diff -aurN a/src/http/Stream.cc b/src/http/Stream.cc
+--- a/src/http/Stream.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/http/Stream.cc	2024-05-02 13:35:57.062950806 +0300
+@@ -294,8 +294,7 @@
+     for (const auto &pool: MessageDelayPools::Instance()->pools) {
+         if (pool->access) {
+             std::unique_ptr<ACLFilledChecklist> chl(clientAclChecklistCreate(pool->access, http));
+-            chl->reply = rep;
+-            HTTPMSGLOCK(chl->reply);
++	    chl->updateReply(rep);
+             const auto answer = chl->fastCheck();
+             if (answer.allowed()) {
+                 writeQuotaHandler = pool->createBucket();
+diff -aurN a/src/http.cc b/src/http.cc
+--- a/src/http.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/http.cc	2024-05-02 13:35:29.522323694 +0300
+@@ -773,10 +773,9 @@
+     // check whether the 1xx response forwarding is allowed by squid.conf
+     if (Config.accessList.reply) {
+         ACLFilledChecklist ch(Config.accessList.reply, originalRequest().getRaw());
+-        ch.al = fwd->al;
+-        ch.reply = reply;
++	ch.updateAle(fwd->al);
++	ch.updateReply(reply);
+         ch.syncAle(originalRequest().getRaw(), nullptr);
+-        HTTPMSGLOCK(ch.reply);
+         if (!ch.fastCheck().allowed()) // TODO: support slow lookups?
+             return drop1xx("http_reply_access blocked it");
+     }
+diff -aurN a/src/neighbors.cc b/src/neighbors.cc
+--- a/src/neighbors.cc	2024-04-08 08:02:07.000000000 +0300
++++ b/src/neighbors.cc	2024-05-02 13:36:27.203322463 +0300
+@@ -170,11 +170,7 @@
+         return true;
+ 
+     ACLFilledChecklist checklist(p->access, request, nullptr);
+-    checklist.al = ps->al;
+-    if (ps->al && ps->al->reply) {
+-        checklist.reply = ps->al->reply.getRaw();
+-        HTTPMSGLOCK(checklist.reply);
+-    }
++    checklist.updateAle(ps->al);
+     checklist.syncAle(request, nullptr);
+     return checklist.fastCheck().allowed();
+ }
diff --git a/net-proxy/squid/files/squid.cron-r1 b/net-proxy/squid/files/squid.cron-r1
new file mode 100644
index 000000000000..f0fa84ed2cb3
--- /dev/null
+++ b/net-proxy/squid/files/squid.cron-r1
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# OpenRC init script supports multiple Squid instances, and exposes 'rotate'.
+if command -v rc-service >/dev/null; then
+	SQUID_SERVICES=$(rc-status | awk '/ *squid.* started /{print $1}')
+	for SQUID_SERVICE in $SQUID_SERVICES ; do
+		rc-service "${SQUID_SERVICE}" rotate
+	done
+
+# Systemd unit file supports only a single default squid instance,
+# and no 'rotate' support, so call squid directly.
+elif command -v systemctl >/dev/null; then
+	SQUID_ACTIVE=$(systemctl --type=service --state=active | awk '/^ *squid\.service / {print $1}')
+	[ -n "${SQUID_ACTIVE}" ] && squid -k rotate
+fi
diff --git a/net-proxy/squid/files/squid.initd-r7 b/net-proxy/squid/files/squid.initd-r7
new file mode 100644
index 000000000000..7215b774736d
--- /dev/null
+++ b/net-proxy/squid/files/squid.initd-r7
@@ -0,0 +1,133 @@
+#!/sbin/openrc-run
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+SQUID_SVCNAME=$( echo "${RC_SVCNAME}" | tr -cd '[a-zA-Z0-9]' )
+
+extra_started_commands="reload rotate"
+
+depend() {
+	use dns net
+}
+
+_getconfig() {
+	# Make PIDFILE, CHROOTDIR, and CACHE_SWAP visible to other functions
+	local CONFFILES="/etc/squid/${RC_SVCNAME}.conf /etc/squid/${RC_SVCNAME}.include /etc/squid/${RC_SVCNAME}.include.*"
+	if [ ! -f /etc/squid/${RC_SVCNAME}.conf ]; then
+		eerror "You need to create /etc/squid/${RC_SVCNAME}.conf first."
+		eerror "The main configuration file and all included file names should have the following format:"
+		eerror "${CONFFILES}"
+		eerror "An example can be found in /etc/squid/squid.conf.default"
+		return 1
+	fi
+	PIDFILE=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*pid_filename[ \t]+/ { print $2 }')
+	CHROOTDIR=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*chroot[ \t]+/ { print $2 }')
+	if [ -n "${CHROOTDIR}" ] && [ -n "${PIDFILE}" ]; then
+		CHROOTDIR="${CHROOTDIR%/}"
+		PIDFILE="${CHROOTDIR}${PIDFILE}"
+	fi
+	[ -z ${PIDFILE} ] && PIDFILE=/run/squid.pid
+	if [ "${CHROOTDIR}/run/${RC_SVCNAME}.pid" != ${PIDFILE} ]; then
+		eerror "/etc/squid/${RC_SVCNAME}.conf must set pid_filename to"
+		eerror "   /run/${RC_SVCNAME}.pid"
+		if [ -n "${CHROOTDIR}" ]; then
+			eerror "with chrootdir ${CHROOTDIR} set."
+		fi
+		eerror "CAUTION: http_port, cache_dir and *_log parameters must be different than"
+		eerror "         in any other instance of squid."
+		eerror "Make sure the main configuration file and all included file names have the following format:"
+		eerror "${CONFFILES}"
+		return 1
+	fi
+	CACHE_SWAP=$(cat ${CONFFILES} 2>/dev/null 3>/dev/null | awk '/^[ \t]*cache_dir[ \t]+/ { if ( $2 == "rock" ) printf "%s/rock ", $3; else if ( $2 == "coss" ) printf "%s/stripe ", $3; else printf "%s/00 ", $3; }')
+	[ -z "$CACHE_SWAP" ] && CACHE_SWAP="/var/cache/squid/00"
+
+	return 0
+}
+
+checkconfig() {
+	_getconfig || return 1
+	local x
+	for x in $CACHE_SWAP ; do
+		if [ ! -e $x ] ; then
+			ebegin "Initializing cache directory ${x%/*}"
+			local ORIG_UMASK=$(umask)
+			umask 027
+
+			if ! (mkdir -p ${x%/*} && chown squid ${x%/*}) ; then
+				eend 1
+				return 1
+			fi
+
+			local INIT_CACHE_RESPONSE="$(/usr/sbin/squid -z -N -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} 2>&1)"
+			if [ $? != 0 ] || echo "$INIT_CACHE_RESPONSE" | grep -q "erminated abnormally" ; then
+				umask $ORIG_UMASK
+				eend 1
+				echo "$INIT_CACHE_RESPONSE"
+				return 1
+			fi
+
+			umask $ORIG_UMASK
+			eend 0
+			break
+		fi
+	done
+
+	return 0
+}
+
+start() {
+	checkconfig || return 1
+	checkpath -d -q -m 0750 -o squid:squid /run/${RC_SVCNAME}
+
+	# see https://wiki.squid-cache.org/MultipleInstances
+	ebegin "Starting ${RC_SVCNAME} (service name ${SQUID_SVCNAME}) with KRB5_KTNAME=\"${SQUID_KEYTAB}\" /usr/sbin/squid ${SQUID_OPTS} -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	KRB5_KTNAME="${SQUID_KEYTAB}" /usr/sbin/squid ${SQUID_OPTS} -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+	eend $? && sleep 1
+}
+
+stop() {
+	_getconfig || return 1
+	ebegin "Stopping ${RC_SVCNAME} with /usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	if /usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME} ; then
+		if [ "x${SQUID_FAST_SHUTDOWN}" = "xyes" ]; then
+			einfo "Attempting fast shutdown."
+			/usr/sbin/squid -k shutdown -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+		fi
+		# Now we have to wait until squid has _really_ stopped.
+		sleep 1
+		if [ -f ${PIDFILE} ] ; then
+			einfon "Waiting for squid to shutdown ."
+			cnt=0
+			while [ -f ${PIDFILE} ] ; do
+				cnt=$(expr $cnt + 1)
+				if [ $cnt -gt 90 ] ; then
+					# Waited 180 seconds now. Fail.
+					echo
+					eend 1 "Failed."
+					break
+				fi
+				sleep 2
+				printf "."
+			done
+			echo
+		fi
+	else
+		eerror "Squid shutdown failed, probably service is already down."
+	fi
+	eend 0
+}
+
+reload() {
+	checkconfig || return 1
+	ebegin "Reloading ${RC_SVCNAME} with /usr/sbin/squid -k reconfigure -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	/usr/sbin/squid -k reconfigure -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+	eend $?
+}
+
+rotate() {
+	service_started ${RC_SVCNAME} || return 1
+	ebegin "Rotating ${RC_SVCNAME} logs with /usr/sbin/squid -k rotate -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}"
+	/usr/sbin/squid -k rotate -f /etc/squid/${RC_SVCNAME}.conf -n ${SQUID_SVCNAME}
+	eend $?
+}
diff --git a/net-proxy/squid/files/squid.logrotate-r1 b/net-proxy/squid/files/squid.logrotate-r1
new file mode 100644
index 000000000000..03cbca9b5f4a
--- /dev/null
+++ b/net-proxy/squid/files/squid.logrotate-r1
@@ -0,0 +1,11 @@
+/var/log/squid/*.log {
+    copytruncate
+    compress
+    notifempty
+    missingok
+    sharedscripts
+    postrotate
+      squid -k rotate 2>/dev/null
+    endscript
+}
+
diff --git a/net-proxy/squid/squid-6.9.ebuild b/net-proxy/squid/squid-6.9.ebuild
new file mode 100644
index 000000000000..7f6845704afe
--- /dev/null
+++ b/net-proxy/squid/squid-6.9.ebuild
@@ -0,0 +1,391 @@
+# Copyright 1999-2024 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/squid.gpg
+inherit autotools flag-o-matic linux-info pam systemd toolchain-funcs verify-sig
+
+DESCRIPTION="Full-featured web proxy cache"
+HOMEPAGE="https://www.squid-cache.org/"
+
+MY_PV_MAJOR=$(ver_cut 1)
+# Upstream patch ID for the most recent bug-fixed update to the formal release.
+#r=-20181117-r0022167
+r=
+if [[ -z ${r} ]]; then
+	SRC_URI="
+		http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}.tar.xz
+		verify-sig? ( http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}.tar.xz.asc )
+	"
+else
+	SRC_URI="http://static.squid-cache.org/Versions/v${MY_PV_MAJOR}/${P}${r}.tar.bz2"
+	S="${S}${r}"
+fi
+
+LICENSE="GPL-2+"
+SLOT="0"
+KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~riscv ~sparc ~x86"
+IUSE="caps gnutls pam ldap samba sasl kerberos nis radius ssl snmp selinux logrotate test ecap"
+IUSE+=" esi ssl-crtd mysql postgres sqlite systemd perl qos tproxy +htcp valgrind +wccp +wccpv2"
+RESTRICT="!test? ( test )"
+REQUIRED_USE="tproxy? ( caps ) qos? ( caps ) ssl-crtd? ( ssl )"
+
+DEPEND="
+	acct-group/squid
+	acct-user/squid
+	dev-libs/libltdl
+	sys-libs/tdb
+	virtual/libcrypt:=
+	caps? ( >=sys-libs/libcap-2.16 )
+	ecap? ( net-libs/libecap:1 )
+	esi? (
+		dev-libs/expat
+		dev-libs/libxml2
+	)
+	ldap? ( net-nds/openldap:= )
+	gnutls? ( >=net-libs/gnutls-3.1.5:= )
+	logrotate? ( app-admin/logrotate )
+	nis? (
+		net-libs/libtirpc:=
+		net-libs/libnsl:=
+	)
+	kerberos? ( virtual/krb5 )
+	pam? ( sys-libs/pam )
+	qos? ( net-libs/libnetfilter_conntrack )
+	ssl? (
+		dev-libs/nettle:=
+		!gnutls? (
+			dev-libs/openssl:=
+		)
+	)
+	sasl? ( dev-libs/cyrus-sasl )
+	systemd? ( sys-apps/systemd:= )
+"
+RDEPEND="
+	${DEPEND}
+	mysql? ( dev-perl/DBD-mysql )
+	postgres? ( dev-perl/DBD-Pg )
+	perl? ( dev-lang/perl )
+	samba? ( net-fs/samba )
+	selinux? ( sec-policy/selinux-squid )
+	sqlite? ( dev-perl/DBD-SQLite )
+"
+DEPEND+=" valgrind? ( dev-debug/valgrind )"
+BDEPEND="
+	dev-lang/perl
+	ecap? ( virtual/pkgconfig )
+	test? ( dev-util/cppunit )
+	verify-sig? ( sec-keys/openpgp-keys-squid )
+"
+
+PATCHES=(
+	"${FILESDIR}"/${PN}-6.2-gentoo.patch
+	"${FILESDIR}"/${PN}-4.17-use-system-libltdl.patch
+	"${FILESDIR}"/${PN}-6.9-memleak_fix.patch
+)
+
+pkg_pretend() {
+	if use tproxy; then
+		local CONFIG_CHECK="~NF_CONNTRACK ~NETFILTER_XT_MATCH_SOCKET ~NETFILTER_XT_TARGET_TPROXY"
+		linux-info_pkg_setup
+	fi
+}
+
+src_prepare() {
+	default
+
+	# Fixup various paths
+	sed -i -e 's:/usr/local/squid/etc:/etc/squid:' \
+		INSTALL QUICKSTART \
+		scripts/fileno-to-pathname.pl \
+		scripts/check_cache.pl \
+		tools/cachemgr.cgi.8 \
+		tools/purge/conffile.hh \
+		tools/purge/purge.1 || die
+	sed -i -e 's:/usr/local/squid/sbin:/usr/sbin:' \
+		INSTALL QUICKSTART || die
+	sed -i -e 's:/usr/local/squid/var/cache:/var/cache/squid:' \
+		QUICKSTART || die
+	sed -i -e 's:/usr/local/squid/var/logs:/var/log/squid:' \
+		QUICKSTART \
+		src/log/access_log.cc || die
+	sed -i -e 's:/usr/local/squid/logs:/var/log/squid:' \
+		src/log/access_log.cc || die
+	sed -i -e 's:/usr/local/squid/libexec:/usr/libexec/squid:' \
+		src/acl/external/unix_group/ext_unix_group_acl.8 \
+		src/acl/external/session/ext_session_acl.8 || die
+	sed -i -e 's:/usr/local/squid/cache:/var/cache/squid:' \
+		scripts/check_cache.pl || die
+	# /var/run/squid to /run/squid
+	sed -i -e 's:$(localstatedir)::' \
+		src/ipc/Makefile.am || die
+	sed -i 's:/var/run/:/run/:g' tools/systemd/squid.service || die
+
+	sed -i -e 's:_LTDL_SETUP:LTDL_INIT([installable]):' \
+		libltdl/configure.ac || die
+
+	eautoreconf
+}
+
+src_configure() {
+	local myeconfargs=(
+		--cache-file="${S}"/config.cache
+
+		--datadir=/usr/share/squid
+		--libexecdir=/usr/libexec/squid
+		--localstatedir=/var
+		--sysconfdir=/etc/squid
+		--with-default-user=squid
+		--with-logdir=/var/log/squid
+		--with-pidfile=/run/squid.pid
+
+		--enable-build-info="Gentoo ${PF} (r: ${r:-NONE})"
+		--enable-log-daemon-helpers
+		--enable-url-rewrite-helpers
+		--enable-cache-digests
+		--enable-delay-pools
+		--enable-disk-io
+		--enable-eui
+		--enable-icmp
+		--enable-ipv6
+		--enable-follow-x-forwarded-for
+		--enable-removal-policies="lru,heap"
+		--disable-strict-error-checking
+		--disable-arch-native
+
+		--with-large-files
+		--with-build-environment=default
+
+		--with-tdb
+
+		--without-included-ltdl
+		--with-ltdl-include="${ESYSROOT}"/usr/include
+		--with-ltdl-lib="${ESYSROOT}"/usr/$(get_libdir)
+
+		$(use_with caps cap)
+		$(use_enable snmp)
+		$(use_with ssl openssl)
+		$(use_with ssl nettle)
+		$(use_with gnutls)
+		$(use_with ldap)
+		$(use_enable ssl-crtd)
+		$(use_with systemd)
+		$(use_with test cppunit)
+		$(use_enable ecap)
+		$(use_enable esi)
+		$(use_enable esi expat)
+		$(use_enable esi xml2)
+		$(use_enable htcp)
+		$(use_with valgrind valgrind-debug)
+		$(use_enable wccp)
+		$(use_enable wccpv2)
+	)
+
+	# Basic modules
+	local basic_modules=(
+		NCSA
+		POP3
+		getpwnam
+
+		$(usev samba 'SMB')
+		$(usev ldap 'SMB_LM LDAP')
+		$(usev pam 'PAM')
+		$(usev sasl 'SASL')
+		$(usev nis 'NIS')
+		$(usev radius 'RADIUS')
+	)
+
+	use nis && append-cppflags "-I${ESYSROOT}/usr/include/tirpc"
+
+	if use mysql || use postgres || use sqlite; then
+		basic_modules+=( DB )
+	fi
+
+	# Digests
+	local digest_modules=(
+		file
+
+		$(usev ldap 'LDAP eDirectory')
+	)
+
+	# Kerberos
+	local negotiate_modules=( none )
+
+	myeconfargs+=( --without-mit-krb5 --without-heimdal-krb5 )
+
+	if use kerberos; then
+		# We intentionally overwrite negotiate_modules here to lose
+		# the 'none'.
+		negotiate_modules=( kerberos wrapper )
+
+		if has_version app-crypt/heimdal; then
+			myeconfargs+=(
+				--without-mit-krb5
+				--with-heimdal-krb5
+			)
+		else
+			myeconfargs+=(
+				--with-mit-krb5
+				--without-heimdal-krb5
+			)
+		fi
+	fi
+
+	# NTLM modules
+	local ntlm_modules=( none )
+
+	if use samba ; then
+		# We intentionally overwrite ntlm_modules here to lose
+		# the 'none'.
+		ntlm_modules=( SMB_LM )
+	fi
+
+	# External helpers
+	local ext_helpers=(
+		file_userip
+		session
+		unix_group
+		delayer
+		time_quota
+
+		$(usev samba 'wbinfo_group')
+		$(usev ldap 'LDAP_group eDirectory_userip')
+	)
+
+	use ldap && use kerberos && ext_helpers+=( kerberos_ldap_group )
+	if use mysql || use postgres || use sqlite; then
+		ext_helpers+=( SQL_session )
+	fi
+
+	# Storage modules
+	local storeio_modules=(
+		aufs
+		diskd
+		rock
+		ufs
+	)
+
+	#
+	local transparent
+	if use kernel_linux; then
+		myeconfargs+=(
+			--enable-linux-netfilter
+			$(usev qos '--enable-zph-qos --with-netfilter-conntrack')
+		)
+	fi
+
+	tc-export_build_env BUILD_CXX
+	export BUILDCXX="${BUILD_CXX}"
+	export BUILDCXXFLAGS="${BUILD_CXXFLAGS}"
+	tc-export CC AR
+
+	# Should be able to drop this workaround with newer versions.
+	# https://bugs.squid-cache.org/show_bug.cgi?id=4224
+	tc-is-cross-compiler && export squid_cv_gnu_atomics=no
+
+	# Bug #719662
+	append-atomic-flags
+
+	print_options_without_comma() {
+		# IFS as ',' will cut off any trailing commas
+		(
+			IFS=','
+			options=( $(printf "%s," "${@}") )
+			echo "${options[*]}"
+		)
+	}
+
+	myeconfargs+=(
+		--enable-storeio=$(print_options_without_comma "${storeio_modules[@]}")
+		--enable-auth-basic=$(print_options_without_comma "${basic_modules[@]}")
+		--enable-auth-digest=$(print_options_without_comma "${digest_modules[@]}")
+		--enable-auth-ntlm=$(print_options_without_comma "${ntlm_modules[@]}")
+		--enable-auth-negotiate=$(print_options_without_comma "${negotiate_modules[@]}")
+		--enable-external-acl-helpers=$(print_options_without_comma "${ext_helpers[@]}")
+	)
+
+	econf "${myeconfargs[@]}"
+}
+
+src_install() {
+	default
+
+	systemd_dounit tools/systemd/squid.service
+
+	# Need suid root for looking into /etc/shadow
+	fowners root:squid /usr/libexec/squid/basic_ncsa_auth
+	fperms 4750 /usr/libexec/squid/basic_ncsa_auth
+
+	if use pam; then
+		fowners root:squid /usr/libexec/squid/basic_pam_auth
+		fperms 4750 /usr/libexec/squid/basic_pam_auth
+	fi
+
+	# Pinger needs suid as well
+	fowners root:squid /usr/libexec/squid/pinger
+	fperms 4750 /usr/libexec/squid/pinger
+
+	# These scripts depend on perl
+	if ! use perl; then
+		local perl_scripts=(
+			basic_pop3_auth ext_delayer_acl helper-mux
+			log_db_daemon security_fake_certverify
+			storeid_file_rewrite url_lfs_rewrite
+		)
+
+		local script
+		for script in "${perl_scripts[@]}"; do
+			rm "${ED}"/usr/libexec/squid/${script} || die
+		done
+	fi
+
+	# Cleanup
+	rm -r "${D}"/run "${D}"/var/cache || die
+
+	dodoc CONTRIBUTORS CREDITS ChangeLog INSTALL QUICKSTART README SPONSORS doc/*.txt
+	newdoc src/auth/negotiate/kerberos/README README.kerberos
+	newdoc src/auth/basic/RADIUS/README README.RADIUS
+	newdoc src/acl/external/kerberos_ldap_group/README README.kerberos_ldap_group
+	dodoc RELEASENOTES.html
+
+	if use pam; then
+		newpamd "${FILESDIR}"/squid.pam squid
+	fi
+
+	newconfd "${FILESDIR}"/squid.confd-r2 squid
+	newinitd "${FILESDIR}"/squid.initd-r7 squid
+
+	if use logrotate ; then
+		insinto /etc/logrotate.d
+		newins "${FILESDIR}"/squid.logrotate-r1 squid
+	else
+		exeinto /etc/cron.weekly
+		newexe "${FILESDIR}"/squid.cron-r1 squid.cron
+	fi
+
+	diropts -m0750 -o squid -g squid
+	keepdir /var/log/squid /etc/ssl/squid /var/lib/squid
+
+	# Hack for bug #834503 (see also bug #664940)
+	# Please keep this for a few years until it's no longer plausible
+	# someone is upgrading from < squid 5.7.
+	mv "${ED}"/usr/share/squid/errors{,.new} || die
+}
+
+pkg_preinst() {
+	# Remove file in EROOT that the directory collides with.
+	rm -rf "${EROOT}"/usr/share/squid/errors || die
+
+	# Following the collision protection check, reverse
+	# src_install's rename in ED.
+	mv "${ED}"/usr/share/squid/errors{.new,} || die
+}
+
+pkg_postinst() {
+	elog "A good starting point to debug Squid issues is to use 'squidclient mgr:' commands such as 'squidclient mgr:info'."
+
+	if [[ ${#r} -gt 0 ]]; then
+		elog "You are using a release with the official ${r} patch! Make sure you mention that, or send the output of 'squidclient mgr:info' when asking for support."
+	fi
+}
author	Hank Leininger <hlein@korelogic.com>	2024-05-25 11:44:57 -0600
committer	Joonas Niilola <juippis@gentoo.org>	2024-07-03 16:26:37 +0300
commit	e3a9968929b0dbb164a56bcb18db0a5a86839a78 (patch)
tree	5f8e770aca24a0fef7a28f5c2e7b6a27eb508c88 /net-proxy
parent	net-proxy/squid: drop 6.5 (diff)
download	gentoo-e3a9968929b0dbb164a56bcb18db0a5a86839a78.tar.gz gentoo-e3a9968929b0dbb164a56bcb18db0a5a86839a78.tar.bz2 gentoo-e3a9968929b0dbb164a56bcb18db0a5a86839a78.zip