wheezy squid 3.1.20-2.2 external_type_acl

порет чушь, похоже на баг, но не могу найти подобного

правила в конфиге:

external_acl_type auth_helper ttl=2 %SRC %DST /etc/squid3/python/1.sh
acl IP external auth_helper IP
acl A src X.X.X.X
http_access allow IP
http_access deny all

внешний хелпер был заменен на простой баш-скрипт, на любой запрос выдает OK
все работает ровно до тех пор, пока не придет время сквиду сделать очередной запрос к внешнему скрипту, и тогда происходит следующее:

2014/06/04 00:26:18.158| ACLChecklist::preCheck: 0x7ffe36f530b8 checking 'http_access allow IP'
2014/06/04 00:26:18.158| ACLList::matches: checking IP
2014/06/04 00:26:18.158| ACL::checklistMatches: checking 'IP'
2014/06/04 00:26:18.158| aclMatchExternal: acl=«auth_helper»
2014/06/04 00:26:18.158| aclMatchExternal: auth_helper(«X.X.X.X http://www.hulu.com IP») = lookup needed
2014/06/04 00:26:18.158| aclMatchExternal: «X.X.X.X http://www.hulu.com IP»: entry=@0x7ffe36f2cb28, age=2
2014/06/04 00:26:18.158| aclMatchExternal: «X.X.X.X http://www.hulu.com IP»: queueing a call.
2014/06/04 00:26:18.158| aclMatchExternal: «X.X.X.X http://www.hulu.com IP»: return -1.
2014/06/04 00:26:18.158| ACL::ChecklistMatches: result for 'IP' is -1
2014/06/04 00:26:18.158| ACLList::matches: result is false
2014/06/04 00:26:18.158| aclmatchAclList: 0x7ffe36f530b8 returning false (AND list entry failed to match)
2014/06/04 00:26:18.158| ACL::FindByName 'IP'
2014/06/04 00:26:18.158| ACLChecklist::asyncInProgress: 0x7ffe36f530b8 async set to 1
2014/06/04 00:26:18.158| externalAclLookup: lookup in 'auth_helper' for 'X.X.X.X http://www.hulu.com IP'
2014/06/04 00:26:18.158| externalAclLookup: looking up for 'X.X.X.X http://www.hulu.com IP' in 'auth_helper'.
2014/06/04 00:26:18.158| externalAclLookup: no need to wait for the result of 'X.X.X.X http://www.hulu.com IP' in 'auth_helper' (ch=0x7ffe36f530b8).
2014/06/04 00:26:18.158| externalAclLookup: using cached entry 0x7ffe36f2cb28
2014/06/04 00:26:18.158| externalAclLookup: entry = { date=1401855976, result=1, user= tag= log= }
2014/06/04 00:26:18.158| ACLChecklist::asyncInProgress: 0x7ffe36f530b8 async set to 0
2014/06/04 00:26:18.158| aclmatchAclList: async=1 nodeMatched=0 async_in_progress=0 lastACLResult() = 0 finished() = 0
2014/06/04 00:26:18.158| ACLChecklist::preCheck: 0x7ffe36f530b8 checking 'http_access deny all'
2014/06/04 00:26:18.158| ACLList::matches: checking all
2014/06/04 00:26:18.158| ACL::checklistMatches: checking 'all'
2014/06/04 00:26:18.158| aclIpAddrNetworkCompare: compare: X.X.X.X:35387/[::] ([::]:35387)  vs [::]-[::]/[::]
2014/06/04 00:26:18.158| aclIpMatchIp: 'X.X.X.X:35387' found
2014/06/04 00:26:18.158| ACL::ChecklistMatches: result for 'all' is 1
2014/06/04 00:26:18.158| ACLList::matches: result is true
2014/06/04 00:26:18.158| aclmatchAclList: 0x7ffe36f530b8 returning true (AND list satisfied)
2014/06/04 00:26:18.158| ACLChecklist::markFinished: 0x7ffe36f530b8 checklist processing finished
2014/06/04 00:26:18.158| ACLChecklist::check: 0x7ffe36f530b8 match found, calling back with 0
2014/06/04 00:26:18.158| ACLFilledChecklist::checkCallback: 0x7ffe36f530b8 answer=0
2014/06/04 00:26:18.158| ACLChecklist::checkCallback: 0x7ffe36f530b8 answer=0

Как видим, забил он на внешний acl и отработал http_access deny all. Клиент получил TCP_DENIED/403. Я его не понимаю...