Saurabh Agarwal wrote:
Thanks Amos, I have one follow up question though on your reply
src - performs an OS call to retrieve the IP of the other end of the TCP
connection socket its been given.
dst - retrieves the FQDN being looked up from the request headers, and
performs a DNS lookup on it to retrieve the address.
To determine the dst IP address, why do we don't perform an OS call
to retrieve the destination IP address. Is it technically possible? If
yes how? IF we can do it, then we can save some time in the DNS lookup
that squid performs.
It's possible. Most OS provide sgetsockopt() calls to retrieve them.
Squid does not use these in order to protect its cache against
compromised users.
When trusting the users requested dst-IP a single infected web client
retrieving a bad web page could poison the cache and pass the infection
on to all other users.
Amos
Thanks
Saurabh
-----Original Message-----
From: Amos Jeffries [mailto:squid3@xxxxxxxxxxxxx]
Sent: Monday, March 17, 2008 4:01 PM
To: Saurabh Agarwal
Cc: squid-users@xxxxxxxxxxxxxxx
Subject: Re: How squid does Src/Dst IP address matching
Saurabh Agarwal wrote:
Hi
Can someone please tell how does squid does the acl evaluation related
to Src/Dst IP address? Like "acl myNet dst 10.0.0.0/255.255.0.0"
As I understand squid does not get to know the IP layer information
which has the destination IP address field.
But in the HTTP header we have the name of the server like
"Host mail.yahoo.com", which can be used to determine the destination
IP
Address.
Does squid resolves the IP address of mail.yahoo.com before it does
the
Dst Address acls matching or evaluation?
With src and dst it differs in the methods of attaining the IP. But the
evaluation is identical.
src - performs an OS call to retrieve the IP of the other end of the TCP
connection socket its been given.
dst - retrieves the FQDN being looked up from the request headers, and
performs a DNS lookup on it to retrieve the address.
Both then pass the IP to the ACL processing to be checked.
Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.