On 16/02/20 12:42 am, Scott wrote:
>> Date: Fri, 14 Feb 2020 11:03:50 -0500
>> From: Alex Rousskov
>>
>> On 2/14/20 10:36 AM, Scott wrote:
>>
>>> I know it's derivable by other means, but it would be nice to have a
>>> logformat format code that provided the client and server IP version numbers.
>>
>>> eg: >v for Client IP version (4 or 6) and <v for Server
>>
>>
>> Other than client and server, Squid can log a few other IP addresses,
>> including:
>>
>> >a Client source IP address
>> >la Local IP address the client connected to
>> la Local listening IP address the client connection was...
>> <a Server IP address of the last server or peer connection
>> <la Local IP address of the last server or peer connection
>> icap::<A ICAP server IP address. Similar to <A.
>>
>>
>> If we add support for automated IP version extraction, it should be
>> supported as a single new parameter for all existing %codes that log IP
>> addresses rather than new %codes (one %code for each of the existing
>> %codes that log IP addresses). For example:
>>
>> %>a{version}
>>
>> FWIW, personally, I am not sure we should add such a %code option
>> because, I presume, the same information can be obtained simply by
>> checking the first character of the logged IP address for being '['.
>> Said that, I am open to hearing arguments why it should be added.
>>
>>
>> Cheers,
>>
>> Alex.
>>
>
> Thanks Alex,
>
> bear in mind that normally Squid handles but two connections (c->squid,
> squid->peer/origin), despite the fact that there are normally four addresses
> (client, squid-inside, squid-outside, peer/origin). If it were agreed to
> support such a logging function, why would one bother having >a{version} and
>> la{version} when both MUST be the same? Same goes for <a and <la.
>
If you are using an IPv6 enabled Squid on a Hybrid-stack machine you may
notice that it does not have IPv4 listeners at all. Squid talks to IPv4
clients through IPv6 :: or a v4-mapping address.
> That's the whole point of "<" and ">". These two qualifiers are linked to
> the inside and outside IP versions, not the "l" in ">la" and "<la". That's
> why I suggested a new variable "v" with two sides/directions (>/<).
>
> As to the suggestion that one differentiate IP versions by the signifier '[',
> from my experience "%>a" in logformat does NOT provide surrounding square
> brackets.
For Squid %<a / %>a codes the more correct sign is when the IP contains
a ':' it is IPv6 or later.
>
> The argument I would make (and I do appreciate you hearing it) is that
> programmatically (think grep/awk or pcre filtering) it's much easier to
> determine how much traffic (client/server) is either v4 or v6 is by using a
> fixed field rather than positive/negative lookaheads in the address codes
> (given the lack of []).
IMO it would be better to implement the long outstanding request for
SNMP counters providing that information. No need to parse the logs then.
Amos
_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
