Saurabh Agarwal wrote:
> Hi
>
> Can someone please tell me how squid does the acl evaluation related
> to Src/Dst IP address? Like "acl myNet dst 10.0.0.0/255.255.0.0"
>
> As I understand squid does not get to know the IP layer information
> which has the destination IP address field.
>
> But in the HTTP header we have the name of the server like
> "Host mail.yahoo.com", which can be used to determine the destination IP
> Address.
>
> Does squid resolve the IP address of mail.yahoo.com before it does the
> Dst Address acls matching or evaluation?

With src and dst it differs in the methods of attaining the IP. But the
evaluation is identical.

src - performs an OS call to retrieve the IP of the other end of the TCP
connection socket it's been given.

dst - retrieves the FQDN being looked up from the request headers, and
performs a DNS lookup on it to retrieve the address.

Both then pass the IP to the ACL processing to be checked.

Amos
--
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.

Received on Mon Mar 17 2008 - 04:30:26 MDT
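
The two lookup paths described in the reply above, as an added Python sketch that is not part of the original message and is not Squid's code. The function names, the injected `resolve` callback, the `example.test` host names and the made-up DNS table are assumptions of this example; only the ACL network comes from the question.

```python
import ipaddress
import socket

# ACL from the question: acl myNet dst 10.0.0.0/255.255.0.0
MY_NET = ipaddress.ip_network("10.0.0.0/255.255.0.0")

def in_acl(ip, net=MY_NET):
    """Common last step: src and dst both hand an IP to the same comparison."""
    return ipaddress.ip_address(ip) in net

def src_ip(conn):
    """src: OS call for the address at the other end of the TCP socket."""
    return conn.getpeername()[0]

def request_host(raw):
    """dst, step 1: pull the host name out of the request headers."""
    for line in raw.split(b"\r\n")[1:]:
        if not line:  # blank line ends the header block
            break
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            # Drop an optional :port (IPv6 literals are not handled here).
            return value.decode("ascii").strip().split(":")[0]
    return None

def dst_ips(host, resolve):
    """dst, step 2: DNS lookup, skipped when the host is already an IP."""
    if host is None:
        return []
    try:
        return [str(ipaddress.ip_address(host))]
    except ValueError:
        return resolve(host)

def system_resolve(host):
    """Real resolver; the demo below swaps in a constructed table instead."""
    infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
    return sorted({i[4][0] for i in infos})

def evaluate(conn, raw, resolve=system_resolve):
    # Assumption of this example: dst matches if any resolved address matches.
    return {"src": in_acl(src_ip(conn)),
            "dst": any(in_acl(ip) for ip in dst_ips(request_host(raw), resolve))}

if __name__ == "__main__":
    # Constructed sample: loopback connection and a made-up DNS table.
    fake_dns = {"mail.example.test": ["10.0.3.7"]}
    srv = socket.create_server(("127.0.0.1", 0))
    cli = socket.create_connection(srv.getsockname())
    conn, _ = srv.accept()
    req = b"GET / HTTP/1.1\r\nHost: mail.example.test\r\n\r\n"
    print(evaluate(conn, req, lambda h: fake_dns.get(h, [])))
    for s in (conn, cli, srv):
        s.close()
```

The sketch makes one consequence of the reply visible: the src result depends only on the socket, while the dst result depends on a name supplied in the request and on whatever the resolver returns for it.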