Thanks Amos, I have one follow-up question though on your reply.

src - performs an OS call to retrieve the IP of the other end of the TCP
connection socket it's been given.

dst - retrieves the FQDN being looked up from the request headers, and 
performs a DNS lookup on it to retrieve the address.

>> To determine the dst IP address, why don't we perform an OS call
to retrieve the destination IP address? Is it technically possible? If
yes, how? If we can do it, then we can save some time on the DNS lookup
that squid performs.

Thanks
Saurabh
-----Original Message-----
From: Amos Jeffries [mailto:[EMAIL PROTECTED] 
Sent: Monday, March 17, 2008 4:01 PM
To: Saurabh Agarwal
Cc: squid-users@squid-cache.org
Subject: Re: [squid-users] How squid does Src/Dst IP address matching

Saurabh Agarwal wrote:
> Hi 
> 
> Can someone please tell how squid does the acl evaluation related
> to Src/Dst IP address? Like "acl myNet dst 10.0.0.0/255.255.0.0"
> 
> As I understand squid does not get to know the IP layer information
> which has the destination IP address field.
> 
> But in the HTTP header we have the name of the server like
> "Host mail.yahoo.com", which can be used to determine the destination
> IP Address.
> 
> Does squid resolve the IP address of mail.yahoo.com before it does
> the Dst Address acls matching or evaluation?


With src and dst it differs in the methods of attaining the IP. But the 
evaluation is identical.

src - performs an OS call to retrieve the IP of the other end of the TCP
connection socket it's been given.

dst - retrieves the FQDN being looked up from the request headers, and 
performs a DNS lookup on it to retrieve the address.

Both then pass the IP to the ACL processing to be checked.

Amos
-- 
Please use Squid 2.6STABLE17+ or 3.0STABLE1+
There are serious security advisories out on all earlier releases.
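The two lookups Amos describes, shown side by side as an added example that is not part of this thread or of Squid's own code: src is read from the accepted socket through the OS, dst is resolved from the name in the Host header, and both go through the same network match. The request text, the host name and the DNS table are constructed stand-ins so it runs offline.

```python
import ipaddress
import socket

# Constructed sample input: a proxied request carrying a Host header.
SAMPLE_REQUEST = (
    "GET http://mail.example.test/ HTTP/1.1\r\n"
    "Host: mail.example.test\r\n"
    "User-Agent: demo\r\n\r\n"
)

# Constructed stand-in for DNS (hypothetical name and address).
FAKE_DNS = {"mail.example.test": "10.0.42.7"}


def parse_acl(line):
    """Parse 'acl <name> <src|dst> <net>/<mask>' into (name, kind, network)."""
    _, name, kind, net = line.split()
    return name, kind, ipaddress.ip_network(net, strict=False)


def src_ip(conn):
    """src: ask the OS for the address at the other end of the TCP socket."""
    return ipaddress.ip_address(conn.getpeername()[0])


def host_from_request(raw):
    """Pull the FQDN out of the Host header, dropping any :port suffix."""
    for line in raw.split("\r\n")[1:]:
        if line.lower().startswith("host:"):
            return line.split(":", 1)[1].strip().rsplit(":", 1)[0]
    return None


def dst_ip(raw, resolve=socket.gethostbyname):
    """dst: resolve the Host header name to an address (a DNS lookup)."""
    return ipaddress.ip_address(resolve(host_from_request(raw)))


def acl_match(ip, network):
    """The shared evaluation step: is the IP inside the ACL's network?"""
    return ip in network


def demo_src_ip():
    """Open a loopback TCP connection and read the peer address via the OS."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        with socket.socket() as client:
            client.connect(listener.getsockname())
            conn, _ = listener.accept()
            with conn:
                return str(src_ip(conn))
```

The socket the proxy accepted only knows two addresses, the client's (getpeername) and the proxy's own listening address (getsockname); the origin server is never an endpoint of that connection, which is why dst has to come from the name in the request rather than an OS call.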
