On 01/07/2011 06:04 PM, Amos Jeffries wrote:
> Note that a great many hostnames are "localhost" or
> "localhost.localdomain" or "localhost.local" due to certain distros
> hard-coding "localhost" into their packages.
>
> We also use "localhost" as a backup when the gethostname() call fails to
> provide anything with rDNS. (IMO that hard rDNS requirement is a bit naive)
Good point!

On 01/11/2011 01:16 AM, Henrik Nordström wrote:
> A proposal is to always return an error if Via indicates
> that we have already processed this request twice
> (on third time the same request is received). This will break actual
> loops, while keeping sibling loops silent.

Sounds like a good approach to me. I would even take it a few steps further to address Amos's concern using the same technique.

How about this plan:

If we have detected a forwarding loop and our name appeared N times, then respond with an error provided at least one of the conditions below is true:

1) N > 2 and our name is not localhost or similar.
2) N > 10.

No checks for the port mode or transaction flags (intercepted, accelerated, etc.).

In addition to the above, do a startup check for the name and warn the user if our name is localhost or similar.

Would that address all the concerns voiced so far?

Thank you,

Alex.

P.S. I would propose to just use "N > 10" always, but I am worried that allowing 10 loop iterations by default would make it easier to "amplify" some attacks on/using Squid.
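The loop rule proposed above, written out as an added example (not code from this thread or from Squid itself). It assumes N is the number of times our visible hostname appears as the received-by token of the incoming Via header, with any port suffix and parenthesised comment ignored, and that "localhost or similar" means the three names Amos listed.

```python
import re

# Names that many distros hard-code, so they are shared by unrelated proxies.
# Assumption: these are the "localhost or similar" names from the thread.
LOCALHOST_LIKE = {"localhost", "localhost.localdomain", "localhost.local"}


def is_localhost_like(name: str) -> bool:
    return name.lower() in LOCALHOST_LIKE


def received_by_hosts(via: str):
    """Return the received-by host of each hop in a Via header value.

    Each hop looks like 'proto/version received-by (comment)'. Comments are
    dropped first, then the ':port' suffix is stripped from received-by.
    """
    no_comments = re.sub(r"\([^)]*\)", "", via)
    hosts = []
    for hop in no_comments.split(","):
        parts = hop.split()
        if len(parts) >= 2:
            hosts.append(re.sub(r":\d+$", "", parts[1]).lower())
    return hosts


def count_self(via: str, our_name: str) -> int:
    """N: how many times our own name already appears in the Via chain."""
    return sum(1 for host in received_by_hosts(via) if host == our_name.lower())


def should_reject(via: str, our_name: str) -> bool:
    """Respond with an error when (N > 2 and the name is not localhost-like)
    or N > 10; otherwise let sibling loops pass silently."""
    n = count_self(via, our_name)
    if n > 2 and not is_localhost_like(our_name):
        return True
    return n > 10


def startup_warning(our_name: str):
    """The proposed startup check: warn when the name weakens loop detection."""
    if is_localhost_like(our_name):
        return f"WARNING: hostname '{our_name}' is localhost-like; loop detection only triggers after 10 iterations"
    return None


# Constructed sample: a sibling exchange where our name appears twice (no error)
SIBLING_VIA = "1.1 sib1.example.net (squid/3.1), 1.1 proxy.example.com:3128 (squid/3.1), 1.1 sib2.example.net, 1.1 proxy.example.com"
```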
