On 28/01/2013 12:04 a.m., Tsantilas Christos wrote:
On 01/26/2013 12:11 PM, Amos Jeffries wrote:
This patch has passed the 10-day standown period and has no audit objections.
I had forgotten it. Thank you.
I only note that it uses class member dynamic array definitions (foo[];).
The C++ feature will break the build on some compilers we need
to support (clang for FreeBSD9).
Are you referring to definitions like the following?
ACLFlag DestinationDomainFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};
const ACLFlag ACLFlags::NoFlags[] = {ACL_F_END};
Will clang work if I convert them to:
ACLFlag DestinationDomainFlags[64] = {ACL_F_NO_LOOKUP, ACL_F_END};
const ACLFlag ACLFlags::NoFlags[64] = {ACL_F_END};
or even better use the following:
typedef ACLFlag ACLFlagsSupported[64];
ACLFlagsSupported DestinationDomainFlags = {ACL_F_NO_LOOKUP, ACL_F_END};
const ACLFlagsSupported ACLFlags::NoFlags = {ACL_F_END};
Opinion on this?
No, these all have sizes and definitions.
Sorry, I should not have used the plural. The problem is likely to be:
static const ACLFlag NoFlags[];
defined as [] but with no size.
Amos
Once that is fixed this patch can go in.
Amos
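To make the portability point concrete, here is an added example of the flag-table idiom the thread is discussing, written for this note and not taken from the Squid source or the patch. The enum values, the MaxFlags bound and the supports() helper are assumptions; only the names ACLFlag, ACL_F_NO_LOOKUP, ACL_F_END, ACLFlags::NoFlags and DestinationDomainFlags come from the thread. The static member is declared with an explicit size, which is the form Christos proposed and avoids the sizeless in-class `NoFlags[]` declaration Amos flagged; the ACL_F_END terminator keeps the meaningful length independent of that size.

```cpp
#include <cstddef>

// Assumed flag enumeration; the real Squid definition is not shown in the thread.
enum ACLFlag {
    ACL_F_END = 0,       // terminator for flag tables (also the zero-fill value)
    ACL_F_NO_LOOKUP,     // the new -n flag: no DNS lookups or address conversions
    ACL_F_REGEX_CASE     // hypothetical placeholder for the -i/+i regex handling
};

class ACLFlags {
public:
    // Sized in-class declaration: the array type is complete here, so the
    // "static const ACLFlag NoFlags[];" form that breaks some compilers is avoided.
    enum { MaxFlags = 8 };
    static const ACLFlag NoFlags[MaxFlags];

    // An ACL type hands in the table of flags it accepts (ACL_F_END terminated).
    explicit ACLFlags(const ACLFlag *supported) : supported_(supported) {}

    // True when the flag appears in the table before the ACL_F_END terminator.
    bool supports(ACLFlag f) const {
        if (f == ACL_F_END)
            return false;
        for (const ACLFlag *p = supported_; *p != ACL_F_END; ++p)
            if (*p == f)
                return true;
        return false;
    }

    // Number of flags in the table, not counting the terminator.
    std::size_t count() const {
        std::size_t n = 0;
        for (const ACLFlag *p = supported_; *p != ACL_F_END; ++p)
            ++n;
        return n;
    }

private:
    const ACLFlag *supported_;
};

// Definition with the same explicit size; unspecified entries zero-fill to ACL_F_END.
const ACLFlag ACLFlags::NoFlags[ACLFlags::MaxFlags] = {ACL_F_END};

// Supported-flags table for a dstdomain-style ACL (constructed for this example).
const ACLFlag DestinationDomainFlags[] = {ACL_F_NO_LOOKUP, ACL_F_END};

// Helpers a config parser could call for the two ACL types modelled here.
bool dstdomainAcceptsNoLookup() { return ACLFlags(DestinationDomainFlags).supports(ACL_F_NO_LOOKUP); }
bool flaglessAcceptsNoLookup() { return ACLFlags(ACLFlags::NoFlags).supports(ACL_F_NO_LOOKUP); }
std::size_t dstdomainFlagCount() { return ACLFlags(DestinationDomainFlags).count(); }
std::size_t flaglessFlagCount() { return ACLFlags(ACLFlags::NoFlags).count(); }

int main() {
    // Stand-alone smoke run: dstdomain accepts -n, the flagless table accepts nothing.
    return (dstdomainAcceptsNoLookup() && !flaglessAcceptsNoLookup()) ? 0 : 1;
}
```

The sized declaration trades a fixed upper bound (MaxFlags) for a definition that compiles everywhere; because lookups stop at ACL_F_END, raising or lowering that bound never changes which flags an ACL type reports as supported.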
On 25/12/2012 9:08 a.m., Tsantilas Christos wrote:
No-lookup DNS ACLs
Currently, dst, dstdom, dstdom_regex (and others?) DNS-related ACLs do
DNS lookups if such a lookup is needed to convert an IP address into a
domain name or vice versa. This creates two kinds of problems:
- It is difficult to identify requests that use raw IP addresses in
Request-URI or Host headers. One would have to use something like
url_regex and possibly req_header to identify those before using dst
ACLs to match the request destination against a known IP subnet. IPv6
would only make this harder.
- It is difficult to use dst* ACLs in options that support fast ACLs
only. If an async lookup is required, the answer will be unpredictable
(now) or DUNNO (when the ACL bugs are fixed), possibly with warnings and
other complications.
This patch adds a -n option to dst, dstdom, dstdom_regex and other
DNS-related ACLs. The option disables lookups and address type
conversions. If lookup or conversion is required because the parameter
type (IP or domain name) does not match the message address type (domain
name or IP), then the ACL with a -n option would immediately declare a
mismatch without any warnings or lookups.
Please note that -n prohibits lookups in Squid's DNS caches as well.
This patch also adds an ACL flags mechanism to help us easily add new
flags for ACLs. The supported flags for an ACL type are configured in the
ACL constructor.
Extra care is taken for the -i/+i regex flags. These flags are not normal
flags because they can be applied anywhere in ACL values:
acl dstdomain_regex -i dom1 dom2 +i dom3 -i dom4
This is a Measurement Factory project.
Regards,
Christos
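An added squid.conf fragment illustrating the two use cases the description gives; it is not part of the patch or of Squid's documentation. It assumes the -n syntax described above (flag placed between the ACL type and its values) and uses the standard dst, dstdomain and http_access directives; the address ranges and domain are constructed for the example.

```conf
# Added example; assumes the -n option described in this patch.

# With -n, a dst ACL never resolves a domain-name destination to an IP.
# A request whose Host / Request-URI names a domain simply mismatches,
# so this only ever fires for literal-IP destinations in these ranges
# and never waits on a lookup (DNS cache included).
acl literal_private_dst dst -n 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
acl literal_private_dst dst -n 192.0.2.0/24 2001:db8::/32
http_access deny literal_private_dst

# The converse: a dstdomain ACL with -n never reverse-resolves a literal-IP
# destination, so a raw-IP request mismatches instead of triggering a lookup.
acl internal_names dstdomain -n .example.internal
http_access allow internal_names

# Without -n the same dst ACL may need an asynchronous lookup, which is the
# unpredictable / DUNNO case in fast-only contexts described above.
# acl private_dst dst 10.0.0.0/8
```

Because -n makes a type mismatch an immediate miss rather than a lookup, a rule set that needs both cases (literal IPs and domain names) must list both ACLs explicitly, as above, rather than relying on one ACL and a conversion.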