[squid-users] squid-users Digest, Vol 66, Issue 17

Sat Feb 15 11:42:36 UTC 2020

> Date: Fri, 14 Feb 2020 11:03:50 -0500
> From: Alex Rousskov <rousskov at measurement-factory.com>
> To: squid-users at lists.squid-cache.org
> Subject: Re: [squid-users] [Feature request] add IP version to logformat
>  format codes
> 
> On 2/14/20 10:36 AM, Scott wrote:
> 
> > I know it's derivable by other means, but it would be nice to have a 
> > logformat format code that provided the client and server IP version numbers.
> 
> > eg: >v for Client IP version (4 or 6) and <v for Server
> 
> 
> Other than client and server, Squid can log a few other IP addresses,
> including:
> 
>     >a      Client source IP address
>     >la     Local IP address the client connected to
>     la      Local listening IP address the client connection was...
>     <a      Server IP address of the last server or peer connection
>     <la     Local IP address of the last server or peer connection
>     icap::<A        ICAP server IP address. Similar to <A.
> 
> 
> If we add support for automated IP version extraction, it should be
> supported as a single new parameter for all existing %codes that log IP
> addresses rather than new %codes (one %code for each of the existing
> %codes that log IP addresses). For example:
> 
>     %>a{version}
> 
> FWIW, personally, I am not sure we should add such a %code option
> because, I presume, the same information can be obtained simply by
> checking the first character of the logged IP address for being '['.
> Said that, I am open to hearing arguments why it should be added.
> 
> 
> Cheers,
> 
> Alex.
> 

Thanks Alex,

bear in mind that normally Squid handles but two connections (c->squid, 
squid->peer/origin), despite the fact that there are normally four addresses 
(client, squid-inside, squid-outside, peer/origin).  If it were agreed to 
support such a logging function, why would one bother having >a{version} and 
>la{version} when both MUST be the same?  Same goes for <a and <la.

That's the whole point of "<" and ">".  These two qualifiers are linked to 
the inside and outside IP versions, not the "l" in ">la" and "<la". That's 
why I suggested a new variable "v" with two sides/directions (>/<).

As to the suggestion that one differentiate IP versions by the signifier '[', 
from my experience "%>a" in logformat does NOT provide surrounding square 
brackets.

The argument I would make (and I do appreciate you hearing it) is that 
programmatically (think grep/awk or pcre filtering) it's much easier to 
determine how much traffic (client/server) is either v4 or v6 is by using a 
fixed field rather than positive/negative lookaheads in the address codes 
(given the lack of []).

Scott