[squid-users] squid-users Digest, Vol 66, Issue 17

Sat Feb 15 12:50:19 UTC 2020

On 16/02/20 12:42 am, Scott wrote:
>> Date: Fri, 14 Feb 2020 11:03:50 -0500
>> From: Alex Rousskov
>>
>> On 2/14/20 10:36 AM, Scott wrote:
>>
>>> I know it's derivable by other means, but it would be nice to have a 
>>> logformat format code that provided the client and server IP version numbers.
>>
>>> eg: >v for Client IP version (4 or 6) and <v for Server
>>
>>
>> Other than client and server, Squid can log a few other IP addresses,
>> including:
>>
>>     >a      Client source IP address
>>     >la     Local IP address the client connected to
>>     la      Local listening IP address the client connection was...
>>     <a      Server IP address of the last server or peer connection
>>     <la     Local IP address of the last server or peer connection
>>     icap::<A        ICAP server IP address. Similar to <A.
>>
>>
>> If we add support for automated IP version extraction, it should be
>> supported as a single new parameter for all existing %codes that log IP
>> addresses rather than new %codes (one %code for each of the existing
>> %codes that log IP addresses). For example:
>>
>>     %>a{version}
>>
>> FWIW, personally, I am not sure we should add such a %code option
>> because, I presume, the same information can be obtained simply by
>> checking the first character of the logged IP address for being '['.
>> Said that, I am open to hearing arguments why it should be added.
>>
>>
>> Cheers,
>>
>> Alex.
>>
> 
> Thanks Alex,
> 
> bear in mind that normally Squid handles but two connections (c->squid, 
> squid->peer/origin), despite the fact that there are normally four addresses 
> (client, squid-inside, squid-outside, peer/origin).  If it were agreed to 
> support such a logging function, why would one bother having >a{version} and 
>> la{version} when both MUST be the same?  Same goes for <a and <la.
> 

If you are using an IPv6 enabled Squid on a Hybrid-stack machine you may
notice that it does not have IPv4 listeners at all. Squid talks to IPv4
clients through IPv6 :: or a v4-mapping address.

> That's the whole point of "<" and ">".  These two qualifiers are linked to 
> the inside and outside IP versions, not the "l" in ">la" and "<la". That's 
> why I suggested a new variable "v" with two sides/directions (>/<).
> 
> As to the suggestion that one differentiate IP versions by the signifier '[', 
> from my experience "%>a" in logformat does NOT provide surrounding square 
> brackets.

For Squid %<a / %>a codes the more correct sign is when the IP contains
a ':' it is IPv6 or later.

> 
> The argument I would make (and I do appreciate you hearing it) is that 
> programmatically (think grep/awk or pcre filtering) it's much easier to 
> determine how much traffic (client/server) is either v4 or v6 is by using a 
> fixed field rather than positive/negative lookaheads in the address codes 
> (given the lack of []).

IMO it would be better to implement the long outstanding request for
SNMP counters providing that information. No need to parse the logs then.

Amos