Description: Bug #3769: client_netmask not evaluated since Comm redesign This bug caused the client_netmask directive in Squid-3.2 and Squid-3.3 releases to have no effect. The designed behaviour of masking client IPs in logs is now restored. . squid3 (3.3.8-1ubuntu6.7) UNRELEASED; urgency=medium . * Fix Bug #3769 Author: Lukas Erlacher --- The information above should follow the Patch Tagging Guidelines, please checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here are templates for supplementary fields that you might want to add: Origin: , Bug: Bug-Debian: http://bugs.debian.org/ Bug-Ubuntu: https://launchpad.net/bugs/ Forwarded: Reviewed-By: Last-Update: --- squid3-3.3.8.orig/src/AccessLogEntry.cc +++ squid3-3.3.8/src/AccessLogEntry.cc @@ -15,17 +15,30 @@ AccessLogEntry::SslDetails::SslDetails() void AccessLogEntry::getLogClientIp(char *buf, size_t bufsz) const { + Ip::Address log_ip; + #if FOLLOW_X_FORWARDED_FOR if (Config.onoff.log_uses_indirect_client && request) - request->indirect_client_addr.NtoA(buf, bufsz); + log_ip = request->indirect_client_addr; else #endif if (tcpClient != NULL) - tcpClient->remote.NtoA(buf, bufsz); - else if (cache.caddr.IsNoAddr()) // e.g., ICAP OPTIONS lack client + log_ip = tcpClient->remote; + else if (cache.caddr.IsNoAddr()) { // e.g., ICAP OPTIONS lack client strncpy(buf, "-", bufsz); - else - cache.caddr.NtoA(buf, bufsz); + return; + } else + log_ip = cache.caddr; + + // Apply so-called 'privacy masking' to IPv4 clients + // - localhost IP is always shown in full + // - IPv4 clients masked with client_netmask + // - IPv6 clients use 'privacy addressing' instead. + + if (!log_ip.isLocalhost() && log_ip.isIPv4()) + log_ip.applyMask(Config.Addrs.client_netmask); + + log_ip.NtoA(buf, bufsz); } AccessLogEntry::~AccessLogEntry()
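Review bot: the new masking block at the end of getLogClientIp() calls log_ip.isLocalhost(), log_ip.isIPv4() and log_ip.applyMask() in lower camel case, while the unchanged context in the same function calls cache.caddr.IsNoAddr() and NtoA() with a capital initial. Please confirm that the Ip::Address class in the 3.3.8 tree actually provides the lower-case spellings. If it only has the capitalised forms, this backport will not compile and the three calls need to be renamed to match. Separately, the branch `if (!log_ip.isLocalhost() && log_ip.isIPv4())` leaves IPv6 client addresses unmasked in the log, and with log_uses_indirect_client set the mask is applied to the X-Forwarded-For derived address rather than the TCP peer. Both are worth stating in the client_netmask documentation so operators relying on it for log privacy know what is and is not covered.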