Re: /bzr/squid3/trunk/ r9887: Docs: dstdomain is a 'FAST' group ACL.

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Sun, 09 Aug 2009 12:34:22 +1200

Kinkie wrote:
> On Sun, Aug 9, 2009 at 12:45 AM, Henrik
> Nordstrom<henrik_at_henriknordstrom.net> wrote:
>> Sat 2009-08-08 at 00:44 +1200, Amos Jeffries wrote:
>>
>>> Docs: dstdomain is a 'FAST' group ACL.
>> Actually it's both.. for domain based requests it's fast.
>>
>> but for IP based requests it's a slow ACL trying to reverse-lookup the
>> hostname of the requested ip,
>
> Hm.. gah!
> For documentation purposes it's probably safer to either document this
> split personality disorder, or to just consider it fast.
> I checked the code, and it seems "slow" at first glance.
>
> For 3.3+ what would you guys think about splitting dstdomain up into
> two, to make the behaviour clearer? Something like dstname (always
> fast) and dstdomain (always slow)?
>

I don't think so. That pushes the complexity into people's faces.
dstdomain is only slow if:
  a) the rDNS is not already cached by a prior lookup
  b) the IP is not listed as text in the list

There are a few other things like CVE-2009-0801 which now require that
the dstdomain IP lookup gets triggered on first sight of the domain.
Which will push the false-negatives down a lot.

IMO the fact that we actually accept IPs and rDNS them for the lookup is
a sugar feature. We don't really want to encourage the use of raw-IPs in
URLs.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
Received on Sun Aug 09 2009 - 00:34:30 MDT
