Re: /bzr/squid3/trunk/ r9907: Add 0.0.0.0 as an to_localhost address

From: Amos Jeffries <squid3_at_treenet.co.nz>
Date: Mon, 17 Aug 2009 14:08:54 +1200

Henrik Nordstrom wrote:
> sön 2009-08-16 klockan 19:17 +1200 skrev Amos Jeffries:
>
>> Aha. Just connect() then? not really bind() or listen()?
>
> Correct. Bind to 0.0.0.0 is "any address".
>
>> I'm thinking that aliasing has already been done before Squid gets such
>> packets at the 'other end'. So that we only see the real localhost IP if
>> its intercepted. Right?
>
> 0.0.0.0 is not valid for use on the wire. I would expect stacks to
> discard such packets.
>
>> Problem might be DNS on forward proxy traffic, but that's validated out
>> of existence to a NXDOMAIN.
>
> ?
>
>> Leaving only hosts file entries. I know 0.0.0.0 is used to boganize
>> domain names at times. Because it doesn't resolve!
>
>> For the intended use of the ACL as you highlight, yes I agree it's a
>> good change. It may not be good for the reality situation though.
>
> Well, it's the same thing so doesn't matter really.
>
>> What about a bogons ACL for less confusion?
>
> dst 0.0.0.0 is not more bogon than dst 127.0.0.1.
>

Yes it is.

Consider the virtual host setup with DNS views:

   foo.example.com -> 1.2.3.4 (when the public checks)
   foo.example.com -> 127.0.0.1 (when Squid checks)

  Squid listening on 1.2.3.4:80
  Apache listening on 127.0.0.1:80

Based on what ACL the admin can see in the config file and what they
need to do squid.conf very often gets this:

   http_access allow to_localhost
   cache_peer_access apache allow to_localhost

For this usage 127.* is not a bogon at all.
Yet 0.0.0.0 in its place would be completely insane despite any
trickery the TCP stack might do to cope.

Amos

-- 
Please be using
   Current Stable Squid 2.7.STABLE6 or 3.0.STABLE18
   Current Beta Squid 3.1.0.13
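The split-view scenario above, worked through as an added example (this is not Squid code and not part of the thread). It models the `to_localhost` `dst` ACL as a plain address-set match, resolves the destination name the way Squid would see it (hosts file first, then whatever view Squid's resolver returns), and shows what the two `allow to_localhost` lines do for `foo.example.com` versus a hosts-file entry that points a name at 0.0.0.0. The ACL contents are an assumption taken from the `acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1` default of the 3.1 series; `PRE_R9907` is a hypothetical pre-change set with only the loopback ranges. The DNS views, the `ads.example.net` hosts entry and the peer name `apache` are constructed for the example. The last function probes what the local TCP stack actually does with `connect()` to 0.0.0.0; its result is platform dependent and is reported, not asserted.

```python
import ipaddress
import socket

# Assumed default to_localhost after r9907 (squid.conf.documented, 3.1 series):
#   acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 ::1
TO_LOCALHOST = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/32"),
    ipaddress.ip_network("::1/128"),
]
# Hypothetical pre-r9907 set: loopback only, no unspecified address.
PRE_R9907 = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("::1/128"),
]

# Constructed DNS views: what the public sees versus what Squid's resolver sees.
PUBLIC_VIEW = {"foo.example.com": "1.2.3.4"}
SQUID_VIEW = {"foo.example.com": "127.0.0.1"}
# Constructed hosts-file entry of the "boganize the domain" kind from the thread.
HOSTS_FILE = {"ads.example.net": "0.0.0.0"}


def resolve(name, view=SQUID_VIEW, hosts=HOSTS_FILE):
    """Resolve as Squid would: hosts file first, then the resolver view it can see.
    Returns None for NXDOMAIN, which no dst ACL can match."""
    if name in hosts:
        return hosts[name]
    return view.get(name)


def to_localhost_matches(ip, acl=TO_LOCALHOST):
    """dst-style ACL match: does the resolved address fall in any listed network?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in acl)


def decide(name, acl=TO_LOCALHOST, view=SQUID_VIEW, hosts=HOSTS_FILE):
    """Apply the two lines from the thread:
         http_access allow to_localhost
         cache_peer_access apache allow to_localhost
    Returns (http_access result, peer the request is routed to)."""
    ip = resolve(name, view, hosts)
    if ip is not None and to_localhost_matches(ip, acl):
        return ("allow", "apache")
    return ("no match", None)  # falls through to whatever rules follow in squid.conf


def probe_connect_to_unspecified(timeout=1.0):
    """Bind a listener on 127.0.0.1 and connect() to 0.0.0.0 on the same port.
    True means the stack silently redirected the connect to loopback (Linux does
    this); False means it refused. Platform behaviour, so only reported."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    cli = socket.socket()
    cli.settimeout(timeout)
    try:
        cli.connect(("0.0.0.0", port))
        return True
    except OSError:
        return False
    finally:
        cli.close()
        srv.close()


if __name__ == "__main__":
    # The intended vhost case: Squid's view says loopback, request goes to Apache.
    print("foo.example.com (Squid view):", decide("foo.example.com"))
    # Same name as the public resolves it: not local, the rules do not match.
    print("foo.example.com (public view):", decide("foo.example.com", view=PUBLIC_VIEW))
    # The case Amos objects to: a hosts-file blackhole now matches to_localhost too.
    print("ads.example.net, after r9907:", decide("ads.example.net"))
    print("ads.example.net, before r9907:", decide("ads.example.net", acl=PRE_R9907))
    print("connect() to 0.0.0.0 reaches a 127.0.0.1 listener:", probe_connect_to_unspecified())
```

The point the table of results makes: with 0.0.0.0 in the set, a name that an admin blackholed in the hosts file is treated exactly like the vhost backend and handed to the `apache` peer, and on a stack that maps 0.0.0.0 to loopback the connect will even succeed. Whether that is acceptable depends on which of the two readings of "localhost" the config was written for, which is the disagreement in the thread.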
Received on Mon Aug 17 2009 - 02:09:08 MDT

This archive was generated by hypermail 2.2.0 : Mon Aug 17 2009 - 12:00:05 MDT