No-lookup DNS ACLs

No-lookup DNS ACLs

Currently, dst, dstdom, dstdom_regex (and other?) DNS-related ACLs do DNS
lookups if such a lookup is needed to convert an IP address into a domain name
or vice versa. This creates two kinds of problems:

 - It is difficult to identify requests that use raw IP addresses in Request-URI
   or Host headers. One would have to use something like url_regex and possibly
   req_header to identify those before using dst ACLs to match the request
   destination against a known IP subnet. IPv6 would only make this harder.

 - It is difficult to use dst* ACLs in options that support fast ACLs only.
   If an async lookup is required, the answer will be unpredictable (now)
   or DUNNO (when the ACL bugs are fixed), possibly with warnings and other
   complications.

This patch adds a -n option to dst, dstdom, dstdom_regex and other DNS-related
ACLs. The option disable lookups and address type conversions. If lookup or
conversion is required because the parameter type (IP or domain name) does not
match the message address type (domain name or IP), then the ACL with a -n
option would immediately declare a mismatch without any warnings or lookups.

The "--" option can be used to stop processing all options, in the case the
first acl value has '-' character as first character (for example the '-' is
a valid domain name)

For example:

    # Matches requests with full URI host set to localhost
    # but not requests with full URI host set to 127.0.0.1
    acl toLocalRawName dstdom -n localhost
    http_access allow toLocalRawName

    # Use -- option to stop processing flags
    acl AnACL dst_domain -n -- -cream-and-sugar.tumblr.com

    # Matches requests with full URI host set to 127.0.0.1
    # but not requests with full URI host set to localhost
    acl toLocalRawIp dst -n 127.0.0.1/32
    cache_peer_access peer1 allow toLocalRawIp

Please note that -n prohibits lookups in Squid's DNS caches as well.

This is a Measurement Factory project