Regression Bug 3769: client_netmask not evaluated since Comm redesign
authorAmos Jeffries <squid3@treenet.co.nz>
Thu, 6 Feb 2014 12:16:08 +0000 (05:16 -0700)
committerAmos Jeffries <squid3@treenet.co.nz>
Thu, 6 Feb 2014 12:16:08 +0000 (05:16 -0700)
src/AccessLogEntry.cc

index d8c41efa6d600e32ef0dc6f003b61dc4e93a1286..45cf014e02ac5d83f27ec18a2ac162c16041a900 100644 (file)
@@ -15,17 +15,30 @@ AccessLogEntry::SslDetails::SslDetails(): user(NULL), bumpMode(::Ssl::bumpEnd)
 void
 AccessLogEntry::getLogClientIp(char *buf, size_t bufsz) const
 {
+    Ip::Address log_ip;
+
 #if FOLLOW_X_FORWARDED_FOR
     if (Config.onoff.log_uses_indirect_client && request)
-        request->indirect_client_addr.toStr(buf, bufsz);
+        log_ip = request->indirect_client_addr;
     else
 #endif
         if (tcpClient != NULL)
-            tcpClient->remote.toStr(buf, bufsz);
-        else if (cache.caddr.isNoAddr()) // e.g., ICAP OPTIONS lack client
+            log_ip = tcpClient->remote;
+        else if (cache.caddr.isNoAddr()) // e.g., ICAP OPTIONS lack client
             strncpy(buf, "-", bufsz);
-        else
-            cache.caddr.toStr(buf, bufsz);
+            return;
+        } else
+            log_ip = cache.caddr;
+
+    // Apply so-called 'privacy masking' to IPv4 clients
+    // - localhost IP is always shown in full
+    // - IPv4 clients masked with client_netmask
+    // - IPv6 clients use 'privacy addressing' instead.
+
+    if (!log_ip.isLocalhost() && log_ip.isIPv4())
+        log_ip.applyMask(Config.Addrs.client_netmask);
+
+    log_ip.toStr(buf, bufsz);
 }
 
 AccessLogEntry::~AccessLogEntry()
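Review bot: The new guard `if (!log_ip.isLocalhost() && log_ip.isIPv4())` leaves every IPv6 client address in the log unmasked, and the comment above it justifies that with 'privacy addressing', which is a client-side choice the proxy cannot verify. Hosts with static or interface-derived IPv6 addresses therefore stay fully identifiable in the log even when client_netmask is configured. I would state that limit in the comment itself, for example `// - IPv6 clients are logged unmasked; client_netmask does not apply to them`, so an operator relying on the directive for log anonymisation is not misled. Separately, as rendered here the added `} else` has no matching `{` on the `else if (cache.caddr.isNoAddr())` line; this may be a display loss, but it is worth confirming against the committed file.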