From ca03e8b7731dee4eaf2d94723210631a3fe6a3e4 Mon Sep 17 00:00:00 2001
From: Amos Jeffries <squid3@treenet.co.nz>
Date: Wed, 12 Feb 2014 01:52:29 -0700
Subject: [PATCH] Regression Bug 3769: client_netmask not evaluated since Comm
 redesign

---
 src/AccessLogEntry.cc | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/AccessLogEntry.cc b/src/AccessLogEntry.cc
index d8c41efa6d..45cf014e02 100644
--- a/src/AccessLogEntry.cc
+++ b/src/AccessLogEntry.cc
@@ -15,17 +15,30 @@ AccessLogEntry::SslDetails::SslDetails(): user(NULL), bumpMode(::Ssl::bumpEnd)
 void
 AccessLogEntry::getLogClientIp(char *buf, size_t bufsz) const
 {
+    Ip::Address log_ip;
+
 #if FOLLOW_X_FORWARDED_FOR
     if (Config.onoff.log_uses_indirect_client && request)
-        request->indirect_client_addr.toStr(buf, bufsz);
+        log_ip = request->indirect_client_addr;
     else
 #endif
         if (tcpClient != NULL)
-            tcpClient->remote.toStr(buf, bufsz);
-        else if (cache.caddr.isNoAddr()) // e.g., ICAP OPTIONS lack client
+            log_ip = tcpClient->remote;
+        else if (cache.caddr.isNoAddr()) { // e.g., ICAP OPTIONS lack client
             strncpy(buf, "-", bufsz);
-        else
-            cache.caddr.toStr(buf, bufsz);
+            return;
+        } else
+            log_ip = cache.caddr;
+
+    // Apply so-called 'privacy masking' to IPv4 clients
+    // - localhost IP is always shown in full
+    // - IPv4 clients masked with client_netmask
+    // - IPv6 clients use 'privacy addressing' instead.
+
+    if (!log_ip.isLocalhost() && log_ip.isIPv4())
+        log_ip.applyMask(Config.Addrs.client_netmask);
+
+    log_ip.toStr(buf, bufsz);
 }
 
 AccessLogEntry::~AccessLogEntry()
-- 
2.47.2