List: squid-cvs
Subject: /bzr/squid3/trunk/ r9521: Bug 2601: Hack. Convert IPv4 netmasks to CIDR in
From: Amos Jeffries <squid3 () treenet ! co ! nz>
Date: 2009-02-21 3:56:39
Message-ID: 20090221040005.70304.qmail () squid-cache ! org
------------------------------------------------------------
revno: 9521
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: trunk
timestamp: Sat 2009-02-21 16:56:39 +1300
message:
Bug 2601: Hack. Convert IPv4 netmasks to CIDR in IPv6-enabled mode
See bug 2601 for trace demonstrating the effect of masking an IPv6 address
with an IPv4 netmask instead of a CIDR mask.
This hack locates what CIDR mask was _probably_ meant to be in its
native protocol format. Then resets the mask to that CIDR form.
This will completely crap out with a security fail-open if the admin is
playing mask tricks. However, that's their fault, and we do warn loudly.
modified:
src/ACLIP.cc
=== modified file 'src/ACLIP.cc'
--- a/src/ACLIP.cc 2009-02-20 09:54:09 +0000
+++ b/src/ACLIP.cc 2009-02-21 03:56:39 +0000
@@ -215,8 +215,24 @@
/* dotted notation */
/* assignment returns true if asc contained an IP address as text */
- if ((mask = asc))
+ if ((mask = asc)) {
+#if USE_IPV6
+ /* HACK: IPv4 netmasks don't cleanly map to IPv6 masks. */
+ debugs(28, DBG_IMPORTANT, "WARNING: Netmasks are deprecated. Please use CIDR \
masks instead."); + if(mask.IsIPv4()) {
+ /* locate what CIDR mask was _probably_ meant to be in its native \
protocol format. */ + /* this will completely crap out with a security \
fail-open if the admin is playing mask tricks */ + /* however, thats their \
fault, and we do warn. see bug 2601 for the effects if we don't do this. */ + \
unsigned int m = mask.GetCIDR(); + debugs(28, DBG_CRITICAL, "WARNING: IPv4 \
netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges."); + \
debugs(28, DBG_CRITICAL, "WARNING: For now we assume you meant to write /" << m); + \
/* reset the mask completely, and crop to the CIDR boundary back properly. */ + \
mask.NoAddr(); + return mask.ApplyMask(m,AF_INET);
+ }
+#endif /* USE_IPV6 */
return true;
+ }
return false;
}
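Review bot: The IPv4 branch (unsigned int m = mask.GetCIDR(); then mask.NoAddr(); return mask.ApplyMask(m,AF_INET);) replaces the configured netmask with a prefix length without checking that the original mask was a contiguous prefix, so a non-contiguous mask is loaded as a different ACL range with nothing but a log line to show for it; the hunk's own comment concedes this is a fail-open. Consider rebuilding the mask from m, comparing it with the value parsed from asc, and returning false when they differ, so the entry is rejected rather than loaded with a guessed range. The warnings would also be more actionable if they printed the original mask text (asc), since "we assume you meant to write /m" does not say which entry was rewritten. Two smaller points: the "Netmasks are deprecated" message sits before the IsIPv4() test, so under USE_IPV6 it is logged for every mask that takes this path, and at DBG_IMPORTANT rather than the DBG_CRITICAL used by the two warnings after it; and the function now returns whatever ApplyMask() returns, so it is worth confirming that result means "parsed successfully" in the same sense as the return true it bypasses.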