
List:       squid-cvs
Subject:    /bzr/squid3/trunk/ r9521: Bug 2601: Hack. Convert IPv4 netmasks to CIDR in
From:       Amos Jeffries <squid3 () treenet ! co ! nz>
Date:       2009-02-21 3:56:39
Message-ID: 20090221040005.70304.qmail () squid-cache ! org

--===============1707342994==
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

------------------------------------------------------------
revno: 9521
committer: Amos Jeffries <squid3@treenet.co.nz>
branch nick: trunk
timestamp: Sat 2009-02-21 16:56:39 +1300
message:
  Bug 2601: Hack. Convert IPv4 netmasks to CIDR in IPv6-enabled mode
  
  See bug 2601 for a trace demonstrating the effect of masking an IPv6 address
  with an IPv4 netmask instead of a CIDR mask.
  
  This hack, locates what CIDR mask was _probably_ meant to be in its
  native protocol format. Then resets the mask to that CIDR form.
  
  This will completely crap out with a security fail-open if the admin is
  playing mask tricks.  However, thats their fault, and we do warn loudly.
modified:
  src/ACLIP.cc

--===============1707342994==
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; name="r9521.diff"
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

=== modified file 'src/ACLIP.cc'
--- a/src/ACLIP.cc	2009-02-20 09:54:09 +0000
+++ b/src/ACLIP.cc	2009-02-21 03:56:39 +0000
@@ -215,8 +215,24 @@
 
     /* dotted notation */
     /* assignment returns true if asc contained an IP address as text */
-    if ((mask = asc))
+    if ((mask = asc)) {
+#if USE_IPV6
+        /* HACK: IPv4 netmasks don't cleanly map to IPv6 masks. */
+        debugs(28, DBG_IMPORTANT, "WARNING: Netmasks are deprecated. Please use CIDR \
masks instead."); +        if(mask.IsIPv4()) {
+            /* locate what CIDR mask was _probably_ meant to be in its native \
protocol format. */ +            /* this will completely crap out with a security \
fail-open if the admin is playing mask tricks */ +            /* however, thats their \
fault, and we do warn. see bug 2601 for the effects if we don't do this. */ +         \
unsigned int m = mask.GetCIDR(); +            debugs(28, DBG_CRITICAL, "WARNING: IPv4 \
netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges."); +        \
debugs(28, DBG_CRITICAL, "WARNING: For now we assume you meant to write /" << m); +   \
/* reset the mask completely, and crop to the CIDR boundary back properly. */ +       \
mask.NoAddr(); +            return mask.ApplyMask(m,AF_INET);
+        }
+#endif /* USE_IPV6 */
         return true;
+    }
 
     return false;
 }
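Review bot: The new IPv4 branch derives a prefix length with `mask.GetCIDR()` and rebuilds the mask from it, but nothing checks that the rebuilt mask reproduces the netmask the admin actually wrote, so a non-contiguous mask (the "mask tricks" case the commit message itself calls a fail-open) is silently replaced by a different range and the ACL entry still loads. A config-time check that fails closed would be safer: keep a copy of the parsed mask before `mask.NoAddr()`, compare it with the result of `mask.ApplyMask(m,AF_INET)`, and `return false;` with a DBG_CRITICAL message on mismatch or when ApplyMask reports failure, so the entry is rejected rather than accepted with a guessed prefix. This assumes the address type has an equality operator that compares the stored bits independent of IPv4/IPv6 representation, which is not visible in the hunk and should be confirmed; it also covers whatever GetCIDR returns for a mask it cannot express as a prefix. The enclosing function starts before the hunk.
```cpp
        if (mask.IsIPv4()) {
            const MASK_TYPE asGiven = mask;   /* MASK_TYPE: placeholder for mask's declared type (outside the hunk) */
            unsigned int m = mask.GetCIDR();
            /* … unchanged: deprecation warnings … */
            mask.NoAddr();
            /* assumes the address type provides operator== on the stored bits — confirm */
            if (!mask.ApplyMask(m, AF_INET) || !(mask == asGiven)) {
                debugs(28, DBG_CRITICAL, "ERROR: IPv4 netmask is not a contiguous prefix; rejecting it instead of guessing.");
                return false;
            }
            return true;
        }
```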


--===============1707342994==--


