
List:       squid-dev
Subject:    [squid-dev] acl dst ipv6 does not match all IPv6 addresses
From:       john jacob <john.rmesi () gmail ! com>
Date:       2023-03-07 13:38:33
Message-ID: CAGMRTB3GoFJ74YEd3aXMf3_qt1x_POgBNZrtLCb1rfDD4DOvwA () mail ! gmail ! com

Hi,

I am facing the same issue as described in
https://bugs.squid-cache.org/show_bug.cgi?id=5154 where ipv6 literal URLs
are causing squid, v5.7, to restart. As a workaround I am testing the
below to deny ipv6 requests.

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

# Prevent ipv6 requests to avoid crash in squid > 5.x
http_access deny to_ipv6
http_access deny from_ipv6

While this works for most of the ipv6 URLs, in some cases, like
http://[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]:80/index.html,
the ACL is not matched.

2023/03/06 20:01:03.049 kid1| 28,3| Checklist.cc(70) preCheck: 0x15c1278 checking slow rules
2023/03/06 20:01:03.049 kid1| 28,5| Acl.cc(124) matches: checking http_access
2023/03/06 20:01:03.049 kid1| 28,5| Checklist.cc(398) bannedAction: Action 'DENIED/0' is not banned
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking http_access#1
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking to_ipv6
2023/03/06 20:01:03.050 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: [fedc:ba98:7654:3210:fedc:ba98:7654:3210]/[ffc0::] ([fec0::])  vs [fe80::]-[::]/[ffc0::]
2023/03/06 20:01:03.050 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[fedc:ba98:7654:3210:fedc:ba98:7654:3210]' NOT found
2023/03/06 20:01:03.050 kid1| 28,3| Acl.cc(151) matches: checked: to_ipv6 = 0
2023/03/06 20:01:03.050 kid1| 28,3| Acl.cc(151) matches: checked: http_access#1 = 0
2023/03/06 20:01:03.050 kid1| 28,5| Checklist.cc(398) bannedAction: Action 'DENIED/0' is not banned
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking http_access#2

I could not find any reference which mentions
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 as a special type of IPv6. I am
wondering why FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 does not match ipv6
check.

Regards,
John
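
Added example, not part of the original message or of Squid's code: it re-runs the masked comparison recorded in the aclIpAddrNetworkCompare debug line above. The field layout assumed by the regular expression and the names `replay_compare`, `COMPARE_RE` and `LOG_LINE` are assumptions made for this example. With mask ffc0:: the tested address reduces to fec0::, which lies in fec0::/10 (site-local, deprecated by RFC 3879) and not in the fe80::/10 entry it was compared with.

```python
import ipaddress
import re

# The aclIpAddrNetworkCompare line from the debug log in the message, on one line.
LOG_LINE = (
    "2023/03/06 20:01:03.050 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: "
    "aclIpAddrNetworkCompare: compare: "
    "[fedc:ba98:7654:3210:fedc:ba98:7654:3210]/[ffc0::] ([fec0::])  vs "
    "[fe80::]-[::]/[ffc0::]"
)

# Assumed field layout:
#   [tested addr]/[mask] ([tested addr & mask]) vs [entry]-[range end]/[mask]
COMPARE_RE = re.compile(
    r"compare: \[(?P<addr>[^\]]+)\]/\[(?P<mask>[^\]]+)\] \(\[(?P<masked>[^\]]+)\]\)"
    r"\s+vs\s+\[(?P<entry>[^\]]+)\]-\[(?P<end>[^\]]+)\]/\[(?P<emask>[^\]]+)\]"
)


def v6(value):
    """Build an IPv6Address from text or from a 128-bit integer."""
    return ipaddress.IPv6Address(value)


def replay_compare(line):
    """Redo the masked comparison recorded in one aclIpAddrNetworkCompare line."""
    m = COMPARE_RE.search(line)
    if m is None:
        raise ValueError("not an aclIpAddrNetworkCompare line")
    addr, mask, entry = v6(m["addr"]), int(v6(m["mask"])), v6(m["entry"])
    prefix_len = bin(mask).count("1")  # valid for contiguous masks such as ffc0::
    masked = v6(int(addr) & mask)
    return {
        "address": addr,
        "masked": masked,                   # recomputed here
        "logged_masked": v6(m["masked"]),   # value printed in the log
        "entry": ipaddress.IPv6Network((int(entry) & mask, prefix_len)),
        "match": int(masked) == (int(entry) & mask),
        "site_local": addr.is_site_local,   # True inside fec0::/10
    }


if __name__ == "__main__":
    for key, value in replay_compare(LOG_LINE).items():
        print(f"{key:14} {value}")
```

The excerpt shows only the comparison against the fe80::/10 entry; the "NOT found" line that follows it records that no entry of the to_ipv6 ACL matched.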
