Re: IPv6 interception crash: Ip::Address::getInAddr : Cannot convert non-IPv4 to IPv4.

Amos Jeffries <squid3@xxxxxxxxxxxxx> · Tue, 4 Oct 2016 23:56:15 +1300

On 4/10/2016 10:52 p.m., Egerváry Gergely wrote:
>> Is there another defined somewhere else? For some reason your Squid is
>> managing to build with just "nl_inip" (no 'addr') in the field name.
> 
> There's a copy in /usr/include/netinet, but it's the same:
> 
> typedef	struct	natlookup {
> 	i6addr_t	nl_inipaddr;
> 	i6addr_t	nl_outipaddr;
> 	i6addr_t	nl_realipaddr;
> 	int		nl_v;
> 	int		nl_flags;
> 	u_short		nl_inport;
> 	u_short		nl_outport;
> 	u_short		nl_realport;
> } natlookup_t;
> 
> #define	nl_inip		nl_inipaddr.in4
> #define	nl_outip	nl_outipaddr.in4
> #define	nl_realip	nl_realipaddr.in4
> #define	nl_inip6	nl_inipaddr.in6
> #define	nl_outip6	nl_outipaddr.in6
> #define	nl_realip6	nl_realipaddr.in6
> 
> ... so "nl_inip" is a simple #define to nl_inipaddr.in4
> 
> This is from Squid's Intercept.cc:
> 
>     natLookup.nl_inport = htons(newConn->local.port());
>     newConn->local.getInAddr(natLookup.nl_inip);
>     natLookup.nl_outport = htons(newConn->remote.port());
>     newConn->remote.getInAddr(natLookup.nl_outip);
> 
> Is this correct?
> Should we have this in the "else" section of
>   if (newConn->remote.isIPv6()) ... instead?
> 

Aha. Damn macros.

There are a few changes needed, for both v4/v6 inputs and 'realip'
processing. This attached patch should be what you need for Squid-3.5 to
work.

Amos
=== modified file 'src/ip/Intercept.cc'

--- src/ip/Intercept.cc	2016-04-12 06:52:39 +0000
+++ src/ip/Intercept.cc	2016-10-04 10:35:52 +0000
@@ -207,16 +207,21 @@
         debugs(89, warningLevel, "IPF (IPFilter v4) NAT does not support IPv6. Please upgrade to IPFilter v5.1");
         warningLevel = (warningLevel + 1) % 10;
         return false;
+    }
+    newConn->local.getInAddr(natLookup.nl_inip);
+    newConn->remote.getInAddr(natLookup.nl_outip);
 #else
         natLookup.nl_v = 6;
+        newConn->local.getInAddr(natLookup.nl_inipaddr.in6);
+        newConn->remote.getInAddr(natLookup.nl_outipaddr.in6);
     } else {
         natLookup.nl_v = 4;
+        newConn->local.getInAddr(natLookup.nl_inipaddr.in4);
+        newConn->remote.getInAddr(natLookup.nl_outipaddr.in4);
+    }
 #endif
-    }
     natLookup.nl_inport = htons(newConn->local.port());
-    newConn->local.getInAddr(natLookup.nl_inip);
     natLookup.nl_outport = htons(newConn->remote.port());
-    newConn->remote.getInAddr(natLookup.nl_outip);
     // ... and the TCP flag
     natLookup.nl_flags = IPN_TCP;
 
@@ -281,7 +286,14 @@
         debugs(89, 9, HERE << "address: " << newConn);
         return false;
     } else {
+#if IPFILTER_VERSION < 5000003
         newConn->local = natLookup.nl_realip;
+#else
+        if (newConn->remote.isIPv6())
+            newConn->local = natLookup.nl_realipaddr.in6;
+        else
+            newConn->local = natLookup.nl_realipaddr.in4;
+#endif
         newConn->local.port(ntohs(natLookup.nl_realport));
         debugs(89, 5, HERE << "address NAT: " << newConn);
         return true;

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users




