Hi,

I am facing the same issue as described in https://bugs.squid-cache.org/show_bug.cgi?id=5154 where IPv6 literal URLs are causing Squid, v5.7, to restart. As a workaround I am testing the below to deny IPv6 requests.

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6
# Prevent ipv6 requests to avoid crash in squid > 5.x
http_access deny to_ipv6
http_access deny from_ipv6

While this works for most of the IPv6 URLs, in some cases, like http://[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]:80/index.html, the ACL is not matched.

2023/03/06 20:01:03.049 kid1| 28,3| Checklist.cc(70) preCheck: 0x15c1278 checking slow rules
2023/03/06 20:01:03.049 kid1| 28,5| Acl.cc(124) matches: checking http_access
2023/03/06 20:01:03.049 kid1| 28,5| Checklist.cc(398) bannedAction: Action 'DENIED/0' is not banned
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking http_access#1
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking to_ipv6
2023/03/06 20:01:03.050 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: aclIpAddrNetworkCompare: compare: [fedc:ba98:7654:3210:fedc:ba98:7654:3210]/[ffc0::] ([fec0::]) vs [fe80::]-[::]/[ffc0::]
2023/03/06 20:01:03.050 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp: '[fedc:ba98:7654:3210:fedc:ba98:7654:3210]' NOT found
2023/03/06 20:01:03.050 kid1| 28,3| Acl.cc(151) matches: checked: to_ipv6 = 0
2023/03/06 20:01:03.050 kid1| 28,3| Acl.cc(151) matches: checked: http_access#1 = 0
2023/03/06 20:01:03.050 kid1| 28,5| Checklist.cc(398) bannedAction: Action 'DENIED/0' is not banned
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking http_access#2

I could not find any reference which mentions FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 as a special type of IPv6. I am wondering why FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 does not match the ipv6 check.

Regards,
John
_______________________________________________ squid-users mailing list squid-users@xxxxxxxxxxxxxxxxxxxxx http://lists.squid-cache.org/listinfo/squid-users
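
Added example, not part of the original message and not Squid's code: a small Python parser for the section 28,9 `aclIpAddrNetworkCompare` line quoted in the log, which recomputes the masked address and shows why that ACL entry reports no match (fec0:: is not fe80:: under the ffc0:: mask). The function names and the reading of a `[::]` upper bound as "single network entry" are assumptions made for this example.

```python
import ipaddress
import re

# Constructed sample: the section 28,9 line copied from the debug log above.
LOG_LINE = (
    "2023/03/06 20:01:03.050 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare: "
    "aclIpAddrNetworkCompare: compare: "
    "[fedc:ba98:7654:3210:fedc:ba98:7654:3210]/[ffc0::] ([fec0::]) "
    "vs [fe80::]-[::]/[ffc0::]"
)

# Group names are labels chosen for this example, not Squid identifiers.
COMPARE_RE = re.compile(
    r"compare: \[(?P<addr>[^\]]+)\]/\[[^\]]+\] \(\[[^\]]+\]\) "
    r"vs \[(?P<lo>[^\]]+)\]-\[(?P<hi>[^\]]+)\]/\[(?P<mask>[^\]]+)\]"
)


def v6(text):
    """Return an IPv6 address string as a 128-bit integer."""
    return int(ipaddress.IPv6Address(text))


def explain_compare(line):
    """Recompute the comparison recorded in one aclIpAddrNetworkCompare line."""
    m = COMPARE_RE.search(line)
    if m is None:
        raise ValueError("not an aclIpAddrNetworkCompare line")
    addr, mask = v6(m["addr"]), v6(m["mask"])
    lo, hi = v6(m["lo"]), v6(m["hi"])
    masked = addr & mask
    # Assumption: an upper bound of [::] marks a single-network entry, so the
    # masked address must equal the entry's base; otherwise lo-hi is a range.
    matched = (masked == lo) if hi == 0 else (lo <= masked <= hi)
    prefix = bin(mask).count("1")  # valid for contiguous masks such as ffc0::
    return {
        "address": m["addr"],
        "masked": str(ipaddress.IPv6Address(masked)),
        "entry": f"{ipaddress.IPv6Address(lo)}/{prefix}",
        "matched": matched,
    }


if __name__ == "__main__":
    print(explain_compare(LOG_LINE))
```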