On 8/03/2023 3:00 am, john jacob wrote:
> Hi,
> I am facing the same issue as described in
> https://bugs.squid-cache.org/show_bug.cgi?id=5154 where ipv6 literal
> URLs are causing squid, v5.7, to restart. As a workaround I am
> testing the below to deny ipv6 requests.
>
>   acl to_ipv6 dst ipv6
>   acl from_ipv6 src ipv6
> ...
> I could not find any reference which mentions
> FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 as a special type of IPv6. I
> am wondering why FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 does not
> match ipv6 check.
TL;DR: it is not an IPv6 address.
The "ipv6" magic name is not the same as the ::/0 address range. The
IPv6 addresses have sections carved out for mapping other IP protocol
addresses. eg several ways to map IPv4, some ranges for IPv5, and some
IPv7+ experimental ranges. Most of the F000::/4 addresses fall into that
experimental future IP versions category.
Thanks for the reminder of this particular carve-out. It is probably
long overdue removing these F-range exceptions from Squid.
I will get onto that right now.
Meanwhile, the patterns you can set in your ACLs are:
  acl to_ipv6 dst ipv6 \
    ::1:0:0-::EFFF:0:0/32 ::1:0:0:0/17 \
    F000::/7 FE00::/9 FEC0::/10 \
    FF00::-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFE/128
(note the 'E' on that last long one)
Or you could switch from "block IPv6" to "only allow IPv4", eg:
  acl to_ipv4 dst ipv4
  http_access deny !to_ipv4
HTH
Amos
_______________________________________________
squid-users mailing list
http://lists.squid-cache.org/listinfo/squid-users
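The following check is an added example, not part of the original message or of Squid's code: it evaluates the supplementary patterns from the reply against the address from the question. It assumes Squid masks both range endpoints and the tested address with the prefix and then compares inclusively, and it writes the third pattern as F000::/7; the function names are hypothetical.

```python
import ipaddress

# Supplementary patterns from the reply, in Squid's addr[-addr][/prefix] form.
# "F000::/7" is written with a double colon so that it parses as IPv6.
PATTERNS = [
    "::1:0:0-::EFFF:0:0/32",
    "::1:0:0:0/17",
    "F000::/7",
    "FE00::/9",
    "FEC0::/10",
    "FF00::-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFE/128",
]


def parse(pattern):
    """Return (low, high, mask) as 128-bit integers for one pattern."""
    addrs, _, prefix = pattern.partition("/")
    bits = int(prefix) if prefix else 128
    mask = ((1 << bits) - 1) << (128 - bits)
    low, _, high = addrs.partition("-")
    # Assumption: the prefix mask is applied to both endpoints of a range.
    lo = int(ipaddress.IPv6Address(low)) & mask
    hi = int(ipaddress.IPv6Address(high or low)) & mask
    return lo, hi, mask


def matching_patterns(address, patterns=PATTERNS):
    """List the patterns that cover the given IPv6 address."""
    value = int(ipaddress.IPv6Address(address))
    hits = []
    for pattern in patterns:
        lo, hi, mask = parse(pattern)
        # Assumption: the tested address is masked, then range-compared.
        if lo <= (value & mask) <= hi:
            hits.append(pattern)
    return hits


if __name__ == "__main__":
    # Address from the question, plus constructed sample addresses.
    for addr in ("FEDC:BA98:7654:3210:FEDC:BA98:7654:3210",
                 "ff02::1",
                 "ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff",
                 "2001:db8::1"):
        print(addr, "->", matching_patterns(addr) or "no supplementary match")
```

Under these assumptions the address from the question is covered by the FEC0::/10 entry, and the all-ones address is the only one the final range leaves out because of the trailing 'E'.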