Re: acl dst ipv6 does not matches all IPv6 addresses


On 8/03/2023 3:00 am, john jacob wrote:
Hi,

I am facing the same issue as described in https://bugs.squid-cache.org/show_bug.cgi?id=5154 where ipv6 literal URLs are causing squid, v5.7, to restart. As a workaround I am testing the below to deny ipv6 requests.

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

...
I could not find any reference which mentions FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 as a special type of IPv6. I am wondering why FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 does not match ipv6 check.

TL;DR: it is not an IPv6 address.

The "ipv6" magic name is not the same as the ::/0 address range. The IPv6 addresses have sections carved out for mapping other IP protocol addresses. eg several ways to map IPv4, some ranges for IPv5, and some IPv7+ experimental ranges. Most of the F000::/4 addresses fall into that experimental future IP versions category.

Thanks for the reminder of this particular carve-out. It is probably long overdue removing these F-range exceptions from Squid.
I will get onto that right now.

Meanwhile, the patterns you can set in your ACLs are:

  acl to_ipv6 dst ipv6 \
    ::1:0:0-::EFFF:0:0/32 ::1:0:0:0/17 \
    F000::/7 FE00::/9 FEC0::/10 \
    FF00::-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFE/128

(note the 'E' on that last long one)

Or you could switch from "block IPv6" to "only allow IPv4", eg:

   acl to_ipv4 dst ipv4
   http_access deny !to_ipv4



HTH
Amos

_______________________________________________
squid-users mailing list
squid-users@xxxxxxxxxxxxxxxxxxxxx
http://lists.squid-cache.org/listinfo/squid-users
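
Added example, not part of the original message and not Squid code: a Python pre-check of which explicit entries from the ACL above contain a given destination address, useful for confirming the workaround covers the address from the question before deploying it. It assumes the F000 entry is meant as F000::/7 and that the /128 range is a plain inclusive range; the two entries whose mask handling is not explained on this page are left out.

```python
import ipaddress

# CIDR entries from the ACL in the message above. The first two entries
# (::1:0:0-::EFFF:0:0/32 and ::1:0:0:0/17) are left out because how Squid
# applies a mask to them is not stated on this page.
# Assumption: the F000 entry is written in its valid form, F000::/7.
CIDR_ENTRIES = ["F000::/7", "FE00::/9", "FEC0::/10"]

# The last entry carries a /128 mask, so it is treated as a plain
# inclusive first-last range (assumption about the range syntax).
RANGE_ENTRIES = [("FF00::", "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFE")]


def covering_entries(address):
    """Return the explicit ACL entries that contain `address`."""
    ip = ipaddress.IPv6Address(address)
    hits = [c for c in CIDR_ENTRIES if ip in ipaddress.IPv6Network(c)]
    for first, last in RANGE_ENTRIES:
        if ipaddress.IPv6Address(first) <= ip <= ipaddress.IPv6Address(last):
            hits.append(f"{first}-{last}/128")
    return hits


# Constructed test addresses, apart from the one quoted in the question.
SAMPLES = [
    "FEDC:BA98:7654:3210:FEDC:BA98:7654:3210",  # address from the question
    "F100::1",
    "FF02::1",
    "FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF",  # one past the 'E' endpoint
    "2001:db8::1",  # documentation prefix, outside the F-range
]

if __name__ == "__main__":
    for sample in SAMPLES:
        hits = covering_entries(sample)
        print(f"{sample:42} {', '.join(hits) if hits else 'no explicit entry'}")
```

An address reported as "no explicit entry" depends entirely on what the "ipv6" name matches in the running Squid version.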



