[squid-dev] acl dst ipv6 doesnot matches all IPv6 addresses

john jacob john.rmesi at gmail.com
Tue Mar 7 13:26:33 UTC 2023


Hi,

I am facing the same issue as described in
https://bugs.squid-cache.org/show_bug.cgi?id=5154 where ipv6 literal URLs
are casuing squid, v5.7, to restart. As a work around I am testing the
below to deny ipv6 requests.

acl to_ipv6 dst ipv6
acl from_ipv6 src ipv6

# Prevent ipv6 requests to avoid crash in squid > 5.x
http_access deny to_ipv6
http_access deny from_ipv6

While this works for most of the ipv6 URLs , some of the cases like
http://[FEDC:BA98:7654:3210:FEDC:BA98:7654:3210]:80/index.html
, ACL is not matched.

2023/03/06 20:01:03.049 kid1| 28,3| Checklist.cc(70) preCheck: 0x15c1278
checking slow rules
2023/03/06 20:01:03.049 kid1| 28,5| Acl.cc(124) matches: checking
http_access
2023/03/06 20:01:03.049 kid1| 28,5| Checklist.cc(398) bannedAction: Action
'DENIED/0' is not banned
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking
http_access#1
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking to_ipv6
2023/03/06 20:01:03.050 kid1| 28,9| Ip.cc(96) aclIpAddrNetworkCompare:
aclIpAddrNetworkCompare: compare:
[fedc:ba98:7654:3210:fedc:ba98:7654:3210]/[ffc0::] ([fec0::])  vs
[fe80::]-[::]/[ffc0::]
2023/03/06 20:01:03.050 kid1| 28,3| Ip.cc(538) match: aclIpMatchIp:
'[fedc:ba98:7654:3210:fedc:ba98:7654:3210]' NOT found
2023/03/06 20:01:03.050 kid1| 28,3| Acl.cc(151) matches: checked: to_ipv6 =
0
2023/03/06 20:01:03.050 kid1| 28,3| Acl.cc(151) matches: checked:
http_access#1 = 0
2023/03/06 20:01:03.050 kid1| 28,5| Checklist.cc(398) bannedAction: Action
'DENIED/0' is not banned
2023/03/06 20:01:03.050 kid1| 28,5| Acl.cc(124) matches: checking
http_access#2

I could not find any reference which mentions
FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 as a special type of IPv6. I am
wondering why FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 does not match ipv6
check.

Regards,
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.squid-cache.org/pipermail/squid-dev/attachments/20230307/e7f51d38/attachment.htm>


More information about the squid-dev mailing list