[squid-users] acl dst ipv6 does not matches all IPv6 addresses
Amos Jeffries
squid3 at treenet.co.nz
Wed Mar 8 07:18:04 UTC 2023
On 8/03/2023 3:00 am, john jacob wrote:
> Hi,
>
> I am facing the same issue as described in
> https://bugs.squid-cache.org/show_bug.cgi?id=5154 where ipv6 literal
> URLs are causing squid, v5.7, to restart. As a work around I am
> testing the below to deny ipv6 requests.
>
> acl to_ipv6 dst ipv6
> acl from_ipv6 src ipv6
>
...
> I could not find any reference which mentions
> FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 as a special type of IPv6. I
> am wondering why FEDC:BA98:7654:3210:FEDC:BA98:7654:3210 does not
> match ipv6 check.
TL;DR: it is not an IPv6 address.
The "ipv6" magic name is not the same as the ::/0 address range. The
IPv6 addresses have sections carved out for mapping other IP protocol
addresses, e.g. several ways to map IPv4, some ranges for IPv5, and some
IPv7+ experimental ranges. Most of the F000::/4 addresses fall into that
experimental future IP versions category.
Thanks for the reminder of this particular carve-out. It is probably
long overdue removing these F-range exceptions from Squid.
I will get onto that right now.
Meanwhile, the patterns you can set in your ACLs are:
acl to_ipv6 dst ipv6 \
::1:0:0-::EFFF:0:0/32 ::1:0:0:0/17 \
F000::/7 FE00::/9 FEC0::/10 \
FF00::-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFE/128
(note the 'E' on that last long one)
Or you could switch from "block IPv6" to "only allow IPv4", e.g.:
acl to_ipv4 dst ipv4
http_access deny !to_ipv4
HTH
Amos
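As an added example (not part of the message above and not Squid's own code), the following Python script uses the standard ipaddress module to show where a given literal sits: whether it is an IPv6 address at all, whether it falls in the F000::/4 block the reply describes as carved out for experimental future IP versions, and which of the entries listed in the reply, if any, would pick it up. The entry syntax is read under a simplifying assumption stated in the docstring ("A/N" is a prefix, "A-B" an inclusive range, "A-B/N" a range compared after masking all three addresses to N bits); Squid's actual matching code is not reproduced, and "F000:/7" from the reply is taken as "F000::/7". The sample literals at the bottom are constructed for the demonstration.

```python
"""Added example (not Squid's code): test IPv6 literals against the acl
entries listed in the reply above, using Python's ipaddress module.

Assumed reading of the entry syntax (Squid's own matching code is not
reproduced here):
  * "A/N"    matches when the first N bits of the address equal A's.
  * "A-B"    matches when A <= address <= B.
  * "A-B/N"  masks A, B and the tested address to N bits, then compares.
"""
from ipaddress import IPv6Address, IPv6Network, ip_address

# The block the reply describes as mostly experimental / future IP versions,
# which the "ipv6" magic word does not cover.
F_BLOCK = IPv6Network("F000::/4")

# Entries transcribed from the reply ("F000:/7" read as "F000::/7").
REPLY_ENTRIES = [
    "::1:0:0-::EFFF:0:0/32",
    "::1:0:0:0/17",
    "F000::/7",
    "FE00::/9",
    "FEC0::/10",
    "FF00::-FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF:FFFE/128",
]


def _masked(addr, prefixlen):
    """Keep only the first prefixlen bits of an IPv6 address."""
    return IPv6Network((int(addr), prefixlen), strict=False).network_address


def entry_matches(entry, addr):
    """Apply one entry to an address under the assumed semantics above."""
    addr = IPv6Address(addr)
    bounds, _, prefix = entry.partition("/")
    prefixlen = int(prefix) if prefix else 128
    lo_text, _, hi_text = bounds.partition("-")
    lo = IPv6Address(lo_text)
    hi = IPv6Address(hi_text) if hi_text else lo
    probe = _masked(addr, prefixlen)
    return _masked(lo, prefixlen) <= probe <= _masked(hi, prefixlen)


def first_matching_entry(addr, entries=REPLY_ENTRIES):
    """Return the first entry that matches addr, or None if none does."""
    return next((e for e in entries if entry_matches(e, addr)), None)


def classify(literal):
    """Summarise a literal: IPv6 at all, inside F000::/4, and which reply
    entry (if any) would catch it."""
    addr = ip_address(literal)
    if addr.version != 6:
        return {"ipv6": False, "in_f_block": False, "entry": None}
    return {
        "ipv6": True,
        "in_f_block": addr in F_BLOCK,
        "entry": first_matching_entry(addr),
    }


if __name__ == "__main__":
    # Constructed sample literals: the address from the question, loopback,
    # the all-nodes multicast address, a documentation-range address and a
    # plain IPv4 address.
    for lit in ("FEDC:BA98:7654:3210:FEDC:BA98:7654:3210", "::1", "ff02::1",
                "2001:db8::1", "192.0.2.1"):
        print(f"{lit:42} {classify(lit)}")
```

Running it shows the address from the question inside F000::/4, which is why the "ipv6" magic word skips it, and picked up by the FEC0::/10 entry of the explicit list; the results for the other literals depend on the assumed mask semantics, so check them against a live squid -k parse before relying on the workaround.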