if test "$use_ipng" = "yes"; then
AC_DEFINE(USE_IPV6,1,[Enable support for IPv6 ])
+ SET_IPV6_SETTINGS=""
use_v4mapped=yes
dnl Check for forced split-stack mode
AC_DEFINE(USE_IPV6,0,[Enable support for IPv6])
AC_DEFINE(IPV6_SPECIAL_SPLITSTACK,0,[Enable support for IPv6 on split-stack implementations])
AC_DEFINE(IPV6_SPECIAL_V4MAPPED,0,[Enable v4-mapping through v6 sockets])
+ SET_IPV6_SETTINGS="\#IPv6 Not Available: "
fi
+AC_SUBST(SET_IPV6_SETTINGS)
dnl Check whether this OS defines ss_len as a member of sockaddr_storage
AC_CACHE_CHECK([for ss_len field in struct sockaddr_storage],
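Review bot: The name exported by `AC_SUBST(SET_IPV6_SETTINGS)` is not the placeholder the configuration template in this same diff uses, which is `@IPV6_ONLY_SETTING@`, so configure on its own will not rewrite those template lines. The escaped `\#` in `"\#IPv6 Not Available: "` suggests the value is meant to pass through a make rule that does the mapping, but no such rule is visible here. If that rule exists, a comment above the first assignment would save the next reader the search, e.g. `dnl substituted for @IPV6_ONLY_SETTING@ by the build rule that generates the default config`. If it does not, the IPv6 ACL lines would ship with the literal placeholder in front of them and fail to parse.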
/* Special ACL RHS "ipv6" matches IPv6-Unicast Internet */
if (strcasecmp(t, "ipv6") == 0) {
debugs(28, 9, "aclIpParseIpData: magic 'ipv6' found.");
- t = "2000::/3";
- /* AYJ: due to the nature os IPv6 this will not always work,
- * we may need to turn recursive to catch all the valid v6 sub-nets. */
+ r = q; // save head of the list for result.
+
+ /* 0000::/4 is a mix of localhost and obsolete IPv4-mapping space. Not valid outside this host. */
+
+ /* Future global unicast space: 1000::/4 */
+ q->addr1 = "1000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(4, AF_INET6);
+
+ /* Current global unicast space: 2000::/4 = (2000::/4 - 3000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "2000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(3, AF_INET6);
+
+ /* Future global unicast space: 4000::/2 = (4000::/4 - 7000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "4000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(2, AF_INET6);
+
+ /* Future global unicast space: 8000::/2 = (8000::/4 - B000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "8000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(2, AF_INET6);
+
+ /* Future global unicast space: C000::/3 = (C000::/4 - D000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "C000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(3, AF_INET6);
+
+ /* Future global unicast space: E000::/4 */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "E000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(4, AF_INET6);
+
+ /* F000::/4 is mostly reserved non-unicast. With some exceptions ... */
+
+ /* RFC 4193 Unique-Local unicast space: FC00::/7 */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "FC00::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(7, AF_INET6);
+
+ /* Link-Local unicast space: FE80::/10 */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "FE80::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(10, AF_INET6);
+
+ return r;
}
#endif
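Review bot: The comment on the second list entry says `2000::/4 = (2000::/4 - 3000::/4)` while the code below it calls `ApplyMask(3, AF_INET6)`; the comment should read `2000::/3`, which is also the prefix the removed line used. The header comment still describes the keyword as matching "IPv6-Unicast Internet", but the list now also contains unallocated space plus `FC00::/7` and `FE80::/10`, so an access rule written against `ipv6` will match unique-local and link-local peers as well as global ones. I would reword the header to `/* Special ACL RHS "ipv6" matches all IPv6 unicast space, including unique-local and link-local */` so administrators do not read it as "public Internet only". The declarations of `q` and `r` and the start of the function are outside this hunk.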
acl_ip_data *q = acl_ip_data::FactoryParse(t);
while (q != NULL) {
+ /* pop each result off the list and add it to the data tree individually */
+ acl_ip_data *next = q->next;
+ q->next = NULL;
data = data->insert(q, acl_ip_data::NetworkCompare);
- q = q->next;
+ q = next;
}
}
}
#
acl manager proto cache_object
acl localhost src 127.0.0.1/32
+@IPV6_ONLY_SETTING@acl localhost src ::1/128
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
+@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128
# Example rule allowing access from your local networks.
# Adapt to list your (internal) IP networks from where browsing
acl localnet src 10.0.0.0/8 # RFC1918 possible internal network
acl localnet src 172.16.0.0/12 # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
+@IPV6_ONLY_SETTING@acl localnet src fc00::/7 # RFC 4193 local private network range
+@IPV6_ONLY_SETTING@acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines
acl SSL_ports port 443
acl Safe_ports port 80 # http
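Review bot: The added IPv6 `to_localhost` line lists only `::1/128`, whereas the IPv4 line directly above it also lists the unspecified address `0.0.0.0/32`; the IPv6 unspecified address has no counterpart here. Where `to_localhost` backs a deny rule meant to keep proxied requests away from the proxy host itself, that leaves the IPv6 side narrower than the IPv4 side. I would extend the line to `@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128 ::/128`, assuming the ACL parser accepts `::/128` the way it accepts `0.0.0.0/32`.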