Bug 2601: pt 2: Mixed v4/v6 src acl leads to TCP_DENIED

 - Remove 'odd' netmask support from ACL.
 - Fully deprecate netmask support for ACL.

Earlier fix caused inconsistent handling between IPv4 and IPv6 builds of
Squid. Which has turned out to be a bad idea.
This fixes that by 'breaking' both build alternatives.

see also bug 2141 for long-term tracker.

diff --git a/src/acl/Ip.cc b/src/acl/Ip.cc
index 434b376e96c26e0f2c6ec74c1d3250617f2fcb83..c818ec47ad07cabe88abbe1cf2e0f1020212eb70 100644 (file)
--- a/src/acl/Ip.cc
+++ b/src/acl/Ip.cc
@@ -216,21 +216,21 @@ acl_ip_data::DecodeMask(const char *asc, IpAddress &mask, int ctype)
     /* dotted notation */
     /* assignment returns true if asc contained an IP address as text */
     if ((mask = asc)) {
-#if USE_IPV6
         /* HACK: IPv4 netmasks don't cleanly map to IPv6 masks. */
-        debugs(28, DBG_IMPORTANT, "WARNING: Netmasks are deprecated. Please use CIDR masks instead.");
+        debugs(28, DBG_CRITICAL, "WARNING: Netmasks are deprecated. Please use CIDR masks instead.");
         if (mask.IsIPv4()) {
             /* locate what CIDR mask was _probably_ meant to be in its native protocol format. */
             /* this will completely crap out with a security fail-open if the admin is playing mask tricks */
             /* however, thats their fault, and we do warn. see bug 2601 for the effects if we don't do this. */
             unsigned int m = mask.GetCIDR();
+#if USE_IPV6
             debugs(28, DBG_CRITICAL, "WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.");
-            debugs(28, DBG_CRITICAL, "WARNING: For now we assume you meant to write /" << m);
+#endif
+            debugs(28, DBG_CRITICAL, "WARNING: For now we will assume you meant to write /" << m);
             /* reset the mask completely, and crop to the CIDR boundary back properly. */
             mask.SetNoAddr();
             return mask.ApplyMask(m,AF_INET);
         }
-#endif /* USE_IPV6 */
         return true;
     }