Bug 2601: Hack. Convert IPv4 netmasks to CIDR in IPv6-enabled mode

se bug 2601 for trace demonstrating the effect of masking an IPv6 address
with and IPv4 netmask intead of a CIDR mask.

This hack, locates what CIDR mask was _probably_ meant to be in its
native protocol format. Then resets the mask to that CIDR form.

This will completely crap out with a security fail-open if the admin is
playing mask tricks.  However, thats their fault, and we do warn loudly.

diff --git a/src/ACLIP.cc b/src/ACLIP.cc
index 6746ca8d062880e00917b7a85cb0c859b57a927f..146f10d70f2e03013dd27394c5bad47ce915482d 100644 (file)
--- a/src/ACLIP.cc
+++ b/src/ACLIP.cc
@@ -215,8 +215,24 @@ acl_ip_data::DecodeMask(const char *asc, IpAddress &mask, int ctype)
 
     /* dotted notation */
     /* assignment returns true if asc contained an IP address as text */
-    if ((mask = asc))
+    if ((mask = asc)) {
+#if USE_IPV6
+        /* HACK: IPv4 netmasks don't cleanly map to IPv6 masks. */
+        debugs(28, DBG_IMPORTANT, "WARNING: Netmasks are deprecated. Please use CIDR masks instead.");
+        if(mask.IsIPv4()) {
+            /* locate what CIDR mask was _probably_ meant to be in its native protocol format. */
+            /* this will completely crap out with a security fail-open if the admin is playing mask tricks */
+            /* however, thats their fault, and we do warn. see bug 2601 for the effects if we don't do this. */
+            unsigned int m = mask.GetCIDR();
+            debugs(28, DBG_CRITICAL, "WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.");
+            debugs(28, DBG_CRITICAL, "WARNING: For now we assume you meant to write /" << m);
+            /* reset the mask completely, and crop to the CIDR boundary back properly. */
+            mask.NoAddr();
+            return mask.ApplyMask(m,AF_INET);
+        }
+#endif /* USE_IPV6 */
         return true;
+    }
 
     return false;
 }