From: Amos Jeffries Date: Thu, 24 Jan 2019 16:43:47 +0000 (+0000) Subject: Bug 4915: Detect IPv6 loopback binding errors (#355) X-Git-Tag: M-staged-PR356~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4685e7ba556dd81facf98e6a8e5503211cff3f1a;p=thirdparty%2Fsquid.git Bug 4915: Detect IPv6 loopback binding errors (#355) Systems which have been partially 'IPv6 disabled' may allow sockets to be opened and used but missing the IPv6 loopback address. Implement the outstanding TODO to detect such failures and disable IPv6 support properly within Squid when they are found. This should fix bug 4915 auth_param helper startup and similar external_acl_type helper issues. For security such helpers are not permitted to use the machine default IP address which is globally accessible.
---
diff --git a/src/ip/tools.cc b/src/ip/tools.cc
index c7a8ac8b51..1ccf64f6ac 100644
--- a/src/ip/tools.cc
+++ b/src/ip/tools.cc
@@ -10,6 +10,7 @@
 
 #include "squid.h"
 #include "Debug.h"
+#include "ip/Address.h"
 #include "ip/tools.h"
 
 #if HAVE_UNISTD_H
@@ -55,8 +56,21 @@ Ip::ProbeTransport()
 debugs(3, 2, "Missing RFC 3493 compliance - attempting split IPv4 and IPv6 stacks ...");
 EnableIpv6 |= IPV6_SPECIAL_SPLITSTACK;
 #endif
- // TODO: attempt to use the socket to connect somewhere ?
- // needs to be safe to contact and with guaranteed working IPv6 at the other end.
+
+ // Test for IPv6 loopback/localhost address binding
+ Ip::Address ip;
+ ip.setLocalhost();
+ if (ip.isIPv6()) { // paranoid; always succeeds if we got this far
+ struct sockaddr_in6 sin;
+ ip.getSockAddr(sin);
+ if (bind(s, reinterpret_cast(&sin), sizeof(sin)) != 0) {
+ debugs(3, DBG_CRITICAL, "WARNING: BCP 177 violation. Detected non-functional IPv6 loopback.");
+ EnableIpv6 = IPV6_OFF;
+ } else {
+ debugs(3, 2, "Detected functional IPv6 loopback ...");
+ }
+ }
+
 close(s);
 
 #if USE_IPV6
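Review bot: The failure branch of the new `bind()` check in the second hunk treats every non-zero return as a missing IPv6 loopback, yet bind() can fail for unrelated reasons (EADDRINUSE if `setLocalhost()` leaves a non-zero port, or a permissions error), and the WARNING records none of them, so an operator sees IPv6 silently switched off with no way to tell the causes apart. Capturing errno immediately after the call and including it in the message keeps the diagnosis possible, e.g. `const int xerrno = errno;` followed by `debugs(3, DBG_CRITICAL, "WARNING: BCP 177 violation. Detected non-functional IPv6 loopback: " << xstrerr(xerrno));`. Whether the probe address carries a port is not visible in the hunk; if it does, only treating EADDRNOTAVAIL as the loopback-missing case would avoid disabling IPv6 on a transient port clash. `Ip::ProbeTransport()` begins before this hunk and continues after the trailing `#if USE_IPV6`, so the creation of socket `s` and any earlier EnableIpv6 decisions cannot be checked here.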