From: Amos Jeffries
Date: Sat, 21 Feb 2009 03:56:39 +0000 (+1300)
Subject: Bug 2601: Hack. Convert IPv4 netmasks to CIDR in IPv6-enabled mode
X-Git-Tag: SQUID_3_2_0_1~1175
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=dff9ee499065287c1c9e50c8b011660592bdf77d;p=thirdparty%2Fsquid.git

Bug 2601: Hack. Convert IPv4 netmasks to CIDR in IPv6-enabled mode

See bug 2601 for a trace demonstrating the effect of masking an IPv6 address with an IPv4 netmask instead of a CIDR mask.

This hack locates what CIDR mask was _probably_ meant to be in its native protocol format, then resets the mask to that CIDR form.

This will completely crap out with a security fail-open if the admin is playing mask tricks. However, that's their fault, and we do warn loudly.
---
diff --git a/src/ACLIP.cc b/src/ACLIP.cc
index 6746ca8d06..146f10d70f 100644
--- a/src/ACLIP.cc
+++ b/src/ACLIP.cc
@@ -215,8 +215,24 @@ acl_ip_data::DecodeMask(const char *asc, IpAddress &mask, int ctype) /* dotted notation */ /* assignment returns true if asc contained an IP address as text */ - if ((mask = asc)) + if ((mask = asc)) { +#if USE_IPV6 + /* HACK: IPv4 netmasks don't cleanly map to IPv6 masks. */ + debugs(28, DBG_IMPORTANT, "WARNING: Netmasks are deprecated. Please use CIDR masks instead."); + if(mask.IsIPv4()) { + /* locate what CIDR mask was _probably_ meant to be in its native protocol format. */ + /* this will completely crap out with a security fail-open if the admin is playing mask tricks */ + /* however, thats their fault, and we do warn. see bug 2601 for the effects if we don't do this. */ + unsigned int m = mask.GetCIDR(); + debugs(28, DBG_CRITICAL, "WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges."); + debugs(28, DBG_CRITICAL, "WARNING: For now we assume you meant to write /" << m); + /* reset the mask completely, and crop to the CIDR boundary back properly. */ + mask.NoAddr(); + return mask.ApplyMask(m,AF_INET); + } +#endif /* USE_IPV6 */ return true; + } return false; }
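Review bot: the fail-open that the new comment itself admits ("this will completely crap out with a security fail-open if the admin is playing mask tricks") is handled only by logging a warning; since the hunk already computes `unsigned int m = mask.GetCIDR();`, it could also check that re-applying that prefix length reproduces the netmask the admin actually wrote and `return false` when it does not, so a non-contiguous netmask rejects the ACL line at config-parse time instead of being silently widened to the nearest CIDR. Separately, `return mask.ApplyMask(m,AF_INET);` makes ApplyMask's result the return value of DecodeMask, whose contract per the preserved comment is "true if asc contained an IP address as text"; worth confirming ApplyMask returns true on success, otherwise a failed mask application would be reported to the caller as a parse failure of the address text rather than of the mask.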