From 4f6e327c7791517c3aac9ba16e29ccf39101a6e6 Mon Sep 17 00:00:00 2001
From: famfo
Date: Sat, 22 Nov 2025 23:54:14 +0100
Subject: [PATCH] pdns/sstuff: convert mapped IPv4 addresses for ACL

When a mapped address does not get converted, ACLs do not match as expected. For example ::ffff:127.0.0.1 did not match the ACL 127.0.0.1.

Signed-off-by: famfo
---
 pdns/sstuff.hh | 8 ++-
 regression-tests.auth-py/test_acl.py | 82 ++++++++++++++++++++++++++++
 2 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 regression-tests.auth-py/test_acl.py

diff --git a/pdns/sstuff.hh b/pdns/sstuff.hh
index 4a30d0ad39..8174cc5fb3 100644
--- a/pdns/sstuff.hh
+++ b/pdns/sstuff.hh
@@ -121,7 +121,13 @@ public:
 {
 ComboAddress remote;
 if (getRemote(remote)) {
- return netmaskGroup.match(remote);
+ if (netmaskGroup.match(remote)) {
+ return true;
+ }
+
+ if (remote.isMappedIPv4()) {
+ return netmaskGroup.match(remote.mapToIPv4());
+ }
 }

 return false;
diff --git a/regression-tests.auth-py/test_acl.py b/regression-tests.auth-py/test_acl.py
new file mode 100644
index 0000000000..812bdea672
--- /dev/null
+++ b/regression-tests.auth-py/test_acl.py
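Review bot: The fall-through inside the `getRemote(remote)` branch makes the ACL result the OR of two lookups: the address as received and, when `isMappedIPv4()` is true, its `mapToIPv4()` form. If `NetmaskGroup` entries can express exclusions, an IPv4 exclusion is then never consulted for a mapped peer once a broader IPv6 entry has matched in the first lookup. That precedence should be stated where it is decided, for example `// Match the address as received first (keeps ACLs written as ::ffff:a.b.c.d working), then retry as plain IPv4; a hit in either form allows the peer.` A regression case with a dual-stack listener and an ACL mixing a broad IPv6 entry with a narrower IPv4 one would pin the intended behaviour. The enclosing method's signature and closing brace are outside the hunk.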
@@ -0,0 +1,82 @@
+import requests
+from authtests import AuthTest
+
+class TestBasic(AuthTest):
+ _config_template = """
+ launch = {backend}
+ webserver = yes
+ webserver-address = 127.0.0.1
+ webserver-port = 8053
+ webserver-allow-from = 127.0.0.1
+ """
+
+ @classmethod
+ def setUpClass(cls):
+ super(TestBasic, cls).setUpClass()
+
+ def test_basic(self):
+ r = requests.get('http://127.0.0.1:8053')
+ self.assertEqual(r.status_code, 200)
+
+class TestDualStack(AuthTest):
+ _config_template = """
+ launch = {backend}
+ webserver = yes
+ webserver-address = [::]
+ webserver-port = 8053
+ webserver-allow-from = 127.0.0.1
+ """
+
+ @classmethod
+ def setUpClass(cls):
+ super(TestDualStack, cls).setUpClass()
+
+ def test_ds(self):
+ r = requests.get('http://127.0.0.1:8053')
+ self.assertEqual(r.status_code, 200)
+
+class TestDualStackBackwardsCompat(AuthTest):
+ _config_template = """
+ launch = {backend}
+ webserver = yes
+ webserver-address = [::]
+ webserver-port = 8053
+ webserver-allow-from = ::ffff:127.0.0.1
+ """
+
+ def test_ds_compat(self):
+ r = requests.get('http://127.0.0.1:8053')
+ self.assertEqual(r.status_code, 200)
+
+class TestUnauthorized(AuthTest):
+ _config_template = """
+ launch = {backend}
+ webserver = yes
+ webserver-address = 127.0.0.1
+ webserver-port = 8053
+ webserver-allow-from = 224.0.0.0
+ """
+
+ def test_unauthorized(self):
+ try:
+ requests.get('http://127.0.0.1:8053')
+ self.fail()
+ except requests.exceptions.ConnectionError:
+ pass
+
+class TestUnauthorizedDualStack(AuthTest):
+ _config_template = """
+ launch = {backend}
+ webserver = yes
+ webserver-address = [::]
+ webserver-port = 8053
+ webserver-allow-from = 224.0.0.0
+ """
+
+ def test_unauthorized(self):
+ try:
+ requests.get('http://127.0.0.1:8053')
+ self.fail()
+ except requests.exceptions.ConnectionError:
+ pass
+
--
2.47.3
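Review bot: Both `test_unauthorized` methods can block indefinitely instead of failing, because `requests.get` is called without a `timeout` and the test only passes when the server closes the connection. A server that accepted the socket and then stalled would hang the run rather than report an ACL regression. Passing a timeout and asserting the exception directly is clearer than `try` / `self.fail()` / `except: pass`: `with self.assertRaises(requests.exceptions.ConnectionError):` followed by `requests.get('http://127.0.0.1:8053', timeout=5)`. The same `timeout=` should be added to the three positive tests. The `setUpClass` overrides in `TestBasic` and `TestDualStack` only call `super()` and can be dropped.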