From: Amos Jeffries Date: Sun, 20 Sep 2009 21:06:24 +0000 (+1200) Subject: Bug 2601: pt 2: Mixed v4/v6 src acl leads to TCP_DENIED X-Git-Tag: SQUID_3_2_0_1~700 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=4f875552d84a5c9548fe64e92e4e510f4eec55f3;p=thirdparty%2Fsquid.git Bug 2601: pt 2: Mixed v4/v6 src acl leads to TCP_DENIED - Remove 'odd' netmask support from ACL. - Fully deprecate netmask support for ACL. Earlier fix caused inconsistent handling between IPv4 and IPv6 builds of Squid. Which has turned out to be a bad idea. This fixes that by 'breaking' both build alternatives. see also bug 2141 for long-term tracker. --- diff --git a/src/acl/Ip.cc b/src/acl/Ip.cc index 434b376e96..c818ec47ad 100644 --- a/src/acl/Ip.cc +++ b/src/acl/Ip.cc 
@@ -216,21 +216,21 @@ acl_ip_data::DecodeMask(const char *asc, IpAddress &mask, int ctype) /* dotted notation */ /* assignment returns true if asc contained an IP address as text */ if ((mask = asc)) { -#if USE_IPV6 /* HACK: IPv4 netmasks don't cleanly map to IPv6 masks. */ - debugs(28, DBG_IMPORTANT, "WARNING: Netmasks are deprecated. Please use CIDR masks instead."); + debugs(28, DBG_CRITICAL, "WARNING: Netmasks are deprecated. Please use CIDR masks instead."); if (mask.IsIPv4()) { /* locate what CIDR mask was _probably_ meant to be in its native protocol format. */ /* this will completely crap out with a security fail-open if the admin is playing mask tricks */ /* however, thats their fault, and we do warn. see bug 2601 for the effects if we don't do this. */ unsigned int m = mask.GetCIDR(); +#if USE_IPV6 debugs(28, DBG_CRITICAL, "WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges."); - debugs(28, DBG_CRITICAL, "WARNING: For now we assume you meant to write /" << m); +#endif + debugs(28, DBG_CRITICAL, "WARNING: For now we will assume you meant to write /" << m); /* reset the mask completely, and crop to the CIDR boundary back properly. */ mask.SetNoAddr(); return mask.ApplyMask(m,AF_INET); } -#endif /* USE_IPV6 */ return true; }
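Review bot: With the `#if USE_IPV6` guard narrowed to the single IPv6 warning, the rewrite at `unsigned int m = mask.GetCIDR();` followed by `mask.SetNoAddr(); return mask.ApplyMask(m,AF_INET);` now runs in every build, and it still returns success after replacing whatever dotted mask the admin wrote with a /m prefix. The comment in the hunk already concedes that this is a security fail-open when the mask is not a plain prefix, so the ACL can end up matching a different address set than the configuration states, with only a log line to show for it. Consider keeping a copy of the parsed mask, comparing it with the result of `ApplyMask(m,AF_INET)`, and returning false when the two differ, so that a mask with no CIDR equivalent is rejected at parse time. None of the three warnings prints `asc` or the ACL being parsed; adding `asc` to the "assume you meant to write /" message would let the admin find the offending line. The commit message says 'odd' netmask support is removed, but nothing in the visible lines refuses such a mask, so either the message or the code should be brought in line.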