From 91ffacf61d74bce96c2720ac0172107fa0b8333c Mon Sep 17 00:00:00 2001
From: Amos Jeffries
Date: Sat, 16 Jan 2010 17:33:11 +1300
Subject: [PATCH] Bug 2601: pt 2: Mixed v4/v6 src acl leads to TCP_DENIED
- Remove 'odd' netmask support from ACL.
- Fully deprecate netmask support for ACL.
Earlier fix caused inconsistent handling between IPv4 and IPv6 builds of Squid. Which has turned out to be a bad idea. This fixes that by 'breaking' both build alternatives. see also bug 2141 for long-term tracker.
---
 src/acl/Ip.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/src/acl/Ip.cc b/src/acl/Ip.cc
index 2c517ed5d5..982293be44 100644
--- a/src/acl/Ip.cc
+++ b/src/acl/Ip.cc
@@ -217,21 +217,21 @@ acl_ip_data::DecodeMask(const char *asc, IpAddress &mask, int ctype)
 /* dotted notation */
 /* assignment returns true if asc contained an IP address as text */
 if ((mask = asc)) {
-#if USE_IPV6
 /* HACK: IPv4 netmasks don't cleanly map to IPv6 masks. */
- debugs(28, DBG_IMPORTANT, "WARNING: Netmasks are deprecated. Please use CIDR masks instead.");
+ debugs(28, DBG_CRITICAL, "WARNING: Netmasks are deprecated. Please use CIDR masks instead.");
 if (mask.IsIPv4()) {
 /* locate what CIDR mask was _probably_ meant to be in its native protocol format. */
 /* this will completely crap out with a security fail-open if the admin is playing mask tricks */
 /* however, thats their fault, and we do warn. see bug 2601 for the effects if we don't do this. */
 unsigned int m = mask.GetCIDR();
+#if USE_IPV6
 debugs(28, DBG_CRITICAL, "WARNING: IPv4 netmasks are particularly nasty when used to compare IPv6 to IPv4 ranges.");
- debugs(28, DBG_CRITICAL, "WARNING: For now we assume you meant to write /" << m);
+#endif
+ debugs(28, DBG_CRITICAL, "WARNING: For now we will assume you meant to write /" << m);
 /* reset the mask completely, and crop to the CIDR boundary back properly. */
 mask.SetNoAddr();
 return mask.ApplyMask(m,AF_INET);
 }
-#endif /* USE_IPV6 */
 return true;
 }

-- 
2.47.3
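Review bot: In `DecodeMask`, the IPv4 branch still reports success after replacing the admin's dotted netmask with whatever `mask.GetCIDR()` returns, and with the `#if USE_IPV6` guard moved inward that rewrite now runs in every build, so the fail-open that the in-code comment admits is no longer limited to IPv6 builds. If the mask is not a contiguous prefix, the ACL ends up matching a different range than the one written, which for an allow rule may be wider; what `GetCIDR()` yields for such input is not visible here and should be confirmed. I would fail closed instead: when the dotted mask cannot be expressed exactly as /m, log an error and `return false;` so the caller does not install a guessed range. At minimum the warnings should name the offending token so it can be found in a large configuration, e.g. `debugs(28, DBG_CRITICAL, "WARNING: Netmasks are deprecated. Please use CIDR masks instead: " << asc);`. The body of `DecodeMask` starts and ends outside this hunk.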