From f760409d8dba0f83d4fd749b386df7d9d89c0fc6 Mon Sep 17 00:00:00 2001 From: Amos Jeffries Date: Fri, 13 Nov 2009 01:49:09 +1300 Subject: [PATCH] Polish several outstanding IPv6 settings * Makes 'ipv6' magic monkier cover full IPv6 unicast space (previously just current active global) * Makes squid.conf default settings which require IPv6 content auto-enable/disable to match the IPv6 built support.
--- configure.in | 3 +++ src/Makefile.am | 1 + src/acl/Ip.cc | 69 ++++++++++++++++++++++++++++++++++++++++++++++--- src/cf.data.pre | 4 +++ 4 files changed, 73 insertions(+), 4 deletions(-)
diff --git a/configure.in b/configure.in
index ae0ca32e3f..03601d0c0f 100644
--- a/configure.in
+++ b/configure.in
@@ -2679,6 +2679,7 @@ fi
 if test "$use_ipng" = "yes"; then
 AC_DEFINE(USE_IPV6,1,[Enable support for IPv6 ])
+ SET_IPV6_SETTINGS=""
 use_v4mapped=yes
 dnl Check for forced split-stack mode
@@ -2752,7 +2753,9 @@ else
 AC_DEFINE(USE_IPV6,0,[Enable support for IPv6])
 AC_DEFINE(IPV6_SPECIAL_SPLITSTACK,0,[Enable support for IPv6 on split-stack implementations])
 AC_DEFINE(IPV6_SPECIAL_V4MAPPED,0,[Enable v4-mapping through v6 sockets])
+ SET_IPV6_SETTINGS="\#IPv6 Not Available: "
 fi
+AC_SUBST(SET_IPV6_SETTINGS)
 dnl Check whether this OS defines ss_len as a member of sockaddr_storage
 AC_CACHE_CHECK([for ss_len field in struct sockaddr_storage],
diff --git a/src/Makefile.am b/src/Makefile.am
index ed0c092ec1..8e792992dc 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -782,6 +782,7 @@ cf.data: cf.data.pre Makefile
 s%@DEFAULT_CONFIG_DIR@%$(DEFAULT_CONFIG_DIR)%g;\
 s%@DEFAULT_PREFIX@%$(DEFAULT_PREFIX)%g;\
 s%@DEFAULT_HOSTS@%$(DEFAULT_HOSTS)%g;\
+ s%@IPV6_ONLY_SETTING@%$(SET_IPV6_SETTINGS)%g;\
 s%@SQUID@%SQUID\ $(VERSION)%g;"\
 < $(srcdir)/cf.data.pre >$@
diff --git a/src/acl/Ip.cc b/src/acl/Ip.cc
index 426c00710b..aa2de1c539 100644
--- a/src/acl/Ip.cc
+++ b/src/acl/Ip.cc
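Review bot: The value `"\#IPv6 Not Available: "` assigned in the else branch depends on two escaping layers that nothing in the hunk explains: inside double quotes the shell keeps the backslash, and, as I read the pipeline, it is GNU make that later turns `\#` into a literal `#` once the AC_SUBST'd value lands in the generated Makefile, after which the sed in src/Makefile.am splices it in front of each `@IPV6_ONLY_SETTING@` line so those squid.conf defaults become comments. A one-line comment next to the assignment would save the next reader that round trip, e.g. `dnl backslash survives the shell; make un-escapes \# so the substituted squid.conf lines become comments`. It is also worth recording there that the text is pasted unescaped into a sed `s%...%...%g` replacement, so it must never contain `%`, `&` or a further backslash.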
@@ -277,9 +277,67 @@ acl_ip_data::FactoryParse(const char *t)
 /* Special ACL RHS "ipv6" matches IPv6-Unicast Internet */
 if (strcasecmp(t, "ipv6") == 0) {
 debugs(28, 9, "aclIpParseIpData: magic 'ipv6' found.");
- t = "2000::/3";
- /* AYJ: due to the nature os IPv6 this will not always work,
- * we may need to turn recursive to catch all the valid v6 sub-nets. */
+ r = q; // save head of the list for result.
+
+ /* 0000::/4 is a mix of localhost and obsolete IPv4-mapping space. Not valid outside this host. */
+
+ /* Future global unicast space: 1000::/4 */
+ q->addr1 = "1000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(4, AF_INET6);
+
+ /* Current global unicast space: 2000::/4 = (2000::/4 - 3000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "2000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(3, AF_INET6);
+
+ /* Future global unicast space: 4000::/2 = (4000::/4 - 7000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "4000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(2, AF_INET6);
+
+ /* Future global unicast space: 8000::/2 = (8000::/4 - B000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "8000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(2, AF_INET6);
+
+ /* Future global unicast space: C000::/3 = (C000::/4 - D000::/4) */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "C000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(3, AF_INET6);
+
+ /* Future global unicast space: E000::/4 */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "E000::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(4, AF_INET6);
+
+ /* F000::/4 is mostly reserved non-unicast. With some exceptions ...
*/
+
+ /* RFC 4193 Unique-Local unicast space: FC00::/7 */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "FC00::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(7, AF_INET6);
+
+ /* Link-Local unicast space: FE80::/10 */
+ q->next = new acl_ip_data;
+ q = q->next;
+ q->addr1 = "FE80::";
+ q->mask.SetNoAddr();
+ q->mask.ApplyMask(10, AF_INET6);
+
+ return r;
 }
 #endif
@@ -449,8 +507,11 @@ ACLIP::parse()
 acl_ip_data *q = acl_ip_data::FactoryParse(t);
 while (q != NULL) {
+ /* pop each result off the list and add it to the data tree individually */
+ acl_ip_data *next = q->next;
+ q->next = NULL;
 data = data->insert(q, acl_ip_data::NetworkCompare);
- q = q->next;
+ q = next;
 }
 }
 }
diff --git a/src/cf.data.pre b/src/cf.data.pre
index 5059c1e320..b7756c3215 100644
--- a/src/cf.data.pre
+++ b/src/cf.data.pre
@@ -694,7 +694,9 @@ NOCOMMENT_START # acl manager proto cache_object acl localhost src 127.0.0.1/32 +@IPV6_ONLY_SETTING@acl localhost src ::1/128 acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 +@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128 # Example rule allowing access from your local networks. # Adapt to list your (internal) IP networks from where browsing
@@ -702,6 +704,8 @@ acl to_localhost dst 127.0.0.0/8 0.0.0.0/32 acl localnet src 10.0.0.0/8 # RFC1918 possible internal network acl localnet src 172.16.0.0/12 # RFC1918 possible internal network acl localnet src 192.168.0.0/16 # RFC1918 possible internal network +@IPV6_ONLY_SETTING@acl localnet src fc00::/7 # RFC 4193 local private network range +@IPV6_ONLY_SETTING@acl localnet src fe80::/10 # RFC 4291 link-local (directly plugged) machines acl SSL_ports port 443 acl Safe_ports port 80 # http -- 2.47.3
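Review bot: The context comment `/* Special ACL RHS "ipv6" matches IPv6-Unicast Internet */` above this branch is now misleading, because the added list also contains FC00::/7 and FE80::/10, so an access rule written against `ipv6` matches unique-local and link-local peers as well as Internet addresses; I would reword it to `/* Special ACL RHS "ipv6" matches all IPv6 unicast space: global, RFC 4193 unique-local and link-local */` so administrators are not surprised by the widening. The stanza comment `Current global unicast space: 2000::/4 = (2000::/4 - 3000::/4)` also disagrees with the code beneath it, which applies a 3-bit mask, and should read `2000::/3`. The eight copies of the new/next/addr1/SetNoAddr/ApplyMask stanza differ only in prefix and length, so a prefix table walked by one loop would make the covered ranges auditable at a glance (sketch below; `r` and `q` are declared before the hunk, at the head of FactoryParse, which starts above it).
```cpp
        /* every IPv6 unicast prefix the 'ipv6' moniker expands to */
        static const struct { const char *prefix; int bits; } unicast[] = {
            {"1000::", 4},  /* future global unicast */
            {"2000::", 3},  /* current global unicast: 2000::/4 + 3000::/4 */
            {"4000::", 2},  /* future global unicast */
            {"8000::", 2},  /* future global unicast */
            {"C000::", 3},  /* future global unicast */
            {"E000::", 4},  /* future global unicast */
            {"FC00::", 7},  /* RFC 4193 unique-local */
            {"FE80::", 10}  /* link-local */
        };
        r = q; // save head of the list for result.
        for (size_t i = 0; i < sizeof(unicast) / sizeof(unicast[0]); ++i) {
            if (i > 0) {
                q->next = new acl_ip_data;
                q = q->next;
            }
            q->addr1 = unicast[i].prefix;
            q->mask.SetNoAddr();
            q->mask.ApplyMask(unicast[i].bits, AF_INET6);
        }
        return r;
```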
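Review bot: The new IPv6 `to_localhost` line lists only `::1/128`, whereas the IPv4 line directly above it also denies the unspecified address `0.0.0.0/32`; if the ACL parser accepts it, the parallel entry would be `@IPV6_ONLY_SETTING@acl to_localhost dst ::1/128 ::/128`. Since the configure.in hunk in this same patch turns on `use_v4mapped`, it is also worth confirming that a destination written as an IPv4-mapped loopback address is normalised to IPv4 before being compared against `127.0.0.0/8`; if it is not, the loopback protection `to_localhost` exists for has a gap on IPv6 builds that either a comment or an explicit entry should cover. A short remark that `fe80::/10` in `localnet` admits every directly attached host would likewise help administrators who keep the default rules unchanged.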