ando@sys-net.it wrote:
Damon.Groenveld@ca.com wrote:
Given that the code (in aclparse.c) calls inet_addr() with the peername.ip parameter, I can't see how it could work with IPv6.
The only possible workaround is using a regex instead of the ip type, which bypasses the inet_addr() call.
I raised it as a bug since the latest version (as far as I can tell) is meant to support IPv6 and there is no way that peername.ip does and there isn't an alternative.
The peername.ip was designed with IPv4 in mind. A patch to support IPv6 in ACLs would be welcome, though. In the meantime, I believe a regex style would be the solution, but note that I have no idea of how IPv6 would be stringified in the peername. Note that the whole issue is of questionable relevance, since IP-based access checking is not considered trustable.
Yes, peername.regex works fine.
Currently IPv6 peernames are reported as colon-separated hex octets followed by a space, then the port number: "xxxx:....:zzzz ppppp". It strikes me that we should be using URL format instead, which uses square brackets: "[xxxx:....:zzzz]:ppppp".
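The points raised in this thread, as an added example that is not part of the original messages or of the project's own code: why a peername.ip check built on inet_addr() can never match an IPv6 peer, how the two IPv6 peername layouts described above ("addr port" and "[addr]:port") can be split into address and port, and how a peername.regex-style check sidesteps the problem by matching the raw string. The IPv4 layout "a.b.c.d:port" and all function names are assumptions for illustration; the sample peernames are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <regex.h>
#include <arpa/inet.h>
#include <netinet/in.h>
#include <sys/socket.h>

/* Split a peername string into address and port.  Three layouts:
 *   "2001:db8::1 389"    current IPv6 layout: address, space, port
 *   "[2001:db8::1]:389"  proposed URL-style layout
 *   "192.0.2.10:389"     IPv4 layout (an assumption; the thread does not show it)
 * Returns 0 on success, -1 on a malformed string. */
int parse_peername(const char *s, char *addr, size_t alen, int *port)
{
    const char *end, *pstr;
    char *tail;
    size_t n;
    long p;

    if (s[0] == '[') {                     /* "[addr]:port" */
        end = strchr(s, ']');
        if (end == NULL || end[1] != ':')
            return -1;
        s++;
        pstr = end + 2;
    } else if ((end = strchr(s, ' ')) != NULL) {   /* "addr port" */
        pstr = end + 1;
    } else if ((end = strrchr(s, ':')) != NULL) {  /* "a.b.c.d:port" */
        pstr = end + 1;
    } else {
        return -1;
    }
    n = (size_t)(end - s);
    if (n == 0 || n >= alen)
        return -1;
    memcpy(addr, s, n);
    addr[n] = '\0';

    p = strtol(pstr, &tail, 10);
    if (*pstr == '\0' || *tail != '\0' || p < 0 || p > 65535)
        return -1;
    *port = (int)p;
    return 0;
}

/* Family detection with inet_pton(): AF_INET, AF_INET6, or 0 if neither. */
int addr_family(const char *addr)
{
    struct in_addr a4;
    struct in6_addr a6;
    if (inet_pton(AF_INET, addr, &a4) == 1)
        return AF_INET;
    if (inet_pton(AF_INET6, addr, &a6) == 1)
        return AF_INET6;
    return 0;
}

/* What an inet_addr()-based peername.ip check amounts to: inet_addr() only
 * understands dotted-quad IPv4 and returns INADDR_NONE for anything else
 * (and, as a known wart, also for 255.255.255.255), so an IPv6 peer never
 * matches.  Returns 1 on match, 0 otherwise. */
int legacy_ip_match(const char *peer_addr, const char *acl_ip)
{
    in_addr_t p = inet_addr(peer_addr);
    in_addr_t a = inet_addr(acl_ip);
    if (p == INADDR_NONE || a == INADDR_NONE)
        return 0;
    return p == a;
}

/* The peername.regex workaround: a POSIX extended regex over the raw
 * peername string, independent of address family.
 * Returns 1 on match, 0 on no match, -1 if the pattern does not compile. */
int regex_peername_match(const char *pattern, const char *peername)
{
    regex_t re;
    int rc;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0)
        return -1;
    rc = regexec(&re, peername, 0, NULL, 0);
    regfree(&re);
    return rc == 0;
}

/* Helper for checking a parse result in one call. */
int check_parse(const char *s, const char *want_addr, int want_port)
{
    char addr[64];
    int port;
    if (parse_peername(s, addr, sizeof addr, &port) != 0)
        return 0;
    return strcmp(addr, want_addr) == 0 && port == want_port;
}

int main(void)
{
    /* Constructed sample peernames, not taken from a real log. */
    const char *samples[] = { "2001:db8::1 389", "[2001:db8::1]:389", "192.0.2.10:389" };
    char addr[64];
    int port;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        if (parse_peername(samples[i], addr, sizeof addr, &port) == 0)
            printf("%-20s addr=%s port=%d family=%d inet_addr_ok=%d\n",
                   samples[i], addr, port, addr_family(addr),
                   inet_addr(addr) != INADDR_NONE);
    }
    printf("regex match: %d\n",
           regex_peername_match("^2001:db8::1 [0-9]+$", samples[0]));
    return 0;
}
```

The regex patterns anchor the whole address and leave the port open, which is what a regex-style ACL clause has to do for either layout; note that a pattern written for the space-separated layout will silently stop matching if the peername switches to the bracketed form, so the ACL must be revisited if that change is made.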