Debian Bug report logs - #659669
apt-cacher: ipv4 formatted allowed_hosts parameter not matched

Package: apt-cacher; Maintainer for apt-cacher is Mark Hindley <mark@hindley.org.uk>; Source for apt-cacher is src:apt-cacher.

Reported by: Leopold BAILLY <leo.bailly@infonie.fr>

Date: Sun, 12 Feb 2012 23:21:01 UTC

Severity: normal

Found in version apt-cacher/1.7.2

Fixed in version apt-cacher/1.7.4

Done: Mark Hindley <mark@hindley.org.uk>

Bug is archived. No further changes may be made.


Report forwarded to debian-bugs-dist@lists.debian.org, Mark Hindley <mark@hindley.org.uk>:
Bug#659669; Package apt-cacher. (Sun, 12 Feb 2012 23:21:04 GMT)

Acknowledgement sent to Leopold BAILLY <leo.bailly@infonie.fr>:
New Bug report received and forwarded. Copy sent to Mark Hindley <mark@hindley.org.uk>. (Sun, 12 Feb 2012 23:21:04 GMT)

Message #5 received at submit@bugs.debian.org:

From: Leopold BAILLY <leo.bailly@infonie.fr>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: apt-cacher: ipv4 formatted allowed_hosts parameter not matched
Date: Mon, 13 Feb 2012 00:19:21 +0100

Package: apt-cacher
Version: 1.7.2
Severity: normal

Dear Maintainer,

for example, allowed_hosts = 192.168.1.0/24 does not work because ipv6 host address does not match this ipv4 formatted rule :
Sun Feb 12 23:53:15 2012|debug [16668]: Test client 0:0:0:0:0:FFFF:C0A8:101/128 against allowed: 192.168.1.0/24
Sun Feb 12 23:53:15 2012|debug [16668]: Alert: client ::ffff:192.168.1.1 disallowed by access control
Sun Feb 12 23:53:15 2012|debug [16668]: Response: 403 Access to cache prohibited

But I don't use ipv6 on my network.

Note that if allowed_hosts is not set, no access is allowed as well :
Sun Feb 12 23:48:39 2012|debug [16575]: Alert: client ::ffff:192.168.1.1 disallowed by access control
Sun Feb 12 23:48:39 2012|debug [16575]: Response: 403 Access to cache prohibited

Only allowed_hosts = * is working with ipv4.

-- System Information:
Debian Release: wheezy/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-1-686-pae (SMP w/1 CPU core)
Locale: LANG=fr_FR@euro, LC_CTYPE=fr_FR@euro (charmap=ISO-8859-15)
Shell: /bin/sh linked to /bin/dash

Versions of packages apt-cacher depends on:
ii  debconf [debconf-2.0]  1.5.41
ii  dpkg                   1.16.1.2
ii  ed                     1.6-1
ii  libfilesys-df-perl     0.92-4+b1
ii  libfreezethaw-perl     0.5001-1
ii  libio-interface-perl   1.06-1+b1
ii  libnetaddr-ip-perl     4.058+dfsg-2
ii  libwww-curl-perl       4.15-1+b2
ii  libwww-perl            6.03-1
ii  lsb-base               3.2-28.1
ii  perl                   5.14.2-7
ii  update-inetd           4.41

Versions of packages apt-cacher recommends:
ii  libberkeleydb-perl  0.49-1

Versions of packages apt-cacher suggests:
ii  libio-socket-inet6-perl  2.69-2

-- Configuration Files:
/etc/apt-cacher/apt-cacher.conf changed [not included]
/etc/default/apt-cacher changed [not included]

-- debconf information excluded




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659669; Package apt-cacher. (Mon, 13 Feb 2012 22:51:05 GMT)

Message #8 received at 659669@bugs.debian.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Leopold BAILLY <leo.bailly@infonie.fr>, 659669@bugs.debian.org
Subject: Re: Bug#659669: apt-cacher: ipv4 formatted allowed_hosts parameter not matched
Date: Mon, 13 Feb 2012 22:15:05 +0000

On Mon, Feb 13, 2012 at 12:19:21AM +0100, Leopold BAILLY wrote:
> Package: apt-cacher
> Version: 1.7.2
> Severity: normal
> 
> Dear Maintainer,
> 
> for example, allowed_hosts = 192.168.1.0/24 does not work because ipv6 host address does not match this ipv4 formatted rule :
> Sun Feb 12 23:53:15 2012|debug [16668]: Test client 0:0:0:0:0:FFFF:C0A8:101/128 against allowed: 192.168.1.0/24
> Sun Feb 12 23:53:15 2012|debug [16668]: Alert: client ::ffff:192.168.1.1 disallowed by access control
> Sun Feb 12 23:53:15 2012|debug [16668]: Response: 403 Access to cache prohibited
> 
> But I don't use ipv6 on my network.

Although you only use IPv4, I think you have an IPv6 enabled kernel which is 
why the client address is shown as an IPv4 mapped IPv6 address. 

Could you see if the ipv6 module is loaded and if it is remove it 
(http://www.debian-administration.org/articles/409). I think the IPv4 
only configuration will work then.

Let me know how you get on.

Mark
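
The mismatch discussed above, as an added example that is not part of the original thread and is not apt-cacher code (apt-cacher is Perl; this is a Python illustration). The function names are assumptions, the log sample is constructed from the debug lines in the report, and it normalises the client address rather than rewriting the configuration entries as the patch later in the thread does:

```python
import ipaddress
import re

# Constructed sample: the two debug lines quoted in the report.
SAMPLE_LOG = """\
Sun Feb 12 23:53:15 2012|debug [16668]: Test client 0:0:0:0:0:FFFF:C0A8:101/128 against allowed: 192.168.1.0/24
Sun Feb 12 23:53:15 2012|debug [16668]: Alert: client ::ffff:192.168.1.1 disallowed by access control
"""

MAPPED_PREFIX = ipaddress.ip_network("::ffff:0:0/96")


def clients_in_log(log):
    """Pull client addresses out of 'Test client <addr>/<len> against' lines."""
    return re.findall(r"Test client (\S+?)/\d+ against", log)


def normalise(addr):
    """Return the IPv4 address carried by an IPv4-mapped IPv6 address;
    any other address is returned unchanged."""
    ip = ipaddress.ip_address(addr)
    # Match the whole 96-bit prefix, not just the ffff group.
    if ip.version == 6 and ip in MAPPED_PREFIX:
        return ip.ipv4_mapped
    return ip


def _hit(ip, entries):
    """True if ip lies inside any entry of the same address family."""
    nets = (ipaddress.ip_network(e, strict=False) for e in entries)
    return any(ip.version == n.version and ip in n for n in nets)


def naive_permitted(client, allowed):
    """Compare the address exactly as the socket reported it."""
    return _hit(ipaddress.ip_address(client), allowed)


def permitted(client, allowed, denied=()):
    """Normalise first, then apply allow and deny lists (deny wins)."""
    ip = normalise(client)
    return _hit(ip, allowed) and not _hit(ip, denied)


if __name__ == "__main__":
    for client in clients_in_log(SAMPLE_LOG):
        print(client, "naive:", naive_permitted(client, ["192.168.1.0/24"]),
              "normalised:", permitted(client, ["192.168.1.0/24"]))
```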




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659669; Package apt-cacher. (Thu, 16 Feb 2012 00:21:09 GMT)

Message #11 received at 659669@bugs.debian.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Leopold BAILLY <leo.bailly@infonie.fr>, 659669@bugs.debian.org
Subject: Re: Bug#659669: apt-cacher: ipv4 formatted allowed_hosts parameter not matched
Date: Thu, 16 Feb 2012 00:19:27 +0000

On Mon, Feb 13, 2012 at 10:15:05PM +0000, Mark Hindley wrote:
> On Mon, Feb 13, 2012 at 12:19:21AM +0100, Leopold BAILLY wrote:
> > Package: apt-cacher
> > Version: 1.7.2
> > Severity: normal
> > 
> > Dear Maintainer,
> > 
> > for example, allowed_hosts = 192.168.1.0/24 does not work because ipv6 host address does not match this ipv4 formatted rule :
> > Sun Feb 12 23:53:15 2012|debug [16668]: Test client 0:0:0:0:0:FFFF:C0A8:101/128 against allowed: 192.168.1.0/24
> > Sun Feb 12 23:53:15 2012|debug [16668]: Alert: client ::ffff:192.168.1.1 disallowed by access control
> > Sun Feb 12 23:53:15 2012|debug [16668]: Response: 403 Access to cache prohibited
> > 
> > But I don't use ipv6 on my network.
> 
> Although you only use IPv4, I think you have an IPv6 enabled kernel which is 
> why the client address is shown as an IPv4 mapped IPv6 address. 

I have done a patch to transparently support IPv6 mapped IPv4 addresses. 
I would be grateful if you could apply this patch and let me know how it 
works for you.

Many thanks

Mark


diff --git a/apt-cacher b/apt-cacher
index fc8cb73..81985cf 100755
--- a/apt-cacher
+++ b/apt-cacher
@@ -47,6 +47,7 @@ use Sys::Hostname;
 use Filesys::Df;
 use Time::HiRes qw(sleep);
 use NetAddr::IP;
+use NetAddr::IP::Util;
 use List::Util;
 use Getopt::Long qw(:config no_ignore_case bundling);
 
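Review bot: the hunk line counts do not add up across the patch: this hunk adds one line (-47,6 +47,7), but the next header is -354,12 +356,21, an offset of two, and the later offsets (+11, +13) carry the same extra line, so a one-line addition between the first two hunks is missing from what was posted. Please repost the complete diff so it applies cleanly. Separately, the new module is loaded with no import list, and the later hunks call ipv6_n2d as NetAddr::IP::Util::ipv6_n2d but inet_any2n as NetAddr::IP::inet_any2n; using one namespace for both, or importing them by name here, would make the dependency on this line obvious.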
@@ -354,12 +356,21 @@ sub client_permitted {
 	    return;
 	}
 
-	if ($client->within(NetAddr::IP->new('127.1')) || # IPv4
-	    $client->within(NetAddr::IP->new6('::7f00:1')) || # IPv4 compatible IPv6
-	    $client->within(NetAddr::IP->new6('::ffff:7f00:1')) || # IPv4 mapped to IPv6
-	    $client->within(NetAddr::IP->new6('::1'))) { # IPv6
-	    debug_message('client is localhost');
-	    return 1
+	my $map_ipv4_mask = NetAddr::IP::inet_any2n('::ffff:0:');
+	my $map_ipv4 = $client->{isv6} && ($client->aton & $map_ipv4_mask) eq $map_ipv4_mask;
+	if ($map_ipv4) {
+	    debug_message('client is IPv4 mapped IPv6 address: mapping IPv4 configuration items to IPv6');
+	}
+
+	foreach (qw(127.0.0.1/8 ::1)) { # localhost: IPv4 and IPv6
+	    my $check = NetAddr::IP->new($_);
+	    $check = NetAddr::IP->new(NetAddr::IP::Util::ipv6_n2d(NetAddr::IP::inet_any2n($check->addr) | $map_ipv4_mask), $check->mask)
+	      if !$check->{isv6} && $map_ipv4;
+	    debug_message("Test client  $client against localhost: $check");
+	    if ($client->within($check)) {
+		debug_message('Client is localhost');
+		return 1;
+	    }
 	}
 
 	# Now check if the client address falls within the permitted ranges.
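Review bot: the $map_ipv4 test only checks that bits 80 to 95 of the client address are set ((aton & mask) eq mask, with the mask built from '::ffff:0:'); it never requires the leading 80 bits to be zero, so it is also true for IPv6 addresses outside ::ffff:0:0/96 that happen to carry ffff in the sixth group. Testing the full prefix, for example $client->within(NetAddr::IP->new6('::ffff:0:0/96')), makes the check exact and avoids reading $client->{isv6} directly. The literal '::ffff:0:' is also not a complete IPv6 address; write '::ffff:0:0' rather than depend on how the parser treats the trailing colon. Minor: the new debug_message has a double space after 'Test client'.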
@@ -369,7 +380,9 @@ sub client_permitted {
 	if ((($cfg->{allowed_hosts} eq '*') ||
 	     List::Util::first {
 		 if (my $check = eval{NetAddr::IP->new($_)}) {
-		     debug_message("Test client $client against allowed: $_");
+		     $check = NetAddr::IP->new(NetAddr::IP::Util::ipv6_n2d(NetAddr::IP::inet_any2n($check->addr) | $map_ipv4_mask), $check->mask)
+		       if !$check->{isv6} && $map_ipv4;
+		     debug_message("Test client $client against allowed: $check");
 		     $client->within($check);
 		 }
 		 else {
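Review bot: the converted $check is built with $check->mask taken from the IPv4 object, and nothing in this hunk shows that a /24 becomes the equivalent /120 on the mapped address; since the debug line now prints $check instead of $_, a test run should confirm that 192.168.1.0/24 is logged as a /120 network and not something wider. The conversion expression is also the same long line as in the localhost loop and the denied block; moving it into one small sub would keep the three copies from drifting apart.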
@@ -380,7 +393,9 @@ sub client_permitted {
 	    ) &&
 	    !grep {
 		if (my $check = eval{NetAddr::IP->new($_)}) {
-		    debug_message("Test client $client against denied: $_");
+		    $check = NetAddr::IP->new(NetAddr::IP::Util::ipv6_n2d(NetAddr::IP::inet_any2n($check->addr) | $map_ipv4_mask), $check->mask)
+		      if !$check->{isv6} && $map_ipv4;
+		    debug_message("Test client $client against denied: $check");
 		    $client->within($check);
 		}
 		else {
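Review bot: in this denied block the second NetAddr::IP->new sits outside the eval that guards the first parse, and its result is not checked before $client->within($check); because the block feeds !grep, a deny entry that fails to convert decides access by whatever within does with an undefined argument. Check that the converted $check is defined and handle a failure the same way as the existing else branch for unparsable entries.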




Information forwarded to debian-bugs-dist@lists.debian.org, Mark Hindley <mark@hindley.org.uk>:
Bug#659669; Package apt-cacher. (Thu, 16 Feb 2012 18:15:40 GMT)

Acknowledgement sent to Leopold BAILLY <leo.bailly@infonie.fr>:
Extra info received and forwarded to list. Copy sent to Mark Hindley <mark@hindley.org.uk>. (Thu, 16 Feb 2012 18:15:40 GMT)

Message #16 received at 659669@bugs.debian.org:

From: Leopold BAILLY <leo.bailly@infonie.fr>
To: Mark Hindley <mark@hindley.org.uk>
Cc: Leopold BAILLY <leo.bailly@infonie.fr>, 659669@bugs.debian.org
Subject: Re: Bug#659669: apt-cacher: ipv4 formatted allowed_hosts parameter not matched
Date: Thu, 16 Feb 2012 19:12:40 +0100

Mark Hindley <mark@hindley.org.uk> writes:

> On Mon, Feb 13, 2012 at 10:15:05PM +0000, Mark Hindley wrote:
>> On Mon, Feb 13, 2012 at 12:19:21AM +0100, Leopold BAILLY wrote:
>> > Package: apt-cacher
>> > Version: 1.7.2
>> > Severity: normal
>> > 
>> > Dear Maintainer,
>> > 
>> > for example, allowed_hosts = 192.168.1.0/24 does not work because ipv6 host address does not match this ipv4 formatted rule :
>> > Sun Feb 12 23:53:15 2012|debug [16668]: Test client 0:0:0:0:0:FFFF:C0A8:101/128 against allowed: 192.168.1.0/24
>> > Sun Feb 12 23:53:15 2012|debug [16668]: Alert: client ::ffff:192.168.1.1 disallowed by access control
>> > Sun Feb 12 23:53:15 2012|debug [16668]: Response: 403 Access to cache prohibited
>> > 
>> > But I don't use ipv6 on my network.
>> 
>> Although you only use IPv4, I think you have an IPv6 enabled kernel which is 
>> why the client address is shown as an IPv4 mapped IPv6 address. 

With Debian testing, ipv6 is built into the kernel, not as a module.
I tried to disable ipv6 through sysctl.conf but I don't know if it succeeded.

After reboot :
$ sudo sysctl net.ipv6.conf.all.disable_ipv6
net.ipv6.conf.all.disable_ipv6 = 1

And I still get the same ipv6 related error message.

> I have done a patch to transparently support IPv6 mapped IPv4 addresses. 
> I would be grateful if you could apply this patch and let me know how it 
> works for you.

Yes, it does.

It still works if I move back to my original sysctl config (and reboot).

Well done, thank you.

-- 
Léo.




Information forwarded to debian-bugs-dist@lists.debian.org:
Bug#659669; Package apt-cacher. (Fri, 17 Feb 2012 01:33:03 GMT)

Message #19 received at 659669@bugs.debian.org:

From: Mark Hindley <mark@hindley.org.uk>
To: Leopold BAILLY <leo.bailly@infonie.fr>, 659669@bugs.debian.org
Cc: control@bugs.debian.org
Subject: Re: Bug#659669: apt-cacher: ipv4 formatted allowed_hosts parameter not matched
Date: Fri, 17 Feb 2012 01:28:40 +0000

package apt-cacher
tag 659669 pending
thanks

On Thu, Feb 16, 2012 at 07:12:40PM +0100, Leopold BAILLY wrote:
> Mark Hindley <mark@hindley.org.uk> writes:
> 
> > On Mon, Feb 13, 2012 at 10:15:05PM +0000, Mark Hindley wrote:
> >> On Mon, Feb 13, 2012 at 12:19:21AM +0100, Leopold BAILLY wrote:
> >> > Package: apt-cacher
> >> > Version: 1.7.2
> >> > Severity: normal
> >> > 
> >> > Dear Maintainer,
> >> > 
> >> > for example, allowed_hosts = 192.168.1.0/24 does not work because ipv6 host address does not match this ipv4 formatted rule :
> >> > Sun Feb 12 23:53:15 2012|debug [16668]: Test client 0:0:0:0:0:FFFF:C0A8:101/128 against allowed: 192.168.1.0/24
> >> > Sun Feb 12 23:53:15 2012|debug [16668]: Alert: client ::ffff:192.168.1.1 disallowed by access control
> >> > Sun Feb 12 23:53:15 2012|debug [16668]: Response: 403 Access to cache prohibited
> >> > 
> >> > But I don't use ipv6 on my network.
> >> 
> >> Although you only use IPv4, I think you have an IPv6 enabled kernel which is 
> >> why the client address is shown as an IPv4 mapped IPv6 address. 
> 
> With Debian testing, ipv6 is built into the kernel, not as a module.
> I tried to disable ipv6 through sysctl.conf but I don't know if it succeeded.
> 
> After reboot :
> $ sudo sysctl net.ipv6.conf.all.disable_ipv6
> net.ipv6.conf.all.disable_ipv6 = 1
> 
> And I still get the same ipv6 related error message.
> 
> > I have done a patch to transparently support IPv6 mapped IPv4 addresses. 
> > I would be grateful if you could apply this patch and let me know how it 
> > works for you.
> 
> Yes, it does.
> 
> It still works if I move back to my original sysctl config (and reboot).

Good! I will queue this for 1.7.4 upload (1.7.3 is already packaged and 
waiting to be uploaded)

Mark




Added tag(s) pending. Request was from Mark Hindley <mark@hindley.org.uk> to control@bugs.debian.org. (Fri, 17 Feb 2012 01:33:05 GMT)

Reply sent to Mark Hindley <mark@hindley.org.uk>:
You have taken responsibility. (Fri, 04 May 2012 18:21:04 GMT)

Notification sent to Leopold BAILLY <leo.bailly@infonie.fr>:
Bug acknowledged by developer. (Fri, 04 May 2012 18:21:04 GMT)

Message #26 received at 659669-close@bugs.debian.org:

From: Mark Hindley <mark@hindley.org.uk>
To: 659669-close@bugs.debian.org
Subject: Bug#659669: fixed in apt-cacher 1.7.4
Date: Fri, 04 May 2012 18:17:11 +0000

Source: apt-cacher
Source-Version: 1.7.4

We believe that the bug you reported is fixed in the latest version of
apt-cacher, which is due to be installed in the Debian FTP archive:

apt-cacher_1.7.4.dsc
  to main/a/apt-cacher/apt-cacher_1.7.4.dsc
apt-cacher_1.7.4.tar.gz
  to main/a/apt-cacher/apt-cacher_1.7.4.tar.gz
apt-cacher_1.7.4_all.deb
  to main/a/apt-cacher/apt-cacher_1.7.4_all.deb



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 659669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mark Hindley <mark@hindley.org.uk> (supplier of updated apt-cacher package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 02 May 2012 08:31:52 +0100
Source: apt-cacher
Binary: apt-cacher
Architecture: source all
Version: 1.7.4
Distribution: unstable
Urgency: low
Maintainer: Mark Hindley <mark@hindley.org.uk>
Changed-By: Mark Hindley <mark@hindley.org.uk>
Description: 
 apt-cacher - Caching proxy for Debian package and source files
Closes: 659669 662737 669372 669753
Changes: 
 apt-cacher (1.7.4) unstable; urgency=low
 .
   * Minimise the time a checksum DB handle is held when adding new data.
   * Close "transition towards Apache 2.4". No automatic apache
     installation in version 1.7.x, so no changes required
     (closes: #669753).
   * Use InRelease files, if available, when refreshing and patching
     (closes: #669372).
   * Remove Release and Release.gpg on cleanup if InRelease is cached.
   * Optimise initialising %valid for index files: use map().
   * Skip already deleted files in unlink_by_fh().
   * When generating internal requests, set Cache-Control: no-cache so
     that refresh is forced.
   * In debconf manual mode, disable/remove any previous daemon or inetd
     configuration.
   * Add Quantal to Ubuntu release names.
   * Only set daemon_port from ENV{SERVER_PORT} in CGI mode -- it isn't
     set when invoked from apt-cacher-cleanup.pl
   * Avoid running apt-cacher script in separate interpreter. Use an
     internal fork and do-FILE.
   * Open and lock Release and diff/Index early when attempting to pdiff.
   * When refreshing in cleanup, just do a HEAD request so we save
     transferring the body content.
   * Warn if apt-cacher-import.pl fails to chown (closes: #662737).
   * Return 502 response on all internal errors via $SIG{__DIE__} handler.
   * Remove obsolete {cache_dir}/temp on install.
   * Wait for internal requests to complete before returning
   * Bump to standards version 3.9.3 (no changes required).
   * Unset executable bit from files in debian (silence lintian warnings).
   * Transparently convert IPv4 configuration options to IPv6 when a client
     request is on an IPv6 mapped IPv4 address (::ffff:0:/32)
     (closes: #659669).
   * Recognise whole 127.0.0.1/8 block as localhost.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)

iD8DBQFPpBrc4QZIHu3wCMURAhzCAJ9HUSIp31bx9okRq4YWdRpkeecrRACeMaMc
vo5s8/MFmBxIEvTGmLy+16Y=
=YhTX
-----END PGP SIGNATURE-----





Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Tue, 12 Jun 2012 07:45:12 GMT)


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun Apr 20 06:57:20 2014; Machine Name: buxtehude.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.