On 12 Mar 2019, at 7:53, Vincent Lefevre wrote:
> I would like to match the 2a04:5200:fff4:0 IPv6 addresses (/64 block)
> in an access table (and I'd like to avoid using a cidr lookup table
> for specific cases). I have
> 2a04:5200:fff4:0 REJECT Blacklisted
> However, 2a04:5200:fff4::fe was not caught.
> The access(5) man page says "The access map lookup key must be in
> canonical form" but this is ambiguous as RFC 5952 does not specify
> canonical form for subnetworks. For instance, if the IPv6 address
> is 2a04:5200:fff4:0:1:0:0:1, then its canonical form would be
> 2a04:5200:fff4:0:1::1, so that the 2a04:5200:fff4:0 prefix is
> necessarily valid.
From the access(5) man page:
       net    Matches the specified IPv6 host address or subnetwork. An IPv6
              host address is a sequence of three to eight hexadecimal octet
              pairs separated by ":".
              [...]
              Subnetworks are matched by repeatedly truncating the last
              ":octetpair" from the remote IPv6 host address string until a
              match is found in the access table, or until further truncation
              is not possible.

              NOTE 1: the truncation and comparison are done with the string
              representation of the IPv6 host address. Thus, not all the ":"
              subnetworks will be tried.
"0" is not an octet pair. Demo:
# cat accessdemo
2a04:5200:fff4:0 REJECT 554 trailing zero
2a04:5200:fff4:0000 REJECT 554 trailing octet pair zeros
2a04:5200:fff4 REJECT 554 NO trailing zero
# postmap hash:accessdemo
# postmap -q 2a04:5200:fff4:0000:0001:0000:0000:0001 accessdemo
# postmap -q 2a04:5200:fff4:0000:0001:0000:0000 accessdemo
# postmap -q 2a04:5200:fff4:0000:0001:0000 accessdemo
# postmap -q 2a04:5200:fff4:0000:0001 accessdemo
# postmap -q 2a04:5200:fff4:0000 accessdemo
REJECT 554 trailing octet pair zeros
# postmap -q 2a04:5200:fff4 accessdemo
REJECT 554 NO trailing zero
--
Bill Cole
b...@scconsult.com or billc...@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Available For Hire: https://linkedin.com/in/billcole
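As an added example (not Postfix code, and not part of Bill Cole's message), here is a small Python model of the subnetwork matching that the access(5) excerpt above describes: parse the accessdemo table, then try the client address string and each successive truncation at the last ":" as an exact key, the same kind of exact lookup that postmap -q performs. It is built only from the man page text and the demo table, so the way "::" in a compressed address produces a candidate key ending in ":" is an assumption about purely textual truncation, not something verified against a particular Postfix version. The extra test addresses (2a04:5200:fff4:0:1::1 from the question, and 2001:db8::1 as a non-matching control) are constructed inputs.

```python
# Added example: a model of the IPv6 subnetwork lookup described in access(5).
# Not Postfix's own code; the truncation rule is taken from the man page text.

ACCESSDEMO_TEXT = """\
# constructed copy of the accessdemo table from the message
2a04:5200:fff4:0 REJECT 554 trailing zero
2a04:5200:fff4:0000 REJECT 554 trailing octet pair zeros
2a04:5200:fff4 REJECT 554 NO trailing zero
"""


def parse_access_table(text):
    """Parse access(5)-style lines ("key whitespace action") into a dict.

    Blank lines and '#' comments are skipped. Keys are kept verbatim: no
    IPv6 parsing or normalisation happens here, just as postmap stores the
    literal key string.
    """
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, action = line.split(None, 1)
        table[key] = action.strip()
    return table


def candidate_keys(addr):
    """Return the lookup keys tried for an IPv6 address string, in order.

    Modelled on access(5): the full host address first, then the string with
    the last ":octetpair" cut off, repeated until no ":" remains. The cut is
    purely textual, so a compressed "::" yields a key ending in ":" (assumed
    from the man page's NOTE 1, not checked against Postfix source).
    """
    keys = [addr]
    while ":" in addr:
        addr = addr.rsplit(":", 1)[0]
        keys.append(addr)
    return keys


def lookup(addr, table):
    """Return (matched_key, action) for the first candidate found, else None."""
    for key in candidate_keys(addr):
        if key in table:
            return key, table[key]
    return None


ACCESSDEMO = parse_access_table(ACCESSDEMO_TEXT)

if __name__ == "__main__":
    for addr in (
        "2a04:5200:fff4:0000:0001:0000:0000:0001",  # uncompressed, as in the demo
        "2a04:5200:fff4::fe",                       # the address from the question
        "2a04:5200:fff4:0:1::1",                    # canonical form cited in the question
        "2001:db8::1",                              # constructed non-matching control
    ):
        print(addr)
        print("  tried :", candidate_keys(addr))
        print("  result:", lookup(addr, ACCESSDEMO))
```

Running it shows why the "2a04:5200:fff4:0" entry is never reached for the uncompressed address: the candidates walk through "...:0000:0001", "...:0000" and then "2a04:5200:fff4", so only the octet-pair key "2a04:5200:fff4:0000" or the three-pair prefix can match. For the compressed 2a04:5200:fff4::fe the textual truncation goes through "2a04:5200:fff4:" and then "2a04:5200:fff4", which is the entry with no trailing field at all, matching the demo's third line. Whether a single-"0" key is ever tried depends entirely on how the canonical string happens to compress, which is the point of NOTE 1 in the man page; the three-pair prefix 2a04:5200:fff4 is the robust way to express this block in a non-cidr access map.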