On 06/14/2013 12:20 PM, Christian Rohmann wrote:

On 14.06.2013 14:06, Christian Rohmann wrote:
Following the instructions on http://www.policyd.org/content/greylisting
to create a policy just matching IPv6 addresses (using '::/0' as source
filter) does not work anymore. But it worked with a much older fetch of
the git repo.
Just to clarify: It appears to work with 0::/0 or any address with a
mask of /0. It's just that ::/0 is a valid IPv6 CIDR ... and is stated
in the documentation to greylisting.


Attached patch for better IPv6 matching, to be applied to latest git.

Big thanks goes to Simon Stähelin for testing!

-N
diff --git a/cbp/policies.pm b/cbp/policies.pm
index ab2c87a..0298a16 100644
--- a/cbp/policies.pm
+++ b/cbp/policies.pm
@@ -319,6 +319,12 @@ sub policySourceItemMatches
 	my ($negate,$tmpItem) = ($rawItem =~ /^(!)?(.*)/);
 	# See if we match %, if we do its a group
 	my ($isGroup,$item) = ($tmpItem =~ /^(%)?(.*)/);
+	# IPv6 match components
+	my $v6c = '[a-f\d]{1,4}';
+	my $v6cg = "(?:$v6c:){0,6}";
+	my $v6c1 = "$v6cg?:?:?$v6cg?(?:$v6c)?";
+	my $v6m = '(?:\/\d{1,3})';
+	my $v6 = "$v6c1$v6m?";
 	
 	# Check if this is a group
 	my $match = 0;
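Review bot: every part of `$v6c1` is optional, so the resulting `$v6` matches the empty string, a lone `:`, a bare `/0`, a plain hex word such as `cafe`, and strings with up to 13 groups, not only the `::/0` case this thread is about. Suggest requiring either a `::` or a full eight groups in the address part, so that `::` on its own is allowed without making everything else optional. The pattern could also be compiled once with `qr//` at file scope, rather than rebuilt from five `my` string assignments on every call to policySourceItemMatches.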
@@ -370,7 +376,7 @@ sub policySourceItemMatches
 		# Match IPv4 or IPv6
 		if (
 			$item =~ /^(?:\d{1,3})(?:\.(?:\d{1,3})(?:\.(?:\d{1,3})(?:\.(?:\d{1,3}))?)?)?(?:\/(\d{1,2}))?$/ ||
-			$item =~ /^(?:::(?:[a-f\d]{1,4}:){0,6}?[a-f\d]{1,4}|[a-f\d]{1,4}(?::[a-f\d]{1,4}){0,6}?::|[a-f\d]{1,4}(?::[a-f\d]{1,4}){0,6}?::(?:[a-f\d]{1,4}:){0,6}?[a-f\d]{1,4})(?:\/\d{1,3})?$/i
+			$item =~ /^$v6$/i
 		) {
 			# See if we get an object from 
 			my $matchRange = new awitpt::netip($item);
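Review bot: with `$item =~ /^$v6$/i` the IPv6 alternative no longer requires a `::` anywhere, so short forms such as `1:2` now pass the regex and reach `new awitpt::netip($item)`, and the mask is still only limited by `\d{1,3}`. Address validity therefore rests entirely on that constructor. Please confirm its failure case is handled for such items, and extend the `# Match IPv4 or IPv6` comment to say the regex is only a loose pre-filter whose definition lives at the top of the sub.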
@@ -385,7 +391,7 @@ sub policySourceItemMatches
 		# Match peer IPv4 or IPv6 (the server requesting the policy)
 		} elsif (
 			$item =~ /^\[((?:\d{1,3})(?:\.(?:\d{1,3})(?:\.(?:\d{1,3})(?:\.(?:\d{1,3}))?)?)?(?:\/(\d{1,2}))?)\]$/ ||
-			$item =~ /^\[((?:::(?:[a-f\d]{1,4}:){0,6}?[a-f\d]{1,4}|[a-f\d]{1,4}(?::[a-f\d]{1,4}){0,6}?::|[a-f\d]{1,4}(?::[a-f\d]{1,4}){0,6}?::(?:[a-f\d]{1,4}:){0,6}?[a-f\d]{1,4})(?:\/\d{1,3})?)\]$/i
+			$item =~ /^\[($v6)\]$/i
 		) {
 			# We don't want the [ and ]
 			my $cleanItem = $1;
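Review bot: in `$item =~ /^\[($v6)\]$/i` the capture can be empty because `$v6` matches the empty string, so `[]` and `[/0]` are accepted as peer items and `$cleanItem` ends up empty or mask-only. Suggest rejecting an empty or mask-only `$cleanItem` right after the assignment, or tightening `$v6` so the address part needs at least a `::` or one group.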
