On Wed, Feb 05, 2003 at 02:03:20PM +1100, Robert Collins wrote:
> Yep. first off, the IN_ADDR abstraction.... A local class to
> encapsulate that abstraction, and any other related ones, may be
> useful, and thus less ugly.
IN_ADDR is part-way there already. What is really needed is something
like hostaddr_t (better name anyone?) and a plethora of functions to
deal with this... such a patch in itself would be enormous I should
think though (we also need to audit all uses of INADDR_ANY &
INADDR_BROADCAST as these are magical values for many things such as
disabling functions or 'same as incoming address'). Ick.
There are also various users of s_addr, etc. that I really don't
understand, for example in the delay pools code we have:
host = ntohl(ch.src_addr.s_addr) & 0xff;
host = ntohl(ch.src_addr.s_addr) & 0xffff;
and similar. I really have no idea what the intention there is, I'm
guessing it's some kind of implicit classful-netmask logic or
something?
> Regarding acls and configuration: We need to allow the current
> configuration unchanged w.r.t. ip address syntax.
Sure, I quite agree.
> IPv6 deliberately doesn't conflict with ipv4 notation, so handling
> both should be straightforward. For ACLs, I'd be inclined to
> start off with an ip6 specific src_6 and dst_6 approach, and examine
> merging them (i.e. what does it take to compare 127.0.0.1 with
> 127:::::1 or whatever it is?
No, this isn't a problem. The current code deals with this mostly.
The crux of the issue is that where various addresses in a network are
unique in IPv4 land, there may not be in IPv6 land.
Some quick ramblings off the top of my head...
* IPv4 encapsulated IPv6 addresses of the form ::ffff:a.b.c.d
mean existing IPv4 ACLs will fail as-is
* IPv6 localhost is ::1 --- but we can also see inbound connections
as ::ffff:127.0.0.1 ?
* Hosts (other-hosts, cache clients for example) in the same subnet
could appear as
ipv6-address of other-host
ipv4-mapped-ipv4 address of other-host
site-local address of other-host
Maybe ACLs should be abstracted so the concept of "localhost" is "all
addresses that match localhost" and the concept of a network is "all
reasonable representations of this network"? This would also mean
something like
acl foo src some.host
would work when some.host has multiple AAAA and/or A records to match
*any* of them?
> Anyhoo, if you are interested, sign up on sourceforge as a
> developer, and email me /the list your user name.
My time is very limited and my original post was basically a "hey,
this doesn't work by default but it's not hard to get it
sorta-working, what future plans are there to fix and merge this
stuff" sort of thing.
I'd really like to have suggestions on how to deal with these issues
first and some idea of who else is prepared to work with these
potentially nasty issues.
--cw
Received on Tue Feb 04 2003 - 22:28:15 MST
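The following is an added example, not code from the message above or from Squid itself. It sketches the hostaddr_t idea from the reply: every address is stored in one canonical 128-bit form (IPv4 literals become IPv4-mapped ::ffff:a.b.c.d), so an IPv4 ACL entry such as 127.0.0.0/8 matches a connection that arrives as ::ffff:127.0.0.1, and a "localhost" ACL can list both 127.0.0.0/8 and ::1/128. The names hostaddr_t, acl_entry_t, acl_match, is_localhost and in_example_lan, and the 192.168.0.0/16 network, are assumptions made for this example.

```c
#define _POSIX_C_SOURCE 200112L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <arpa/inet.h>
#include <netinet/in.h>

/* Hypothetical canonical host address: always a 128-bit in6_addr.
 * IPv4 input is stored as an IPv4-mapped address (::ffff:a.b.c.d), so
 * "127.0.0.1" and "::ffff:127.0.0.1" become byte-for-byte identical. */
typedef struct {
    struct in6_addr a6;
} hostaddr_t;

/* Parse an IPv4 or IPv6 literal into canonical form. Returns 1 on success. */
static int hostaddr_parse(const char *s, hostaddr_t *out)
{
    struct in_addr a4;
    memset(out, 0, sizeof *out);
    if (inet_pton(AF_INET, s, &a4) == 1) {
        out->a6.s6_addr[10] = 0xff;             /* ::ffff: prefix */
        out->a6.s6_addr[11] = 0xff;
        memcpy(&out->a6.s6_addr[12], &a4, 4);   /* a.b.c.d in the low 32 bits */
        return 1;
    }
    return inet_pton(AF_INET6, s, &out->a6) == 1;
}

/* Does addr lie within net/prefix? prefix counts bits of the canonical
 * 128-bit form; an IPv4 prefix length p is passed as 96 + p. */
static int hostaddr_in_net(const hostaddr_t *addr, const hostaddr_t *net, int prefix)
{
    int i;
    for (i = 0; i < 16 && prefix > 0; i++, prefix -= 8) {
        unsigned char mask = prefix >= 8 ? 0xff : (unsigned char)(0xff << (8 - prefix));
        if ((addr->a6.s6_addr[i] & mask) != (net->a6.s6_addr[i] & mask))
            return 0;
    }
    return 1;
}

/* One ACL entry: a canonical network plus its prefix length in canonical bits. */
typedef struct {
    hostaddr_t net;
    int prefix;
} acl_entry_t;

/* Parse "addr" or "addr/len" in either family. Returns 1 on success. */
static int acl_entry_parse(const char *spec, acl_entry_t *e)
{
    char buf[64];
    char *slash;
    int is_v4;
    if (strlen(spec) >= sizeof buf)
        return 0;
    strcpy(buf, spec);
    slash = strchr(buf, '/');
    if (slash)
        *slash++ = '\0';
    is_v4 = strchr(buf, ':') == NULL;           /* no colon: IPv4 literal */
    if (!hostaddr_parse(buf, &e->net))
        return 0;
    e->prefix = slash ? atoi(slash) : (is_v4 ? 32 : 128);
    if (e->prefix < 0 || e->prefix > (is_v4 ? 32 : 128))
        return 0;
    if (is_v4)
        e->prefix += 96;                        /* shift into the mapped range */
    return 1;
}

/* Returns 1 if the address literal matches any entry of the ACL. */
static int acl_match(const char *addr, const char *const *specs, int n)
{
    hostaddr_t a;
    int i;
    if (!hostaddr_parse(addr, &a))
        return 0;
    for (i = 0; i < n; i++) {
        acl_entry_t e;
        if (acl_entry_parse(specs[i], &e) && hostaddr_in_net(&a, &e.net, e.prefix))
            return 1;
    }
    return 0;
}

/* "localhost" as every representation of the loopback address. */
static const char *const localhost_acl[] = { "127.0.0.0/8", "::1/128" };
static int is_localhost(const char *addr)
{
    return acl_match(addr, localhost_acl, 2);
}

/* A constructed IPv4-only ACL, to show mapped addresses matching it. */
static const char *const example_lan_acl[] = { "192.168.0.0/16" };
static int in_example_lan(const char *addr)
{
    return acl_match(addr, example_lan_acl, 1);
}

int main(void)
{
    const char *probes[] = { "127.0.0.1", "::ffff:127.0.0.1", "::1", "::2", "::ffff:192.168.5.6" };
    size_t i;
    for (i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("%-20s localhost=%d lan=%d\n", probes[i], is_localhost(probes[i]), in_example_lan(probes[i]));
    return 0;
}
```

The same canonical form would let a `src some.host` entry hold one hostaddr_t per A and AAAA record and match the candidate against each of them.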