tech-net archive


Re: blacklistd and IPv6 mapped IPv4 addresses



> I noticed that some servers (proftpd) report their IPv4 connections
> as IPv6 mapped addresses: ::ffff:x.y.z.w.  Adding these addresses to
> npf, works just fine (after I fixed the parser), but the packet
> filter does not block connections from them because the rule does not
> match.

Does proftpd actually use an AF_INET6 socket with the v4mapped address,
or is it using AF_INET sockets and just printing them that way?

My own take on the POLS here is that a v4 filter entry should stop any
matching v4 packets; a v4mapped v6 filter entry should stop any attempt
to receive matching traffic on a v4mapped v6 socket but should not
interfere with a native v4 socket.  (I think v4mapped v6 is supposed to
never appear on the wire, right?  If it does appear on the wire, IMO
the v6 filter should block it completely but the v4 filter should block
it only for v4 sockets.)

That is, however, written deliberately suppressing the knowledge that
it may be difficult to do.  I think it would be an acceptable
approximation for the filters to block only when they match the packets
on the wire, which in this case means either (a) that proftpd should be
reporting v4 connections in v4 format even if it's handling them via
v4mapped v6 sockets or (b) blacklistd should recognize them and add v4
entries.  Which one is better depends on how you squint your mind.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse%rodents-montreal.org@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
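Option (b) above, blacklistd recognizing v4-mapped entries and emitting v4 ones, amounts to the following normalization. This is an added example, not code from blacklistd, npf or proftpd, and the function names normalize_addr and normalize_sockaddr are hypothetical. It handles the textual form a daemon reports (::ffff:a.b.c.d becomes a.b.c.d, native v4 and v6 are kept) and the socket-address form a daemon would get from getpeername() on an AF_INET6 socket, which is the case the first question in the reply asks about. The sample inputs are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/*
 * Normalize a textual address the way a filter-feeding consumer could
 * (hypothetical helper): "::ffff:a.b.c.d" is rewritten to "a.b.c.d",
 * a native v6 or native v4 address is re-emitted unchanged.
 * Returns the family of the result (AF_INET or AF_INET6), or -1 when
 * the input parses as neither.
 */
int normalize_addr(const char *in, char *out, size_t outlen)
{
    struct in_addr a4;
    struct in6_addr a6;

    if (inet_pton(AF_INET, in, &a4) == 1) {
        if (inet_ntop(AF_INET, &a4, out, outlen) == NULL)
            return -1;
        return AF_INET;
    }
    if (inet_pton(AF_INET6, in, &a6) != 1)
        return -1;
    if (IN6_IS_ADDR_V4MAPPED(&a6)) {
        /* the embedded IPv4 address sits in the low 32 bits */
        memcpy(&a4, &a6.s6_addr[12], sizeof(a4));
        if (inet_ntop(AF_INET, &a4, out, outlen) == NULL)
            return -1;
        return AF_INET;
    }
    if (inet_ntop(AF_INET6, &a6, out, outlen) == NULL)
        return -1;
    return AF_INET6;
}

/*
 * Same normalization on a socket address, e.g. what getpeername() fills
 * in for a connection accepted on an AF_INET6 listener: a sockaddr_in6
 * carrying a v4-mapped address is rewritten into a sockaddr_in (port
 * preserved) so that a v4 packet-filter rule can be generated from it.
 * Returns 1 if ss was rewritten, 0 if it was left alone.
 * (sin_len is not set here for portability; a BSD build would set it.)
 */
int normalize_sockaddr(struct sockaddr_storage *ss)
{
    struct sockaddr_in6 *sin6;
    struct sockaddr_in sin;

    if (ss->ss_family != AF_INET6)
        return 0;
    sin6 = (struct sockaddr_in6 *)ss;
    if (!IN6_IS_ADDR_V4MAPPED(&sin6->sin6_addr))
        return 0;
    memset(&sin, 0, sizeof(sin));
    sin.sin_family = AF_INET;
    sin.sin_port = sin6->sin6_port;
    memcpy(&sin.sin_addr, &sin6->sin6_addr.s6_addr[12], sizeof(sin.sin_addr));
    memset(ss, 0, sizeof(*ss));
    memcpy(ss, &sin, sizeof(sin));
    return 1;
}

int main(void)
{
    /* constructed sample inputs, not taken from a real proftpd log */
    const char *samples[] = { "::ffff:192.0.2.10", "192.0.2.10",
                              "2001:db8::1", "::ffff:0:0" };
    char buf[INET6_ADDRSTRLEN];
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int af = normalize_addr(samples[i], buf, sizeof(buf));
        printf("%-20s -> %s (%s)\n", samples[i], af < 0 ? "?" : buf,
               af == AF_INET ? "v4 rule" :
               af == AF_INET6 ? "v6 rule" : "unparsable");
    }
    return 0;
}
```

The point of doing the rewrite at the consumer rather than in the daemon is the one the reply makes: the filter only ever sees v4 packets on the wire for these connections, so a rule keyed on ::ffff:a.b.c.d never matches, whereas a rule keyed on a.b.c.d blocks them regardless of which socket family the daemon happened to accept them on.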

