tech-net archive


blacklistd and IPv6 mapped IPv4 addresses



Hi,

I noticed that some servers (proftpd) report their IPv4 connections
as IPv6 mapped addresses: ::ffff:x.y.z.w. Adding these addresses to npf
works just fine (after I fixed the parser), but the packet filter does not
block connections from them because the rule does not match, presumably
because the connections are processed by the IPv4 part of the stack and
there is no rule to match that.

What should blacklistd do? Recognize the mapped v4 addresses and convert
them to real v4 addresses and send those to the packet filter? Is that
guaranteed to work across different OSes? Or send both the v4 and mapped
v6 variants to the packet filter?

Or is it the responsibility of the packet filter to know that this is
a mapped v4 address and DTRT?

Thanks,

christos
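
The first option raised in the message (recognize the mapped address and hand the packet filter a real IPv4 address), sketched as an added example that is not part of the original message and not blacklistd's code. `unmap_v4mapped` and `canonical_text` are hypothetical names, and the address in `main` is a constructed sample.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>

/* Hypothetical helper, not blacklistd code: rewrite ::ffff:a.b.c.d in *ss as
 * AF_INET (IPv4 = last 4 address bytes). Returns 1 if converted, else 0. */
int unmap_v4mapped(struct sockaddr_storage *ss)
{
	struct sockaddr_in6 in6;
	struct sockaddr_in in4;
	if (ss->ss_family != AF_INET6)
		return 0;
	memcpy(&in6, ss, sizeof(in6));
	if (!IN6_IS_ADDR_V4MAPPED(&in6.sin6_addr))
		return 0;
	memset(&in4, 0, sizeof(in4));
	in4.sin_family = AF_INET;	/* on NetBSD also set in4.sin_len */
	in4.sin_port = in6.sin6_port;
	memcpy(&in4.sin_addr, &in6.sin6_addr.s6_addr[12], sizeof(in4.sin_addr));
	memset(ss, 0, sizeof(*ss));
	memcpy(ss, &in4, sizeof(in4));
	return 1;
}

/* Parse IPv6 text, unmap it if needed, and write the address text to hand
 * to the packet filter. Returns the address family, or -1 on error. */
int canonical_text(const char *text, char *buf, socklen_t len)
{
	struct sockaddr_storage ss;
	struct sockaddr_in6 in6;
	struct sockaddr_in in4;
	memset(&ss, 0, sizeof(ss));
	memset(&in6, 0, sizeof(in6));
	in6.sin6_family = AF_INET6;
	if (inet_pton(AF_INET6, text, &in6.sin6_addr) != 1)
		return -1;
	memcpy(&ss, &in6, sizeof(in6));
	if (!unmap_v4mapped(&ss))
		return inet_ntop(AF_INET6, &in6.sin6_addr, buf, len) ? AF_INET6 : -1;
	memcpy(&in4, &ss, sizeof(in4));
	return inet_ntop(AF_INET, &in4.sin_addr, buf, len) ? AF_INET : -1;
}

int main(void)
{
	char buf[INET6_ADDRSTRLEN];	/* constructed sample address below */
	return canonical_text("::ffff:192.0.2.10", buf, sizeof(buf)) == AF_INET ? puts(buf) < 0 : 1;
}
```

Native IPv6 addresses pass through unchanged, so only the mapped form is rewritten before it reaches the filter.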

