Subject: lib/16810: libwrap IPv6 support does not handle scoped address correctly
To: None <gnats-bugs@gnats.netbsd.org>
From: None <itojun@itojun.org>
List: netbsd-bugs
Date: 05/14/2002 23:26:16
>Number: 16810
>Category: lib
>Synopsis: libwrap IPv6 support does not handle scoped address correctly
>Confidential: no
>Severity: serious
>Priority: medium
>Responsible: lib-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Tue May 14 07:27:00 PDT 2002
>Closed-Date:
>Last-Modified:
>Originator: Jun-ichiro itojun Hagino
>Release: NetBSD 1.5.x and current
>Organization:
itojun.org
>Environment:
System: NetBSD coconut.itojun.org 1.5.3_ALPHA NetBSD 1.5.3_ALPHA (COCONUT) #11: Thu Jan 17 18:59:51 JST 2002 itojun@coconut.itojun.org:/export/home/itojun/NetBSD15/src/sys/arch/i386/compile/COCONUT i386
>Description:
libwrap IPv6 support uses IPv4-mapped addresses (::ffff:10.1.1.1)
internally when comparing address/mask in /etc/hosts.{allow,deny}.
It does not handle scoped IPv6 addresses at all.
While this makes it easier for libwrap to deal with the IPv4-mapped
address case (an IPv4 connection towards an AF_INET6 socket),
it makes it impossible to write a hosts.{allow,deny} rule that
takes scoped IPv6 addresses into account. For example, it is not possible
to have a rule that allows fe80::%fxp0/64 while denying fe80::%fxp1/64.
>How-To-Repeat:
Code inspection.
>Fix:
Avoid IPv4-mapped addresses; it was a very bad idea after all.
>Release-Note:
>Audit-Trail:
>Unformatted:
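
The rule pair from the description (allow fe80::%fxp0/64, deny fe80::%fxp1/64) depends on comparing the scope as well as the address bits. The following is an added example, not libwrap code and not part of the original report: it contrasts a scope-blind prefix match with one that also checks `sin6_scope_id`. The function names and the numeric scope ids standing in for fxp0 and fxp1 are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for if_nametoindex("fxp0") / ("fxp1"). */
enum { SCOPE_FXP0 = 1, SCOPE_FXP1 = 2 };

/* Build a sockaddr_in6 from a numeric address and an interface (scope) index. */
static struct sockaddr_in6 mk6(const char *addr, unsigned scope)
{
    struct sockaddr_in6 sa;
    memset(&sa, 0, sizeof(sa));
    sa.sin6_family = AF_INET6;
    inet_pton(AF_INET6, addr, &sa.sin6_addr);
    sa.sin6_scope_id = scope;
    return sa;
}

/* Return 1 if the first plen bits of a and b are equal. */
static int prefix_eq(const struct in6_addr *a, const struct in6_addr *b, int plen)
{
    int bytes = plen / 8, bits = plen % 8;
    if (plen < 0 || plen > 128 || memcmp(a->s6_addr, b->s6_addr, bytes) != 0)
        return 0;
    if (bits == 0)
        return 1;
    return ((a->s6_addr[bytes] ^ b->s6_addr[bytes]) & (0xff << (8 - bits)) & 0xff) == 0;
}

/* Match a peer against the rule fe80::%<rule_scope>/64 (hypothetical helper).
 * scoped == 0: address bits only, the scope-blind comparison.
 * scoped != 0: the peer must also have arrived on the rule's link. */
int rule_matches(unsigned rule_scope, const char *peer, unsigned peer_scope, int scoped)
{
    struct sockaddr_in6 r = mk6("fe80::", rule_scope), p = mk6(peer, peer_scope);
    if (scoped && r.sin6_scope_id != 0 && r.sin6_scope_id != p.sin6_scope_id)
        return 0;
    return prefix_eq(&r.sin6_addr, &p.sin6_addr, 64);
}

int main(void)
{
    /* Constructed peer: a link-local address seen on fxp1, tested against the fxp0 rule. */
    printf("blind:  %d\n", rule_matches(SCOPE_FXP0, "fe80::1", SCOPE_FXP1, 0));
    printf("scoped: %d\n", rule_matches(SCOPE_FXP0, "fe80::1", SCOPE_FXP1, 1));
    return 0;
}
```

With the scope ignored, a peer on fxp1 satisfies the fxp0 rule, so the allow and deny entries cannot be told apart.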