@devopsoffice-ivan

Important notices
Before you add a new report, we ask you kindly to acknowledge the following:

Is your feature request related to a problem? Please describe.
Currently, fc00::/7 and fe80::/10 networks are silently enabled and this feature is undocumented. There is no option to disable these networks.

As I understand the RFC, the purpose of the fc00::/7 network (RFC 4193) is the same as that of IPv4 private networks (RFC 1918), and it is routed on local networks.
It's confusing to me that IPv6 private networks are always allowed, but IPv4 ones are not.
fc00::/7 is configurable on interfaces, so I think networks from fc00::/7 should be enabled by selecting the interface in the Proxy interfaces selection box (/ui/proxy#subtab_proxy-forward-general). Unconfigured IP addresses or networks can be allowed in the list of allowed subnets (/ui/proxy#subtab_proxy-forward-acl).

The same problem exists with the fe80::/10 network (RFC 4291), except that it's only used on local links and not routed.

Describe the solution you'd like
I think both networks should be removed from the localnet ACLs. An fc00::/7 subnet can be allowed by configuring an address from it on an interface and adding that interface to the Proxy Interfaces list. Or you can add any network to the Allowed Subnets list.
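
An added example, not part of the original report and not OPNsense code: a small audit that lists the `localnet` ACL sources in a proxy configuration and flags any that are not covered by a subnet the operator actually configured. It assumes Squid-style `acl localnet src <cidr>` lines; the sample configuration, the subnets and the function names are constructed for illustration.

```python
import ipaddress

# Ranges the report says are always allowed, with the RFCs it cites.
IMPLICIT_V6 = {
    "fc00::/7": "RFC 4193 unique local",
    "fe80::/10": "RFC 4291 link-local",
}

# Constructed sample, not the file the firewall generates.
SAMPLE_CONF = """\
# proxy ACLs (constructed sample)
acl localnet src 192.168.10.0/24   # proxy interface subnet
acl localnet src fc00::/7
acl localnet src fe80::/10
acl localnet src fd12:3456:789a:1::/64
acl SSL_ports port 443
http_access allow localnet
"""

def localnet_sources(conf_text, acl_name="localnet"):
    """Return the networks listed in 'acl <name> src ...' lines."""
    nets = []
    for raw in conf_text.splitlines():
        fields = raw.split("#", 1)[0].split()  # drop trailing comments
        if len(fields) >= 4 and fields[:3] == ["acl", acl_name, "src"]:
            for token in fields[3:]:
                try:
                    nets.append(ipaddress.ip_network(token, strict=False))
                except ValueError:
                    pass  # not a CIDR (e.g. a quoted file include)
    return nets

def audit(conf_text, configured):
    """Flag ACL sources that no operator-configured subnet covers."""
    allowed = [ipaddress.ip_network(c) for c in configured]
    findings = []
    for net in localnet_sources(conf_text):
        covered = any(net.version == a.version and net.subnet_of(a)
                      for a in allowed)
        if not covered:
            reason = IMPLICIT_V6.get(str(net), "not in configured subnets")
            findings.append((str(net), reason))
    return findings

if __name__ == "__main__":
    # Subnets the operator selected via interfaces or the allowed-subnets list.
    for net, reason in audit(SAMPLE_CONF, ["192.168.10.0/24",
                                           "fd12:3456:789a:1::/64"]):
        print(f"unexpected localnet source {net}: {reason}")
```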
