DevHeads.net

How to match 2a04:5200:fff4:0 in access table?

I would like to match the 2a04:5200:fff4:0 IPv6 addresses (/64 block)
in an access table (and I'd like to avoid using a cidr lookup table
for specific cases). I have

2a04:5200:fff4:0 REJECT Blacklisted

However, 2a04:5200:fff4::fe was not caught.

The access(5) man page says "The access map lookup key must be in
canonical form" but this is ambiguous as RFC 5952 does not specify
canonical form for subnetworks. For instance, if the IPv6 address
is 2a04:5200:fff4:0:1:0:0:1, then its canonical form would be
2a04:5200:fff4:0:1::1, so that the 2a04:5200:fff4:0 prefix is
necessarily valid.

Comments

Re: How to match 2a04:5200:fff4:0 in access table?

By Wietse Venema at 03/12/2019 - 09:36

Vincent Lefevre:
Short answer: 2a04:5200:fff4 (strip zero octets).

Or use a cidr map for maximal control.

Wietse

Re: How to match 2a04:5200:fff4:0 in access table?

By Bill Cole at 03/12/2019 - 08:49

From the access(5) man page:

net Matches the specified IPv6 host address or subnetwork. An IPv6
    host address is a sequence of three to eight hexadecimal octet
    pairs separated by ":".
    [...]
    Subnetworks are matched by repeatedly truncating the last
    ":octetpair" from the remote IPv6 host address string until a
    match is found in the access table, or until further truncation
    is not possible.

    NOTE 1: the truncation and comparison are done with the string
    representation of the IPv6 host address. Thus, not all the ":"
    subnetworks will be tried.

"0" is not an octet pair. Demo:

# cat accessdemo
2a04:5200:fff4:0 REJECT 554 trailing zero
2a04:5200:fff4:0000 REJECT 554 trailing octet pair zeros
2a04:5200:fff4 REJECT 554 NO trailing zero

# postmap hash:accessdemo

# postmap -q 2a04:5200:fff4:0000:0001:0000:0000:0001 accessdemo

# postmap -q 2a04:5200:fff4:0000:0001:0000:0000 accessdemo

# postmap -q 2a04:5200:fff4:0000:0001:0000 accessdemo

# postmap -q 2a04:5200:fff4:0000:0001 accessdemo

# postmap -q 2a04:5200:fff4:0000 accessdemo
REJECT 554 trailing octet pair zeros

# postmap -q 2a04:5200:fff4 accessdemo
REJECT 554 NO trailing zero
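The truncation strategy from the access(5) excerpt above, modelled in Python as an added example (it is not code from this thread or from Postfix). It assumes two things: that Postfix hands the lookup the client address in the compressed inet_ntop()/RFC 5952 text form that also appears in its log lines (2a04:5200:fff4::fe, not 2a04:5200:fff4:0000:...), and that each truncation step simply cuts the string at its last ":". The table, the sample addresses and the helper names are constructed for the demonstration.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed access table with the three key spellings compared in the
# postmap demo above ("0", "0000", and no trailing field at all).
DEMO_TABLE: Dict[str, str] = {
    "2a04:5200:fff4:0": "REJECT 554 trailing zero",
    "2a04:5200:fff4:0000": "REJECT 554 trailing octet pair zeros",
    "2a04:5200:fff4": "REJECT 554 NO trailing zero",
}


def client_addr_string(addr: str) -> str:
    """Text form of the client address as inet_ntop()/RFC 5952 print it:
    longest zero run collapsed to '::', leading zeros dropped.
    Assumption: this is the string Postfix feeds into the lookup, so any
    other spelling of the same address is normalised to it first."""
    return str(ipaddress.IPv6Address(addr))


def lookup_keys(addr_string: str) -> List[str]:
    """Keys tried for one IPv6 client address, per access(5): the full
    string, then repeatedly cut at the last ':' until no ':' is left.
    The cut is purely textual, so a '::' collapses in two steps and the
    zero groups it stands for never appear as keys of their own (this is
    what NOTE 1 in the man page warns about)."""
    keys = [addr_string]
    key = addr_string
    while ":" in key:
        key = key[: key.rfind(":")]
        keys.append(key)
    return keys


def access_lookup(addr: str, table: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """First (key, action) hit for a client address, or None (DUNNO)."""
    for key in lookup_keys(client_addr_string(addr)):
        if key in table:
            return key, table[key]
    return None


def compare_keys(addrs: List[str]) -> Dict[str, Dict[str, Optional[str]]]:
    """For each candidate table key, which of the addresses it catches.
    Every key is tested on its own, as a one-entry table."""
    result: Dict[str, Dict[str, Optional[str]]] = {}
    for key, action in DEMO_TABLE.items():
        hits: Dict[str, Optional[str]] = {}
        for addr in addrs:
            hit = access_lookup(addr, {key: action})
            hits[addr] = hit[0] if hit else None
        result[key] = hits
    return result


if __name__ == "__main__":
    samples = [
        "2a04:5200:fff4::fe",     # the address the question says was not caught
        "2a04:5200:fff4:0:1::1",  # the question's example: keeps a literal ':0' field
        "2a04:5200:fff4:1::1",    # same /48, different /64: not meant to be blacklisted
    ]
    for addr in samples:
        print(addr, "->", lookup_keys(client_addr_string(addr)))
    for key, hits in compare_keys(samples).items():
        print(repr(key), hits)
```

Running it shows why the thread's three answers are all consistent: with the key "2a04:5200:fff4:0", the address 2a04:5200:fff4::fe is never matched because the "::" hides the fourth group, while 2a04:5200:fff4:0:1::1 is matched because its fourth group is printed as a literal "0"; the key "2a04:5200:fff4:0000" matches nothing, since the compressed form never contains "0000"; and the key "2a04:5200:fff4" catches both. The caveat is the last line of the output: "2a04:5200:fff4" also catches 2a04:5200:fff4:1::1, which is in the same /48 but outside the /64 the question asked about. String truncation cannot express a /64 boundary on a zero fourth group, which is why the cidr map suggested in the thread is the right tool when the exact prefix length matters.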

Re: How to match 2a04:5200:fff4:0 in access table?

By Vincent Lefevre at 03/12/2019 - 09:16

On 2019-03-12 08:49:28 -0400, Bill Cole wrote:
OK, so you mean that "0" must be written as "0000"?

Then why does the access(5) man page say "The access map lookup key
must be in canonical form" while "0000" is not the canonical form?

According to https://tools.ietf.org/html/rfc5952

Leading zeros MUST be suppressed. For example, 2001:0db8::0001 is
not acceptable and must be represented as 2001:db8::1. A single
16-bit 0000 field MUST be represented as 0.

Re: How to match 2a04:5200:fff4:0 in access table?

By Bill Cole at 03/12/2019 - 10:00

Yes, if you need it to match (i.e., if it isn't just a placeholder).

I have no answer for that. All I know is what actually works.

The RFC definition of "canonical form" is arguably inconsistent with the
description of the required format for Postfix and its matching strategy
in the access(5) man page.