Hi Alex,
I could finally reproduce your issue with 1.5-dev8. You won the jackport, this
bug has been there forever since "balance source" was introduced in 1.2.11 six
years ago ! The IP address pointer was erroneously mapped to IPv4, which is
wrong. The attached patch fixes it.
BTW, if your stud really emitted :
"PROXY TCP6 ::ffff:127.0.0.1 :: 52460 7302"
Then it is wrong since the second field ("::") is the destination address and
it cannot be zero. It's possible that it logs the IP it's listening to instead
of logging the IP the client connected to. This is not critical since it's not
used here, but dst-based ACLs or transparent forwarding would not work.
Cheers,
Willy
>From 5dd7fa1f6b8eec57bff8ff4630afd7eb3e837b5e Mon Sep 17 00:00:00 2001
From: Willy Tarreau <w...@1wt.eu>
Date: Sat, 31 Mar 2012 19:53:37 +0200
Subject: [PATCH] BUG/MEDIUM: balance source did not properly hash IPv6 addresses
The hash of IPv6 addresses was not properly aligned and resulted in the
last quarter of the address not being hashed. In practice, this is rarely
detected since MAC addresses are used in the second half. But this becomes
very visible with IPv6-mapped IPv4 addresses such as ::FFFF:1.2.3.4 where
the IPv4 part is never hashed.
This bug has been there forever, since introduction of "balance source" in
v1.2.11. The fix must then be backported to all stable versions.
Thanks to Alex Markham for reporting this issue to the list !
---
src/backend.c | 19 ++++++++++---------
1 files changed, 10 insertions(+), 9 deletions(-)
diff --git a/src/backend.c b/src/backend.c
index 39ee58b..f6e2d73 100644
--- a/src/backend.c
+++ b/src/backend.c
@@ -497,7 +497,6 @@ int assign_server(struct session *s)
clear_target(&s->target);
if (s->be->lbprm.algo & BE_LB_KIND) {
- int len;
/* we must check if we have at least one server available */
if (!s->be->lbprm.tot_weight) {
err = SRV_STATUS_NOSRV;
@@ -538,19 +537,21 @@ int assign_server(struct session *s)
switch (s->be->lbprm.algo & BE_LB_PARM) {
case BE_LB_HASH_SRC:
- if (s->req->prod->addr.from.ss_family ==
AF_INET)
- len = 4;
- else if (s->req->prod->addr.from.ss_family ==
AF_INET6)
- len = 16;
+ if (s->req->prod->addr.from.ss_family ==
AF_INET) {
+ srv = get_server_sh(s->be,
+ (void *)&((struct
sockaddr_in *)&s->req->prod->addr.from)->sin_addr,
+ 4);
+ }
+ else if (s->req->prod->addr.from.ss_family ==
AF_INET6) {
+ srv = get_server_sh(s->be,
+ (void *)&((struct
sockaddr_in6 *)&s->req->prod->addr.from)->sin6_addr,
+ 16);
+ }
else {
/* unknown IP family */
err = SRV_STATUS_INTERNAL;
goto out;
}
-
- srv = get_server_sh(s->be,
- (void *)&((struct
sockaddr_in *)&s->req->prod->addr.from)->sin_addr,
- len);
break;
case BE_LB_HASH_URI:
--
1.7.2.1.45.g54fbc
