Hi Willy,
I tracked a bug until late in the night. Working with IPv6 acls, I
discovered that some IPv4 addresses matched IPv6 subnets they shouldn't
(I think it can be the same for IPv6 addresses as well).
I could find a simple test case to reproduce it:
    acl BUG src 2804::/16
When "src" is 127.0.0.1, the acl will match.
I have to make some more tests today (after work), but I think this can
be resolved by a 1 line patch in the acl_match_ip function, by calling
htonl() on the mask:
    v4 &= (~0U) << (32-bits);
becomes:
    v4 &= htonl((~0U) << (32-bits));
But if you already are OK with this, let me know if you want a patch or
if you apply your own directly.
Have a nice day.
--
Cyril Bonté
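
The byte-order problem reported above, as an added example that is not part of the original message and is not HAProxy's code. It is a simplified model that assumes addresses are held as 16 network-order bytes and compared in 32-bit words, with an IPv4 source mapped to ::ffff:a.b.c.d; `prefix_match` and `acl_model` are hypothetical names.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <string.h>

/* Compare the first `bits` bits of two 16-byte, network-order addresses,
 * one 32-bit word at a time. fixed == 0 applies the mask in host order
 * (the behaviour reported in the message); fixed != 0 converts the mask
 * with htonl() first. Returns 1 on match, 0 otherwise. */
static int prefix_match(const uint8_t a[16], const uint8_t b[16],
                        int bits, int fixed)
{
    for (int pos = 0; bits > 0; pos += 4, bits -= 32) {
        uint32_t wa, wb, diff, mask;
        memcpy(&wa, a + pos, 4);   /* words keep network byte order */
        memcpy(&wb, b + pos, 4);
        diff = wa ^ wb;
        if (bits < 32) {           /* bits is 1..31 here, so the shift is defined */
            mask = (~0U) << (32 - bits);
            diff &= fixed ? htonl(mask) : mask;
        }
        if (diff)
            return 0;
    }
    return 1;
}

/* Assumed model: map the IPv4 text address `src` to ::ffff:a.b.c.d and
 * test it against the IPv6 subnet `net`/`bits`.
 * Returns 1 on match, 0 on no match, -1 on bad input. */
int acl_model(const char *src, const char *net, int bits, int fixed)
{
    uint8_t s[16] = {0}, n[16];

    if (bits < 0 || bits > 128)
        return -1;
    s[10] = s[11] = 0xff;
    if (inet_pton(AF_INET, src, s + 12) != 1 ||
        inet_pton(AF_INET6, net, n) != 1)
        return -1;
    return prefix_match(s, n, bits, fixed);
}
```

On a little-endian host the host-order mask keeps the last two bytes of the first word instead of the first two, so `acl_model("127.0.0.1", "2804::", 16, 0)` matches, while the same call with `fixed` set to 1 does not. The same mistake also causes false negatives: 127.0.0.1 fails to match `::ffff:127.0.0.0/104` until the mask is converted.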