Bug#832803: postfix: cidr_table(5) man page: description of IPv6 network address is incomplete

2016-07-29 Thread Vincent Lefevre
On 2016-07-29 17:39:01 -0400, Scott Kitterman wrote:
> On Friday, July 29, 2016 02:27:47 AM Vincent Lefevre wrote:
> > Package: postfix
> > Version: 3.1.0-4
> > Severity: minor
> > 
> > The cidr_table(5) man page contains:
> > 
> >   When  a  search  string matches the specified network block, use
> >   the corresponding result value. Specify 0.0.0.0/0 to match every
> >   IPv4 address, and ::/0 to match every IPv6 address.
> > 
> >   An  IPv4  network  address  is a sequence of four decimal octets
> >   separated by ".", and an IPv6 network address is a  sequence  of
> >   three to eight hexadecimal octet pairs separated by ":".
> > 
> > but :: is not of the form: a sequence of three to eight hexadecimal
> > octet pairs separated by ":". Is the standard "::" zero compression
> > accepted (RFC 4291) more generally?
> > 
> > Moreover, examples with IPv6 addresses could be added in Section
> > "EXAMPLE SMTPD ACCESS MAP".
> 
> I've reviewed the man page in question.  I think you stopped just a little too
> soon:
> 
> > Before comparisons are made, lookup keys and table entries
> > are converted from string to binary. Therefore table entries
> > will be matched regardless of redundant zero characters.
> 
> I think that answers your question.

Not really. If I understand correctly, "redundant zero characters"
means things like 1 vs 01 vs 001, etc. Note that in RFC 4291, "::"
is *not* equivalent to ":0:", so that's beyond redundant zero
characters. Zero compression is a specific rule for IPv6 addresses.

Moreover, it seems that in RFC 4291, there are always 8 octet pairs
(not 3 to 8), possibly implied by zero compression. Examples that are
given in the RFC:

  2001:0DB8:0000:CD30:0000:0000:0000:0000/60
  2001:0DB8::CD30:0:0:0:0/60
  2001:0DB8:0:CD30::/60

But if zero compression is allowed with 'three to eight hexadecimal
octet pairs separated by ":"', this becomes completely unspecified.

-- 
Vincent Lefèvre  - Web: 
100% accessible validated (X)HTML - Blog: 
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
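
The point under discussion, as an added example that is not part of the thread or of Postfix: once patterns and lookup keys are converted to binary, the three RFC 4291 spellings of one prefix denote the same block, while "::" stands for a run of zero groups rather than a single ":0:". Python's `ipaddress` module is used here as a stand-in parser (an assumption; it is not Postfix's own parser), and the table contents and results are constructed.

```python
import ipaddress

# Constructed sample table in "pattern  result" form (not from the thread).
SAMPLE_TABLE = """\
# network block         result
2001:0DB8:0:CD30::/60   REJECT
::/0                    OK
0.0.0.0/0               OK
"""

# The three spellings of one /60 prefix listed in RFC 4291, section 2.3.
RFC_FORMS = [
    "2001:0DB8:0000:CD30:0000:0000:0000:0000/60",
    "2001:0DB8::CD30:0:0:0:0/60",
    "2001:0DB8:0:CD30::/60",
]

def parse_table(text):
    """Convert each 'pattern result' line to (binary network, result)."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        pattern, result = line.split(None, 1)
        table.append((ipaddress.ip_network(pattern), result))
    return table

def lookup(table, key):
    """Return the result of the first network block containing key."""
    addr = ipaddress.ip_address(key)
    for net, result in table:
        if addr.version == net.version and addr in net:
            return result
    return None

def same_block(patterns):
    """True if all patterns denote the same network once parsed."""
    return len({ipaddress.ip_network(p) for p in patterns}) == 1

def is_valid(address):
    """True if Python's parser accepts the textual IPv6 address."""
    try:
        ipaddress.IPv6Address(address)
        return True
    except ValueError:
        return False
```
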



Bug#832803: postfix: cidr_table(5) man page: description of IPv6 network address is incomplete

2016-07-29 Thread Scott Kitterman
On Friday, July 29, 2016 02:27:47 AM Vincent Lefevre wrote:
> Package: postfix
> Version: 3.1.0-4
> Severity: minor
> 
> The cidr_table(5) man page contains:
> 
>   When  a  search  string matches the specified network block, use
>   the corresponding result value. Specify 0.0.0.0/0 to match every
>   IPv4 address, and ::/0 to match every IPv6 address.
> 
>   An  IPv4  network  address  is a sequence of four decimal octets
>   separated by ".", and an IPv6 network address is a  sequence  of
>   three to eight hexadecimal octet pairs separated by ":".
> 
> but :: is not of the form: a sequence of three to eight hexadecimal
> octet pairs separated by ":". Is the standard "::" zero compression
> accepted (RFC 4291) more generally?
> 
> Moreover, examples with IPv6 addresses could be added in Section
> "EXAMPLE SMTPD ACCESS MAP".

I've reviewed the man page in question.  I think you stopped just a little too 
soon:

> Before comparisons are made, lookup keys and table entries
> are converted from string to binary. Therefore table entries
> will be matched regardless of redundant zero characters.

I think that answers your question.  I do agree an example to make it clearer 
would be nice, so I've sent a request upstream to add that.

I'll add a link to the bug once it appears in their archive.

Scott K



Bug#832803: postfix: cidr_table(5) man page: description of IPv6 network address is incomplete

2016-07-28 Thread Vincent Lefevre
Package: postfix
Version: 3.1.0-4
Severity: minor

The cidr_table(5) man page contains:

  When  a  search  string matches the specified network block, use
  the corresponding result value. Specify 0.0.0.0/0 to match every
  IPv4 address, and ::/0 to match every IPv6 address.

  An  IPv4  network  address  is a sequence of four decimal octets
  separated by ".", and an IPv6 network address is a  sequence  of
  three to eight hexadecimal octet pairs separated by ":".

but :: is not of the form: a sequence of three to eight hexadecimal
octet pairs separated by ":". Is the standard "::" zero compression
accepted (RFC 4291) more generally?

Moreover, examples with IPv6 addresses could be added in Section
"EXAMPLE SMTPD ACCESS MAP".

-- System Information:
Debian Release: stretch/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.6.0-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages postfix depends on:
ii  adduser                3.115
ii  cpio                   2.11+dfsg-5
ii  debconf [debconf-2.0]  1.5.59
ii  dpkg                   1.18.9
ii  init-system-helpers    1.41
ii  libc6                  2.23-4
ii  libdb5.3               5.3.28-12
ii  libicu55               55.1-7
ii  libsasl2-2             2.1.26.dfsg1-15
ii  libsqlite3-0           3.13.0-1
ii  libssl1.0.2            1.0.2h-1
ii  lsb-base               9.20160629
ii  netbase                5.3
ii  ssl-cert               1.0.38

Versions of packages postfix recommends:
ii  python3  3.5.1-4

Versions of packages postfix suggests:
ii  bsd-mailx [mail-reader]  8.1.2-0.20160123cvs-3
pn  dovecot-common
ii  emacs24 [mail-reader]    24.5+1-6+local2
ii  libsasl2-modules         2.1.26.dfsg1-15
ii  mutt [mail-reader]       1.6.0-1
pn  postfix-cdb
ii  postfix-doc              3.1.0-4
pn  postfix-ldap
pn  postfix-mysql
ii  postfix-pcre             3.1.0-4
pn  postfix-pgsql
ii  procmail                 3.22-25
pn  resolvconf
pn  sasl2-bin
pn  ufw

-- debconf information excluded