Bug#946689: munin-node: cidr_allow directive is sensitive to order when mixing IPv4 and IPv6

2019-12-14 Thread Stig Sandbeck Mathisen
Raphaël Hertzog writes:

> After a lot of tweaking, I noticed that all the "cidr_allow" for the
> IPv4 addresses have to be before the first cidr_allow for an IPv6
> address. So just sorting the rules differently like this makes it work
> as expected (at least when connecting over IPv4):

Hello,

Thanks for reporting a bug. :)

The munin-node network listener is managed by a Net::Server::Fork
instance, from the libnet-server-perl package, and the cidr_allow
parameters are passed directly to that module.

The bug report mentions you have that package "purged", so I do not want
to guess a version. The oldoldstable release from your bug report has
libnet-server-perl version 2.008-1, and the current is 2.009-1. Are you
using any of these, or a replacement?

-- 
Stig Sandbeck Mathisen
Debian Developer



Bug#946689: munin-node: cidr_allow directive is sensitive to order when mixing IPv4 and IPv6

2019-12-13 Thread Raphaël Hertzog
Package: munin-node
Version: 2.0.33-1
Severity: normal

I recently migrated my munin server and thus I updated my munin-node
configuration to allow connections from 2 servers (on IPv4 and on IPv6)
with a config like this:

# Old server
cidr_allow 212.83.177.246/32
cidr_allow 2a01:e0b:21e3:3::1/128
# New server
cidr_allow 163.172.191.75/32
cidr_allow 2001:bc8:47c0:11f::1/128

It turns out that the new server would not manage to connect to the munin
nodes. The logs were showing a message like this:
2019/12/13-21:10:02 CONNECT TCP Peer: "[:::163.172.191.75]:49184" Local: "[:::212.83.178.2]:4949"
Invalid netblock: 42.1.14.11.33.227.0.3.0.0.0.0.0.0.0.1-163.172.191.75 at /usr/share/perl5/Net/Server.pm line 600.

This made no sense to me. After a lot of tweaking, I noticed that
all the "cidr_allow" for the IPv4 addresses have to be before the first
cidr_allow for an IPv6 address. So just sorting the rules differently
like this makes it work as expected (at least when connecting over IPv4):

# Old and new, with IPv4 first and IPv6 after
cidr_allow 212.83.177.246/32
cidr_allow 163.172.191.75/32
cidr_allow 2a01:e0b:21e3:3::1/128
cidr_allow 2001:bc8:47c0:11f::1/128

-- System Information:
Debian Release: bullseye/sid
  APT prefers oldoldstable
  APT policy: (500, 'oldoldstable'), (500, 'unstable'), (500, 'testing'), (500, 'stable'), (500, 'oldstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-6-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8), LANGUAGE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages munin-node depends on:
ii  adduser              3.118
ii  gawk                 1:5.0.1+dfsg-1
ii  init-system-helpers  1.57
pn  libmunin-node-perl
pn  libnet-server-perl
ii  lsb-base             11.1.0
pn  munin-common
pn  munin-plugins-core
ii  netbase              5.8
ii  perl                 5.30.0-9
ii  procps               2:3.3.15-2+b1

Versions of packages munin-node recommends:
ii  gawk                 1:5.0.1+dfsg-1
pn  libnet-snmp-perl
pn  munin-plugins-core
pn  munin-plugins-extra
ii  procps               2:3.3.15-2+b1

Versions of packages munin-node suggests:
pn  acpi | lm-sensors
pn  default-mysql-client
ii  ethtool                           1:4.19-1
ii  hdparm                            9.58+ds-4
pn  libcache-cache-perl
ii  libcrypt-ssleay-perl              0.73.06-1+b2
pn  libdbd-mysql-perl
ii  libdbd-pg-perl                    3.10.0-2
pn  liblwp-useragent-determined-perl
pn  libnet-irc-perl
ii  libtext-csv-xs-perl               1.40-1
ii  libwww-perl                       6.43-1
ii  libxml-simple-perl                2.25-1
pn  logtail
pn  munin
pn  munin-plugins-extra
pn  munin-plugins-http
pn  munin-plugins-java
pn  munin-plugins-pgsql
pn  munin-plugins-snmp
pn  mysql-client
ii  net-tools                         1.60+git20180626.aebd88e-1
ii  python                            2.7.17-2
ii  ruby                              1:2.5.2
pn  smartmontools
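
Added example (not part of the report, and not munin or Net::Server code): a small Python diagnostic that decodes the dotted operands of the "Invalid netblock" message back into addresses and flags IPv4 cidr_allow lines that follow an IPv6 one, the ordering the report identifies as failing. The config and log line are copied from the report; all function names are hypothetical.

```python
import ipaddress
import re

# Sample input taken from the report above: the failing config and the logged error.
CONFIG = """\
# Old server
cidr_allow 212.83.177.246/32
cidr_allow 2a01:e0b:21e3:3::1/128
# New server
cidr_allow 163.172.191.75/32
cidr_allow 2001:bc8:47c0:11f::1/128
"""
LOG = ("Invalid netblock: 42.1.14.11.33.227.0.3.0.0.0.0.0.0.0.1-163.172.191.75 "
       "at /usr/share/perl5/Net/Server.pm line 600.")

def parse_rules(conf):
    """Return [(line_no, network)] for every cidr_allow directive."""
    rules = []
    for no, line in enumerate(conf.splitlines(), 1):
        m = re.match(r"\s*cidr_allow\s+(\S+)", line)
        if m:
            rules.append((no, ipaddress.ip_network(m.group(1), strict=False)))
    return rules

def decode_netblock(log_line):
    """Decode both dotted-decimal operands: 4 octets -> IPv4, 16 octets -> IPv6."""
    m = re.search(r"Invalid netblock: ([\d.]+)-([\d.]+)", log_line)
    if not m:
        return None
    return tuple(ipaddress.ip_address(bytes(int(o) for o in part.split(".")))
                 for part in m.groups())

def rule_for(rules, addr):
    """Config line number of the first rule of the same family containing addr."""
    return next((no for no, net in rules
                 if net.version == addr.version and addr in net), None)

def ipv4_after_ipv6(rules):
    """IPv4 rules placed after any IPv6 rule (the ordering reported as failing)."""
    seen_v6, late = False, []
    for no, net in rules:
        if net.version == 6:
            seen_v6 = True
        elif seen_v6:
            late.append((no, net))
    return late

if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    rule_addr, peer = decode_netblock(LOG)
    print(f"error pairs rule line {rule_for(rules, rule_addr)} ({rule_addr}) with peer {peer}")
    print("IPv4 rules after an IPv6 rule:", ipv4_after_ipv6(rules))
```

On the reported input, the decoded first operand is the IPv6 rule on config line 3, which sits ahead of the IPv4 rule on line 5 that covers the connecting peer.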