Henrik Nordstrom wrote:
There is a Fedora user request for proper support of odd netmasks in IP
acls: https://bugzilla.redhat.com/show_bug.cgi?id=470709

Quote from Fedora bug report:

        Any valid network mask should be usable, especially as there
        appears to be an increasing tendency for very large corporations
        to deliberately choose odd IP address combinations in an effort
        to frustrate people who legitimately wish to secure their
        computers.

Which is counter to our plan of removing support for "odd" netmasks.

Any comments or suggestions?

1) Odd netmasks break Internet routing table design. This is a minor issue in IPv4, but with IPv6 space being larger it becomes a critical flaw.

2) Netmasks are a deprecated Internet protocol. CIDR, the replacement, is 15 years old as an RFC. Time for the non-conformists to upgrade both their topology and security systems.

3) Keeping and passing old-style netmasks doubles the Squid memory usage for mask info addresses. The netmask deprecation goal was solely to reduce that footprint.


The bug report as such is about things failing silently when odd
netmasks are used.

Easy enough to make it noisy :-)


My suggestion is that we continue supporting odd netmasks, but move
these to a linked list, parallel to the splay tree, giving the IP
matches a dual personality of both splay tree and linked list based on
the type of element added.

A lot of complication to placate people who are breaking the Internet routing scheme for their own flawed attempts at security.

Such netmask foolery is already supported and can be implemented with nested CIDR rules for ACL. It's just a highly complicated config for the fools who try it.

The problem only pops up for config entries which are a single mask (ie wccp router mask, client IP mask).

Amos
--
Please be using
  Current Stable Squid 2.7.STABLE5 or 3.0.STABLE10
  Current Beta Squid 3.1.0.1

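An added worked example (editor's code, not Squid's and not from either poster) of the two points made in this thread: the address math behind an "odd" (non-contiguous) netmask, the silent mis-parse that the Fedora report complains about, and the expansion of such a mask into the flat list of CIDR blocks that Amos says can express the same match with ordinary ACL entries. The example uses a flat enumeration rather than nested allow/deny rules, since the two are equivalent for a single `src` match; the network and mask values are constructed inputs, the `acl <name> src <ip/mask>` line form is Squid's standard ACL syntax, and nothing here reproduces Squid's splay-tree internals.

```python
"""Non-contiguous ("odd") IPv4 netmasks vs. CIDR prefixes.

Added example. Sample networks and masks are constructed, not taken
from the bug report; the ACL line form is Squid's standard
"acl <name> src <ip/mask>" syntax, but nothing else is Squid code.
"""
import ipaddress
from itertools import product
from typing import List

BITS = 32


def _as_int(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def mask_is_contiguous(mask: str) -> bool:
    """True when the mask is a run of ones followed by zeros (a CIDR mask).

    Inverting such a mask gives 2^k - 1, which shares no bits with 2^k.
    This is the check an ACL parser should make before treating a mask
    as a prefix length; an odd mask must be rejected loudly, not guessed.
    """
    inv = (~_as_int(mask)) & ((1 << BITS) - 1)
    return inv & (inv + 1) == 0


def matches(addr: str, network: str, mask: str) -> bool:
    """Literal netmask semantics: match if (addr & mask) == (network & mask)."""
    m = _as_int(mask)
    return (_as_int(addr) & m) == (_as_int(network) & m)


def naive_cidr(network: str, mask: str) -> str:
    """The silent failure mode: derive a prefix length by counting one bits.

    For 255.255.0.255 this yields /24, which matches a different set of
    addresses than the mask asked for, with no error raised anywhere.
    """
    prefix = bin(_as_int(mask)).count("1")
    return str(ipaddress.ip_network(f"{network}/{prefix}", strict=False))


def expand_to_cidr(network: str, mask: str) -> List[str]:
    """Expand network/mask (any mask) into an equivalent list of CIDR blocks.

    The trailing run of zero bits in the mask becomes the host part of
    every block. Each remaining zero bit above that run is a wildcard
    that must be enumerated, so an odd mask with w such bits yields 2^w
    blocks. A contiguous mask has w == 0 and yields exactly one block.
    """
    m = _as_int(mask)
    if m == 0:
        return ["0.0.0.0/0"]
    base = _as_int(network) & m
    trailing = (m & -m).bit_length() - 1       # index of lowest set bit
    prefix_len = BITS - trailing
    # Wildcard bits in descending order so the output comes out sorted:
    # itertools.product varies its last element fastest.
    free_bits = [i for i in range(BITS - 1, trailing - 1, -1)
                 if not (m >> i) & 1]
    blocks = []
    for combo in product((0, 1), repeat=len(free_bits)):
        value = base
        for bit, on in zip(free_bits, combo):
            if on:
                value |= 1 << bit
        blocks.append(f"{ipaddress.IPv4Address(value)}/{prefix_len}")
    return blocks


def cidr_covers(addr: str, blocks: List[str]) -> bool:
    """Membership test against a list of CIDR blocks (what a CIDR-only ACL sees)."""
    a = ipaddress.IPv4Address(addr)
    return any(a in ipaddress.ip_network(b) for b in blocks)


def squid_acl_lines(name: str, blocks: List[str]) -> List[str]:
    """Render the expansion as plain 'acl <name> src <ip/mask>' config lines."""
    return [f"acl {name} src {b}" for b in blocks]


if __name__ == "__main__":
    net, odd = "10.1.0.1", "255.255.0.255"     # constructed example
    print("contiguous:", mask_is_contiguous(odd))
    print("naive prefix guess:", naive_cidr(net, odd))
    blocks = expand_to_cidr(net, odd)
    print(f"{len(blocks)} CIDR blocks, first {blocks[0]}, last {blocks[-1]}")
    for probe in ("10.1.50.1", "10.1.0.200"):
        print(probe, "mask:", matches(probe, net, odd),
              "expanded:", cidr_covers(probe, blocks),
              "naive /24:", cidr_covers(probe, [naive_cidr(net, odd)]))
    print("\n".join(squid_acl_lines("odd_hosts", blocks[:3])), "...")
```

The two probes show why a silent guess is worse than a rejected config: 10.1.50.1 is a legitimate match under 255.255.0.255 but is outside the guessed /24, while 10.1.0.200 is not a match under the mask yet falls inside the /24. The expanded block list agrees with the literal mask in both cases, at the cost of 256 ACL entries, which is the "highly complicated config" trade-off described above.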