Bug 538421

Summary: Default configuration doesn't contain acls for IPv6
Product: [Fedora] Fedora
Component: squid
Version: 12
Hardware: All
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: low
Reporter: Matthew Booth <mbooth>
Assignee: Henrik Nordström <henrik>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: henrik, jonathansteffan, jskala, mnagy
Fixed In Version: squid-3.1.3-2.fc12
Doc Type: Bug Fix
Last Closed: 2010-06-01 18:21:22 UTC

Description Matthew Booth 2009-11-18 14:46:29 UTC
Description of problem:
The default squid configuration in F12 contains the following:

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

The default /etc/hosts in F12 contains the following:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 t500.mbooth
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 t500.mbooth

This means that any client connecting to 'localhost' will fail if it selects an IPv6 address, but not if it selects an IPv4 address. yum seems to select an IPv6 address by default.

The squid documentation for acl:

http://www.squid-cache.org/Doc/config/acl/

suggests the following minimum configuration:

acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

Adding the missing lines to the default configuration fixes the problem.

Version-Release number of selected component (if applicable):
squid-3.1.0.14-1.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start squid with default config
2. Add 'proxy=http://localhost:3128/' to /etc/yum.conf
3. Perform any yum operation which has to go to the network
  
Actual results:
1258555476.725      0 ::1 TCP_DENIED/403 3713 GET ftp://ftp6.linux.cz/pub/linux/fedora/linux/releases/12/Everything/x86_64/os/Packages/tuxpaint-0.9.20-3.fc11.x86_64.rpm - NONE/- text/html

Expected results:
Cached yum repo.

Additional info:
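
The mismatch between the IPv4-only src ACLs and an IPv6 client can be checked mechanically. The following Python sketch is an added example, not part of the original report or of squid; it handles only `acl NAME src` lines with plain addresses or CIDR networks, and the function names and the fe80::1 sample client are assumptions made for illustration.

```python
import ipaddress

# ACL lines of the F12 default configuration, as quoted in the report.
F12_DEFAULT = """\
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
"""

# The same config plus the two IPv6 localnet lines quoted from the squid docs.
WITH_DOC_LOCALNET = F12_DEFAULT + """\
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines
"""

def parse_src_acls(conf):
    """Return {acl_name: [ip_network, ...]} for every 'acl NAME src ...' line."""
    acls = {}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()   # drop trailing comments
        if len(fields) < 4 or fields[0] != "acl" or fields[2] != "src":
            continue
        for token in fields[3:]:
            try:
                net = ipaddress.ip_network(token, strict=False)
            except ValueError:
                continue  # address ranges, "all", file includes: out of scope
            acls.setdefault(fields[1], []).append(net)
    return acls

def matching_acls(conf, client):
    """Names of the src ACLs that a given client address falls into."""
    addr = ipaddress.ip_address(client)
    return sorted(name for name, nets in parse_src_acls(conf).items()
                  if any(addr.version == n.version and addr in n for n in nets))

def ipv4_only_acls(conf):
    """Names of src ACLs that list no IPv6 network at all."""
    return sorted(name for name, nets in parse_src_acls(conf).items()
                  if all(n.version == 4 for n in nets))

if __name__ == "__main__":
    for client in ("127.0.0.1", "::1"):
        print(client, "->", matching_acls(F12_DEFAULT, client) or "no src ACL")
    print("IPv4-only ACLs:", ipv4_only_acls(F12_DEFAULT))
```

An ACL name reported by `ipv4_only_acls` cannot match a client that connects over IPv6, such as the `::1` source in the access.log line above.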

Comment 1 Henrik Nordström 2009-11-18 16:07:08 UTC
Already fixed upstream, pending release of 3.1.0.15.

Comment 2 Fedora Update System 2010-05-14 06:45:53 UTC
squid-3.1.3-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc13

Comment 3 Fedora Update System 2010-05-14 06:47:56 UTC
squid-3.1.3-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc12

Comment 4 Fedora Update System 2010-05-15 20:19:25 UTC
squid-3.1.3-2.fc12 has been pushed to the Fedora 12 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update squid'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc12

Comment 5 Fedora Update System 2010-05-15 20:38:39 UTC
squid-3.1.3-2.fc13 has been pushed to the Fedora 13 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update squid'
You can provide feedback for this update here: http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc13

Comment 6 Fedora Update System 2010-06-01 18:21:00 UTC
squid-3.1.3-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-06-01 18:25:32 UTC
squid-3.1.3-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.