Bug 1801407 - Router in v4v6 mode puts brackets around IPv4 addresses in the Forwarded header
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Routing
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.8.0
Assignee: Miciah Dashiel Butler Masters
QA Contact: Arvind iyengar
URL:
Whiteboard: ipv6
Depends On:
Blocks:
Reported: 2020-02-10 19:57 UTC by Miciah Dashiel Butler Masters
Modified: 2021-07-27 22:32 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-07-27 22:32:19 UTC
Target Upstream Version:



Links
System ID Private Priority Status Summary Last Updated
Github openshift router pull 83 0 None closed Bug 1801407: Omit brackets around IPv4 addresses in v4v6 mode 2021-02-16 19:13:33 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:32:36 UTC

Description Miciah Dashiel Butler Masters 2020-02-10 19:57:34 UTC
Description of problem:

In v4v6 mode, the router puts brackets around an IPv4 address in the Forwarded header.  RFC 7239 dictates that the header should have either an IPv4 address (without brackets) or an IPv6 address with brackets.

Steps to Reproduce:

1. Disable the ingress operator:

   oc -n openshift-cluster-version scale deployments/cluster-version-operator --replicas=0
   oc -n openshift-ingress-operator scale deploy/ingress-operator --replicas=0

2. Put the router in v4v6 mode:

   oc -n openshift-ingress set env deploy/router-default ROUTER_IP_V4_V6_MODE=v4v6 -c router

3. Deploy an application that echoes its headers:

   oc adm new-project test
   oc -n test create -f ~/src/github.com/openshift/origin/test/extended/testdata/router/router-http-echo-server.yaml

4. Send a request to the application:

   host="x.$(oc get ingresses.config/cluster -o 'jsonpath={.spec.domain}')"
   addr="$(dig +short "$host")"
   curl "http://$host" -H 'Host: router-headers.example.com'

Actual results:

The curl output shows an IPv4 address inside brackets:

    GET / HTTP/1.1
    User-Agent: curl/7.29.0
    Accept: */*
    Host: router-headers.example.com
    X-Forwarded-Host: router-headers.example.com
    X-Forwarded-Port: 80
    X-Forwarded-Proto: http
    Forwarded: for="[174.19.21.82]";host=router-headers.example.com;proto=http;proto-version=""
    X-Forwarded-For: 174.19.21.82


Expected results:

The forwarded header should not have brackets around an IPv4 address:

    Forwarded: for=174.19.21.82;host=router-headers.example.com;proto=http;proto-version=""

RFC 7239 permits double-quotes around the value, so the following is also acceptable:

    Forwarded: for="174.19.21.82";host=router-headers.example.com;proto=http;proto-version=""
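
Added example, not part of the bug report or of the openshift/router code: a Go check of the RFC 7239 bracket rule described above, as a backend that reads the client address from `Forwarded` for logging or access decisions might enforce it. `FormatForNode` and `ParseForNode` are hypothetical names, and the header in `main` is the one shown under "Actual results".

```go
package main

import (
	"fmt"
	"net/netip"
	"strings"
)

// FormatForNode renders an RFC 7239 for= value: IPv4 bare, IPv6 bracketed and
// double-quoted. Unmapping ::ffff:a.b.c.d to IPv4 is this example's own choice.
func FormatForNode(a netip.Addr) string {
	if a = a.Unmap(); a.Is4() {
		return a.String()
	}
	return `"[` + a.String() + `]"`
}

// ParseForNode validates the first for= pair of a Forwarded value. Assumptions:
// no port or obfuscated node, and no ";" or "," inside quoted strings.
func ParseForNode(header string) (netip.Addr, error) {
	for _, pair := range strings.Split(strings.Split(header, ",")[0], ";") {
		name, val, ok := strings.Cut(strings.TrimSpace(pair), "=")
		if !ok || !strings.EqualFold(name, "for") {
			continue
		}
		quoted := len(val) >= 2 && val[0] == '"' && val[len(val)-1] == '"'
		if quoted {
			val = val[1 : len(val)-1]
		}
		bracketed := len(val) >= 2 && val[0] == '[' && val[len(val)-1] == ']'
		if bracketed {
			val = val[1 : len(val)-1]
		}
		addr, err := netip.ParseAddr(val)
		switch {
		case err != nil:
			return netip.Addr{}, fmt.Errorf("for=%q is not an IP address", val)
		case addr.Is4() && bracketed:
			return netip.Addr{}, fmt.Errorf("IPv4 address must not be bracketed")
		case addr.Is6() && !(bracketed && quoted):
			return netip.Addr{}, fmt.Errorf("IPv6 address must be bracketed and quoted")
		}
		return addr, nil
	}
	return netip.Addr{}, fmt.Errorf("no for= parameter")
}

func main() {
	fmt.Println(ParseForNode(`for="[174.19.21.82]";host=router-headers.example.com;proto=http;proto-version=""`))
}
```

A strict parser like this rejects the header the router produced in v4v6 mode and accepts both forms listed under "Expected results".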

Comment 1 Miciah Dashiel Butler Masters 2020-05-08 20:10:47 UTC
A proposed fix is posted at https://github.com/openshift/router/pull/83, waiting to be merged.

Comment 4 Miciah Dashiel Butler Masters 2020-06-18 19:24:35 UTC
The proposed fix mentioned in comment 1 is still waiting to be merged, blocked on getting access to an IPv6 cluster for testing.

Comment 5 Miciah Dashiel Butler Masters 2020-07-09 05:12:28 UTC
The proposed fix is still blocked on testing.

Comment 6 Miciah Dashiel Butler Masters 2020-07-30 08:32:03 UTC
The proposed fix is still blocked on testing.

Comment 8 Miciah Dashiel Butler Masters 2020-08-21 05:02:48 UTC
We'll try to get the proposed fix tested this upcoming sprint.

Comment 9 Andrew McDermott 2020-09-10 11:57:23 UTC
I'm adding UpcomingSprint, because I was occupied by fixing bugs with
higher priority/severity, developing new features with higher
priority, or developing new features to improve stability at a macro
level. I will revisit this bug next sprint.

Comment 10 Miciah Dashiel Butler Masters 2020-10-02 14:29:45 UTC
We'll try to get the proposed fix merged in the upcoming sprint.

Comment 11 Miciah Dashiel Butler Masters 2020-10-26 05:31:05 UTC
We'll continue tracking this issue in the upcoming sprint.

Comment 12 Miciah Dashiel Butler Masters 2020-11-14 00:25:05 UTC
Need to investigate CI failures.  I'll investigate in the upcoming sprint.

Comment 13 Miciah Dashiel Butler Masters 2020-12-07 03:03:39 UTC
I'll investigate the CI failures in the upcoming sprint.

Comment 14 Miciah Dashiel Butler Masters 2021-02-06 00:05:44 UTC
Testing revealed a small issue in how IPv4 source addresses are reported on dualstack clusters.  The proposed fix has been updated, and we'll continue working on this in the upcoming sprint.

Comment 16 Miciah Dashiel Butler Masters 2021-02-16 05:53:19 UTC
Setting target release to 4.8.0 because this didn't make 4.7.

Comment 17 Arvind iyengar 2021-03-24 10:18:09 UTC
Verified in "4.8.0-0.nightly-2021-03-22-011000" release version. With this payload, the 'Forwarded' field now displays the ipv4 address correctly without any additional brackets: 
----
$ oc get clusterversion
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.8.0-0.nightly-2021-03-22-011000   True        False         38h     Cluster version is 4.8.0-0.nightly-2021-03-22-011000


$ oc get all
NAME                       READY   STATUS      RESTARTS   AGE
pod/header-test-1-9vw86    1/1     Running     0          116s
pod/header-test-1-deploy   0/1     Completed   0          119s

NAME                                  DESIRED   CURRENT   READY   AGE
replicationcontroller/header-test-1   1         1         1       119s

NAME                           TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/header-test-insecure   ClusterIP   172.30.181.233   <none>        8080/TCP   37s

NAME                                             REVISION   DESIRED   CURRENT   TRIGGERED BY
deploymentconfig.apps.openshift.io/header-test   1          1         1         config


$ oc expose  service/header-test-insecure
route.route.openshift.io/header-test-insecure exposed

NAME                                            HOST/PORT                                                             PATH   SERVICES               PORT   TERMINATION   WILDCARD
route.route.openshift.io/header-test-insecure   header-test-insecure-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com          header-test-insecure   http                 None


$ curl header-test-insecure-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
<pre>
  user-agent: curl/7.61.1
  accept: */*
  host: header-test-insecure-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
  x-forwarded-host: header-test-insecure-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com
  x-forwarded-port: 80
  x-forwarded-proto: http
  forwarded: for=192.168.123.1;host=header-test-insecure-test.apps.ocp-edge-cluster-0.qe.lab.redhat.com;proto=http
  x-forwarded-for: 192.168.123.1
----

Comment 19 Brandi Munilla 2021-06-24 16:51:02 UTC
Hi, does this bug require doc text? If so, please update the doc text field.

Comment 22 errata-xmlrpc 2021-07-27 22:32:19 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438

