Bug 1964482 - Ipv6 IP addresses are not accepted for whitelisting
Summary: Ipv6 IP addresses are not accepted for whitelisting
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Networking
Version: 4.4
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.9.0
Assignee: Andrey Lebedev
QA Contact: Arvind iyengar
Depends On:
Blocks: 1984565
Reported: 2021-05-25 15:19 UTC by sajeel irkal
Modified: 2023-05-02 07:50 UTC (History)
7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-18 17:31:44 UTC
Target Upstream Version:

System ID Private Priority Status Summary Last Updated
Github openshift router pull 307 0 None open Bug 1964482: config template: accept IPv6 IPs for whitelisting 2021-06-17 14:12:07 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:32:03 UTC

Comment 1 Miciah Dashiel Butler Masters 2021-05-25 16:13:33 UTC
Possible fix:  https://github.com/openshift/router/pull/262

Setting severity to medium; adjust if needed.

Comment 8 Arvind iyengar 2021-06-30 08:43:59 UTC
Verified in "4.9.0-0.nightly-2021-06-29-114024" version. With this version, it is observed that the IPv6 whitelist configuration gets added in the router backend for which the annotation is applied:
oc get clusterversion                         
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.9.0-0.nightly-2021-06-29-114024   True        False         4h44m   Cluster version is 4.9.0-0.nightly-2021-06-29-114024

oc annotate route edge-route haproxy.router.openshift.io/ip_whitelist="2600:14a0::/40"
route.route.openshift.io/edge-route annotated

route config:
oc get route edge-route -o yaml                 
apiVersion: route.openshift.io/v1
kind: Route
    haproxy.router.openshift.io/hsts_header: max-age=31536000
    haproxy.router.openshift.io/ip_whitelist: 2600:14a0::/40 <-----
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-06-30T07:15:43Z"
    name: service-unsecure
  name: edge-route
  namespace: test2

Router configuration:
backend be_edge_http:test2:edge-route
  mode http
  option redispatch
  option forwardfor
  acl whitelist src 2600:14a0::/40 <---
  tcp-request content reject if !whitelist <---

  timeout check 5000ms
  http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
  http-request add-header X-Forwarded-Proto http if !{ ssl_fc }
  http-request add-header X-Forwarded-Proto https if { ssl_fc }
  http-request add-header X-Forwarded-Proto-Version h2 if { ssl_fc_alpn -i h2 }
  http-request add-header Forwarded for=%[src];host=%[req.hdr(host)];proto=%[req.hdr(X-Forwarded-Proto)]
  cookie 9e6916b23f1cdad50d8a86b48f87064e insert indirect nocache httponly secure attr SameSite=None
  http-response set-header Strict-Transport-Security 'max-age=31536000'
  server pod:web-server-rc-8lx6w:service-unsecure:http: cookie 1d739f57547fd5c0c5479298c4f8fe1d weight 256

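The verification above shows the annotation value being copied into the backend's `acl whitelist src` line, with `tcp-request content reject if !whitelist` dropping everything else. As an added illustration, not the router's own template code, the Go below validates a whitelist annotation value that mixes IPv4 and IPv6 entries (the case this bug was about) and renders those two lines; the function names and the normalisation of bare addresses to /32 and /128 are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// ParseWhitelist validates the whitespace-separated IPv4/IPv6 addresses or
// CIDR ranges of an ip_whitelist annotation value; bare addresses become /32
// or /128 prefixes. Assumed logic, not the router template's own check.
func ParseWhitelist(value string) ([]string, error) {
	var nets []string
	for _, f := range strings.Fields(value) {
		if _, n, err := net.ParseCIDR(f); err == nil {
			nets = append(nets, n.String())
			continue
		}
		ip := net.ParseIP(f)
		if ip == nil {
			return nil, fmt.Errorf("invalid whitelist entry %q", f)
		}
		if ip.To4() != nil {
			nets = append(nets, ip.String()+"/32")
		} else {
			nets = append(nets, ip.String()+"/128")
		}
	}
	if len(nets) == 0 {
		return nil, fmt.Errorf("empty whitelist")
	}
	return nets, nil
}

// RenderACL emits the two backend lines seen in the verified router config.
func RenderACL(nets []string) []string {
	return []string{
		"acl whitelist src " + strings.Join(nets, " "),
		"tcp-request content reject if !whitelist",
	}
}

func main() {
	// Constructed sample: the bug's IPv6 range plus an IPv4 range and a bare address.
	nets, err := ParseWhitelist("2600:14a0::/40 10.0.0.0/8 2001:db8::1")
	if err != nil {
		panic(err)
	}
	fmt.Println(strings.Join(RenderACL(nets), "\n"))
}
```
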
Comment 11 errata-xmlrpc 2021-10-18 17:31:44 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
