1994645 – Ipv6 IP addresses are not accepted for whitelisting

Bug 1994645 - Ipv6 IP addresses are not accepted for whitelisting

Summary: Ipv6 IP addresses are not accepted for whitelisting

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	OpenShift Container Platform
Classification:	Red Hat
Component:	Networking
Sub Component:
Version:	4.4
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	4.7.z
Assignee:	Miciah Dashiel Butler Masters
QA Contact:	Arvind iyengar
Docs Contact:
URL:
Whiteboard:
Depends On:	1984565
Blocks:
TreeView+	depends on / blocked

Reported:	2021-08-17 15:45 UTC by OpenShift BugZilla Robot
Modified:	2022-08-04 22:35 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2021-09-01 18:24:07 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	openshift router pull 325	0	None	None	None	2021-08-17 15:46:22 UTC
Red Hat Product Errata	RHSA-2021:3262	0	None	None	None	2021-09-01 18:24:17 UTC

Comment 3 Arvind iyengar 2021-08-24 05:47:53 UTC

Verified in "4.7.0-0.nightly-2021-08-19-153748" version. With this version, it is observed that the ipv6 whitelist configuration gets added in the router backend for which the annotation is applied:
------
oc get clusterversion                                  
NAME      VERSION                             AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.7.0-0.nightly-2021-08-19-153748   True        False         106m    Cluster version is 4.7.0-0.nightly-2021-08-19-153748

oc annotate route edge-route haproxy.router.openshift.io/ip_whitelist="2600:14a0::/40"
route.route.openshift.io/edge-route annotated

oc get route edge-route -o yaml                    
apiVersion: route.openshift.io/v1
kind: Route
metadata:
  annotations:
    haproxy.router.openshift.io/ip_whitelist: 2600:14a0::/40
    openshift.io/host.generated: "true"
  creationTimestamp: "2021-08-24T05:41:56Z"
  labels:
    name: service-unsecure
  name: edge-route
  namespace: test1
  resourceVersion: "57568"
  uid: a8ebaf28-e806-40e5-b8c2-29273188a6ff
spec:
  host: edge-route-test1.apps.aiyengar47bz.qe.devcluster.openshift.com
  port:
    targetPort: http


haproxy pod:
backend be_edge_http:test1:edge-route
  mode http
  option redispatch
  option forwardfor
  balance leastconn
  acl whitelist src 2600:14a0::/40
  tcp-request content reject if !whitelist <-----

  timeout check 5000ms
  http-request add-header X-Forwarded-Host %[req.hdr(host)]
  http-request add-header X-Forwarded-Port %[dst_port]
------

Comment 5 errata-xmlrpc 2021-09-01 18:24:07 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: OpenShift Container Platform 4.7.28 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3262

Note You need to log in before you can comment on or make changes to this bug.