Bug 538421 - Default configuration doesn't contain acls for IPv6
Summary: Default configuration doesn't contain acls for IPv6
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: squid
Version: 12
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: Henrik Nordström
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2009-11-18 14:46 UTC by Matthew Booth
Modified: 2010-06-01 18:25 UTC

Fixed In Version: squid-3.1.3-2.fc12
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2010-06-01 18:21:22 UTC



Description Matthew Booth 2009-11-18 14:46:29 UTC
Description of problem:
The default squid configuration in F12 contains the following:

acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network

The default /etc/hosts in F12 contains the following:

127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4 t500.mbooth
::1         localhost localhost.localdomain localhost6 localhost6.localdomain6 t500.mbooth

This means that any client connecting to 'localhost' will fail if it selects an IPv6 address, but not if it selects an IPv4 address. yum seems to select an IPv6 address by default.

The squid documentation for acl:

http://www.squid-cache.org/Doc/config/acl/

suggests the following minimum configuration:

acl localnet src 10.0.0.0/8	# RFC1918 possible internal network
acl localnet src 172.16.0.0/12	# RFC1918 possible internal network
acl localnet src 192.168.0.0/16	# RFC1918 possible internal network
acl localnet src fc00::/7   # RFC 4193 local private network range
acl localnet src fe80::/10  # RFC 4291 link-local (directly plugged) machines

Adding the missing lines to the default configuration fixes the problem.

Version-Release number of selected component (if applicable):
squid-3.1.0.14-1.fc12.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Start squid with default config
2. Add 'proxy=http://localhost:3128/' to /etc/yum.conf
3. Perform any yum operation which has to go to the network
  
Actual results:
1258555476.725      0 ::1 TCP_DENIED/403 3713 GET ftp://ftp6.linux.cz/pub/linux/fedora/linux/releases/12/Everything/x86_64/os/Packages/tuxpaint-0.9.20-3.fc11.x86_64.rpm - NONE/- text/html

Expected results:
Cached yum repo.

Additional info:
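
Added example, not part of the original report and not Squid or Fedora code: a small Python audit that reads the `acl ... src` lines and the access.log entry quoted above and lists denied clients that no source ACL covers, together with the IP versions the configuration does define. The function names and the second log line are constructed for illustration, and only plain address or CIDR tokens are parsed.

```python
import ipaddress

# ACL lines and the first log entry are quoted from the report; the second entry is constructed.
DEFAULT_CONF = """\
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8 0.0.0.0/32
acl localnet src 10.0.0.0/8     # RFC1918 possible internal network
acl localnet src 172.16.0.0/12  # RFC1918 possible internal network
acl localnet src 192.168.0.0/16 # RFC1918 possible internal network
"""
ACCESS_LOG = (
    "1258555476.725      0 ::1 TCP_DENIED/403 3713 GET ftp://ftp6.linux.cz/pub/linux/fedora/linux/releases/12/Everything/x86_64/os/Packages/tuxpaint-0.9.20-3.fc11.x86_64.rpm - NONE/- text/html\n"
    "1258555480.101     12 127.0.0.1 TCP_MISS/200 5120 GET http://example.invalid/a.rpm - DIRECT/192.0.2.10 text/html\n"  # constructed
)


def parse_src_acls(conf):
    """Return {acl_name: [ip_network, ...]} for every 'acl NAME src ...' line."""
    acls = {}
    for line in conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4 and fields[0] == "acl" and fields[2] == "src":
            for token in fields[3:]:
                try:
                    net = ipaddress.ip_network(token, strict=False)
                except ValueError:
                    continue  # address ranges and file references are out of scope here
                acls.setdefault(fields[1], []).append(net)
    return acls


def uncovered_denials(conf, log):
    """List (client, ip_versions_with_src_acls) for denied clients that no src ACL matches."""
    acls = parse_src_acls(conf)
    nets = [n for group in acls.values() for n in group]
    families = sorted({n.version for n in nets})
    findings = []
    for entry in log.splitlines():
        fields = entry.split()
        if len(fields) < 4 or not fields[3].startswith("TCP_DENIED/"):
            continue
        client = ipaddress.ip_address(fields[2])
        # Only networks of the client's own IP version can contain it.
        if not any(client.version == n.version and client in n for n in nets):
            findings.append((str(client), families))
    return findings
```

For the inputs above, `uncovered_denials(DEFAULT_CONF, ACCESS_LOG)` reports `::1` as denied and uncovered, with IPv4 as the only address family present in the source ACLs.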

Comment 1 Henrik Nordström 2009-11-18 16:07:08 UTC
Already fixed upstream, pending release of 3.1.0.15.

Comment 2 Fedora Update System 2010-05-14 06:45:53 UTC
squid-3.1.3-2.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc13

Comment 3 Fedora Update System 2010-05-14 06:47:56 UTC
squid-3.1.3-2.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc12

Comment 4 Fedora Update System 2010-05-15 20:19:25 UTC
squid-3.1.3-2.fc12 has been pushed to the Fedora 12 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update squid'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc12

Comment 5 Fedora Update System 2010-05-15 20:38:39 UTC
squid-3.1.3-2.fc13 has been pushed to the Fedora 13 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update squid'.  You can provide feedback for this update here: http://admin.fedoraproject.org/updates/squid-3.1.3-2.fc13

Comment 6 Fedora Update System 2010-06-01 18:21:00 UTC
squid-3.1.3-2.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 7 Fedora Update System 2010-06-01 18:25:32 UTC
squid-3.1.3-2.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.

