
[core] server.v4mapped option

For IPv6 listen addresses:
server.v4mapped = "disable" results in IPV6_V6ONLY socket opt set to 0
server.v4mapped = "enable"  results in IPV6_V6ONLY socket opt set to 1

server.v4mapped has an effect only if explicitly set in lighttpd.conf.
If not set, the socket option is inherited from kernel defaults, which
may vary on different OS.

server.v4mapped takes priority over server.set_v6only

server.set_v6only behavior is inconsistent and deprecated.
server.set_v6only behavior differs from server.v4mapped in that
server.set_v6only = "enable" will cause the IPV6_V6ONLY socket
option to be set to 1 for IPv6 listening sockets configured via
$SERVER["socket"] in lighttpd.conf, is enabled by default, and
has no effect if set to "disable"

Note: IPv4-mapped addresses may bring potential security issues,
depending on the situation.  For example, lighttpd does not attempt
to match IPv4 addresses with IPv4-mapped addresses.  Other writings:
https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02.html
Glenn Strauss 2 years ago
commit
025f2d0dad
  1. 17
      src/network.c

17
src/network.c

@ -145,6 +145,7 @@ typedef struct {
unsigned char use_ipv6;
unsigned char set_v6only; /* set_v6only is only a temporary option */
unsigned char defer_accept;
int8_t v4mapped;
const buffer *socket_perms;
const buffer *bsd_accept_filter;
} network_socket_config;
@ -178,6 +179,9 @@ static void network_merge_config_cpv(network_socket_config * const pconf, const
case 6: /* server.set-v6only */
pconf->set_v6only = (0 != cpv->v.u);
break;
case 7: /* server.v4mapped */
pconf->v4mapped = (0 != cpv->v.u);
break;
default:/* should not happen */
return;
}
@ -243,6 +247,9 @@ static int network_server_init(server *srv, network_socket_config *s, buffer *ho
"update your config to have different sockets for ipv4 and ipv6");
}
}
if (AF_INET6 == family && -1 != s->v4mapped) { /*(configured; -1 is unset)*/
set_v6only = (s->v4mapped ? -1 : 0);
}
#endif
network_host_normalize_addr_str(host_token, &addr);
@ -330,17 +337,17 @@ static int network_server_init(server *srv, network_socket_config *s, buffer *ho
log_perror(srv->errh, __FILE__, __LINE__, "socket");
return -1;
}
}
#ifdef HAVE_IPV6
if (set_v6only && -1 == stdin_fd) {
int val = 1;
if (set_v6only) {
int val = (set_v6only > 0);
if (-1 == setsockopt(srv_socket->fd, IPPROTO_IPV6, IPV6_V6ONLY, &val, sizeof(val))) {
log_perror(srv->errh, __FILE__, __LINE__, "setsockopt(IPV6_V6ONLY)");
return -1;
}
}
#endif
}
/* */
srv->cur_fds = srv_socket->fd;
@ -556,6 +563,9 @@ int network_init(server *srv, int stdin_fd) {
,{ CONST_STR_LEN("server.set-v6only"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
,{ CONST_STR_LEN("server.v4mapped"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
#if 0 /* TODO: more integration needed ... */
,{ CONST_STR_LEN("mbedtls.engine"),
T_CONFIG_BOOL,
@ -588,6 +598,7 @@ int network_init(server *srv, int stdin_fd) {
p->defaults.defer_accept = 0;
p->defaults.use_ipv6 = 0;
p->defaults.set_v6only = 1;
p->defaults.v4mapped = -1; /*(-1 for unset; not 0 or 1)*/
/* initialize p->defaults from global config context */
if (p->nconfig > 0 && p->cvlist->v.u2[1]) {
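Review bot: In network_server_init, `server.v4mapped = "disable"` never reaches setsockopt(): the added `set_v6only = (s->v4mapped ? -1 : 0);` yields 0 for the disable case, and the later `if (set_v6only)` guard then skips the IPV6_V6ONLY call, so the listener keeps the kernel default and any value previously derived from server.set-v6only is discarded. On systems whose default permits dual-stack sockets, an operator who disabled v4mapped to keep IPv4-mapped peers away from address-based rules would still accept them. Suggest `set_v6only = (s->v4mapped ? -1 : 1);` so that "disable" sets the option to 1. The commit message also lists the enable/disable values the other way round from what `val = (set_v6only > 0)` produces for "enable" (0), so one of the two needs correcting. The declaration and earlier assignments of set_v6only lie outside the visible hunks, so confirm against the full function.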
