Hi!

On Tue, Jul 17, 2018 at 01:39:38PM +0200, Lukas Tribus wrote:
> Hello Tim,
> 
> 
> On Fri, 29 Jun 2018 at 21:00, Tim Duesterhus <t...@bastelstu.be> wrote:
> >
> > This patch changes the sending side of proxy protocol to convert IP
> > addresses to IPv4 when possible (and converts them to IPv6 otherwise).
> >
> > Previously the code failed to properly provide information under
> > certain circumstances:
> >
> > 1. haproxy is being accessed using IPv4, http-request set-src sets
> >    an IPv6 address.
> > 2. haproxy is being accessed using IPv6, http-request set-src sets
> >    an IPv4 address.
> > 3. haproxy listens on `::` with v4v6 and is accessed using IPv4:
> >    It would send a TCP6 line, instead of a proper TCP4 line, because
> >    the IP addresses are represented as a mapped IPv4 address internally.
> >
> > Once correctness of this patch has been verified it should be evaluated
> > whether it should be backported, as (1) and (2) are bugs. (3) is an
> > enhancement.
> 
> Thanks for this, just a comment about nr 3:
> 
> A backend may rely on v4-mapped addresses for various reasons, consider
> a backend that to simplify its handling of IP addresses only handles
> IPv6 and expects IPv4 addresses to be mapped.
> Also consider that to send native v4 addresses the admin only has to
> make a small adjustment in the bind configuration.
> 
> So since this would be a breaking change, and that the admin can
> easily reconfigure the bind line any time, I would advise against this
> and vote for maintaining the current behavior (where the bind
> configuration controls this behavior).

I must say I'm a bit reluctant about this change for the same reasons.
What I would suggest would be to only "upgrade" the addresses to IPv6
if either side already is on IPv6, but never downgrade from IPv6 to
IPv4 since v6-mapped v4 addresses can exist on both sides for a valid
reason.

I don't know what ppv2 does in this situation where source and destination
are in different classes, because initially it was not expected to happen
and this became possible after we introduced set-src :-/

Also I suspect we can have similar issues with unix domain sockets. Let's
say we have a listener on /var/haproxy-sockets/foo which accepts a
connection on which we do a set-src. I don't really know what happens
in this case if we want to send a PP header. Maybe we'd need to improve
the PP spec to be able to mention only one side when the other one is
unknown, though that would obviously not solve the case Tim tried to
address above.

Cheers,
Willy
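
Added example (not part of this thread and not HAProxy code): a sketch in C of the "upgrade only" rule suggested in the reply above, applied to a PROXY protocol v1 line. The function names `parse` and `pp1_line` and the sample addresses are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>

/* Parse a literal (constructed sample input). Returns -1 if it is not an IP
 * address, standing in for a side with no IP such as a unix socket path. */
static int parse(const char *ip, int *family, struct in6_addr *out)
{
    struct in_addr v4;

    memset(out, 0, sizeof(*out));
    if (inet_pton(AF_INET, ip, &v4) == 1) {
        /* keep the v4-mapped form ::ffff:a.b.c.d ready for an upgrade */
        out->s6_addr[10] = out->s6_addr[11] = 0xff;
        memcpy(&out->s6_addr[12], &v4, 4);
        *family = AF_INET;
    } else if (inet_pton(AF_INET6, ip, out) == 1) {
        *family = AF_INET6;
    } else {
        return -1;
    }
    return 0;
}

/* PROXY v1 line under the "upgrade only" rule: TCP4 only when both sides are
 * AF_INET, otherwise both are sent as IPv6 and an AF_INET6 side (including a
 * v4-mapped one) is never downgraded. Returns NULL if a side has no IP. */
const char *pp1_line(const char *src, unsigned sp, const char *dst, unsigned dp)
{
    static char buf[128];
    char s[INET6_ADDRSTRLEN], d[INET6_ADDRSTRLEN];
    struct in6_addr a, b;
    int fa, fb;

    if (parse(src, &fa, &a) < 0 || parse(dst, &fb, &b) < 0)
        return NULL;
    if (fa == AF_INET && fb == AF_INET) {
        inet_ntop(AF_INET, &a.s6_addr[12], s, sizeof(s));
        inet_ntop(AF_INET, &b.s6_addr[12], d, sizeof(d));
    } else {
        inet_ntop(AF_INET6, &a, s, sizeof(s));
        inet_ntop(AF_INET6, &b, d, sizeof(d));
    }
    snprintf(buf, sizeof(buf), "PROXY TCP%c %s %s %u %u\r\n",
             (fa == AF_INET && fb == AF_INET) ? '4' : '6', s, d, sp, dp);
    return buf;
}
```

A backend that applies address-based ACLs or logging to the PROXY header sees the same v4-mapped form it already received from a `::` listener, while the mixed-family cases created by set-src produce a consistent TCP6 line.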
