We have the issue that some IPv6s were rejected by the filter, because of how the ::ffff:* IPs are defined. The concatenation in ip6FromIp4Blacklist led to entries such as ::ffff:127.0.0.0/8, which meant that all v6 IPs that start with 0x00 would be rejected (which applies to some used in our environment). The ipaddr.js library actually has native support for ::ffff:* and converts them to IPv4 addresses on parsing so the entries from ip6FromIp4Blacklist are actually not used for matching.
I added an additional test case to make sure the filter is correct.
benparsons
commented
1 year ago
We have the issue that some IPv6s were rejected by the filter, because of how the
::ffff:*IPs are defined. The concatenation inip6FromIp4Blacklistled to entries such as::ffff:127.0.0.0/8, which meant that all v6 IPs that start with 0x00 would be rejected (which applies to some used in our environment). Theipaddr.jslibrary actually has native support for::ffff:*and converts them to IPv4 addresses on parsing so the entries fromip6FromIp4Blacklistare actually not used for matching.I added an additional test case to make sure the filter is correct.