IPv6 hosts allow|deny

Mon Jan 20 17:36:00 EST 2003

On Mon, 20 Jan 2003, Dave Dykstra wrote:

> On Fri, Jan 17, 2003 at 12:31:26AM +0100, Bert Vermeulen wrote:
> > On Mon, 13 Jan 2003, Dave Dykstra wrote:
> >
> > > I don't understand enough how that syntax works in order to be able
> > > to write an explanation for people.  Could you please try to write
> > > something up based on the current version checked in to CVS?
> >
> > Here's a patch for the manpage:
> >
> > 	http://biot.com/patches/rsync-ipv6-acl-doc.patch
>
> I have never been introduced to IPv6 addresses before and there are some
> things about your documentation that baffle me.  Perhaps I just need to
> be educated a little, or perhaps it would be useful to include a little
> more explnation in the documentation.
>
> Your patch includes this:
> > -  it() a dotted decimal IP address of the form a.b.c.d for IPv4 and
> > -  a.b.c.d.e.f for IPv6. In this case the incoming machine's IP address
> > +  it() a dotted decimal IPv4 address of the form a.b.c.d, or an IPv6 address
> > +  of the form a:b:c::d:e:f. In this case the incoming machine's IP address
> >    must match exactly.
>
> Why is there a blank field between "c" and "d"?    Do you think you
> should you say something about the fields being hexadecimal for IPv6,
> or is that obvious to anyone who has seen IPv6 addresses before?

What Hideaki said, RFC 2373 describes the address format for IPv6.

But yes, if you've ever dealt with IPv6, certainly this is obvious. I don't
think it really needs explaining in the rsync docs as such...  If you have
IPv6 working on the machine, you pretty much already know the address
format.

Anyway, briefly... :: denotes a number of 0 values, it's an abbreviation.
You can only do this once per IPv6 address. It's exactle the same as writing
this:

	000a:000b:000c:0000:0000:000d:000e:000f

So you can see how a:b:c::d:e:f is easier to type. This is standardized
stuff, so you're guaranteed to be able to type that into anything that
parses IPv6 addresses.

> Your patch also includes this:
> > +  it() an address/mask in the form ipaddr/n where ipaddr is the IP address
> > +  and n is the number of one bits in the netmask.  All IP addresses which
> > +  match the masked IP address will be allowed in.
> > +
> > +  it() an address/mask in the form ipaddr/maskaddr where ipaddr is the
> > +  IP address and maskaddr is the netmask in dotted decimal notation for IPv4,
> > +  or similar for IPv6, e.g. ffff:ffff:ffff:ffff:: instead of /64. All IP
> > +  addresses which match the masked IP address will be allowed in.
>
>
> How come a mask includes 4 fields followed by 2 blanks?   What do you
> mean by "/64"?

The /64 is just CIDR notation as used in IPv4 as well, i.e. the number of 1
bits in the network mask. In IPv4, they go up to 32, where a /32 means a
host. With IPv6, they go up to /128 for a host, however /64 is the
"standard" netmask for a subnet.

> Your patch also has this addition:
> > +Note IPv6 link-local addresses can have a scope in the address specification:
> > +
> > +quote(fe80::1%eth0)
> > +quote(fe80::%eth0/64)
> > +quote(fe80::%eth0/ffff:ffff:ffff:ffff::)
>
> What's a link-local address?

An address that is only valid for a certain link, i.e. only reachable
through that interface. Thus the special prefix (fe80) -- and naturally,
those are only useful if you specify the interface as well, as you might
have the same link-local address on two different interfaces.

> What's a scope?

In the case of a link-local address, the scope of an interface would be the
subnet behind it.

> I think I get that the parts after the '/' are masks, but what does it
> mean to have just two colons in the address, with one field blank and the
> third one either 1%eth0 or %eth0?

The 1 is the last part of the address. It goes on until the "%", which
denotes the start of the interface specification. The "/64" after the
interface is indeed the netmask.

Bert Vermeulen
bert at biot.com
--
Profanity is the inevitable linguistic crutch of the inarticulate motherfucker.