{"id":1234,"date":"2013-06-15T16:52:15","date_gmt":"2013-06-15T15:52:15","guid":{"rendered":"http:\/\/www.michaelm.info\/blog\/?p=1234"},"modified":"2013-06-15T16:52:44","modified_gmt":"2013-06-15T15:52:44","slug":"ubuntu-precises-apt-cacher-1-7-3-ipv4ipv6-allowed_hosts-bug","status":"publish","type":"post","link":"http:\/\/www.michaelm.info\/blog\/?p=1234","title":{"rendered":"Ubuntu Precise&#8217;s apt-cacher 1.7.3 IPv4\/IPv6 allowed_hosts bug"},"content":{"rendered":"<p>Well &#8211; this one stung a little and took a few mins to come up with a work around. The apt-cacher included with Ubuntu Precise 12.04 is at version 1.7.3. Unfortunately this version of apt-cacher has a bug when using the &#8220;allowed_hosts&#8221;\u00a0\/etc\/apt-cacher\/apt-cacher.conf\u00a0parameter\u00a0to restrict access to IPv4 clients when running on a machine with an IPv6 enabled network stack. There is a Debian bug report at\u00a0<a title=\"Debian bug 659669\" href=\"http:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=659669\" target=\"_blank\">http:\/\/bugs.debian.org\/cgi-bin\/bugreport.cgi?bug=659669<\/a>. This bug is fixed, apparently, in apt-cacher 1.7.4.<\/p>\n<p>Due to the nature of the dual IPv4\/IPv6 stack the apt-cacher code fails to correctly compare IPv4 addresses in the allowed_hosts access list, resulting in clients receiving HTTP 403 errors when trying to use the cache. One workaround is to use &#8220;allowed_hosts = *&#8221;, \u00a0which allows all clients to use the cache, coupled with an IPTables rule to restrict access.<\/p>\n<p>The workaround I am testing, which appears to work, is to use the IPv4 mapped IPv6 addressing notation for the access list. This form of notation is described <a title=\"IPv4 mapped IPv6 addresses on Wikipedia\" href=\"http:\/\/en.wikipedia.org\/wiki\/IPv6#IPv4-mapped_IPv6_addresses\" target=\"_blank\">here<\/a>\u00a0and <a title=\"IPv4 mapped IPv6\" href=\"http:\/\/www.tcpipguide.com\/free\/t_IPv6IPv4AddressEmbedding-2.htm\" target=\"_blank\">here<\/a>.\u00a0In this notation the IPv4 address 10.1.2.3 is represented as ::ffff:10.1.2.3. We can use slash notation to indicate a subnet mask. So with IPv6 addresses being 128 bit &#8211; we could represent this example IP address as\u00a0::ffff:10.1.2.3\/128. For a standard IPv4 255.255.255.0 mask on this example network, which is 8 bits for the host portion, we use a &#8220;\/24&#8221; for IPv4 notation and can use &#8220;\/120&#8221; for IPv6 nation. This would be\u00a0::ffff:10.1.2.0\/120.<\/p>\n<p>So, for example, if we originally wanted an allowed_hosts for apt-cacher of:<\/p>\n<p style=\"padding-left: 30px;\">allowed_hosts = 10.11.12.0\/24, 10.32.0.0\/16, 10.128.0.0\/15, 10.250.1.1\/32<\/p>\n<p>we could replace it with<\/p>\n<p style=\"padding-left: 30px;\">allowed_hosts = ::ffff:10.11.12.0\/120, ::ffff:10.32.0.0\/112, ::ffff:10.128.0.0\/111, ::ffff:10.250.1.1\/128<\/p>\n<p>to work around this bug.<\/p>\n<p>This appears to work with the limited testing I did. Of course, it would be preferable if the Ubuntu apt-cacher package was upgraded to one which actually works on a default Ubuntu 12.04 install \ud83d\ude42<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Well &#8211; this one stung a little and took a few mins to come up with a work around. The apt-cacher included with Ubuntu Precise 12.04 is at version 1.7.3. Unfortunately this version of apt-cacher has a bug when using the &#8220;allowed_hosts&#8221;\u00a0\/etc\/apt-cacher\/apt-cacher.conf\u00a0parameter\u00a0to restrict access to IPv4 clients when running on a machine with an IPv6 [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[12],"tags":[126,125,95],"class_list":["post-1234","post","type-post","status-publish","format-standard","hentry","category-technical","tag-apt-cacher","tag-ubuntu","tag-workaround"],"_links":{"self":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1234","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1234"}],"version-history":[{"count":4,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1234\/revisions"}],"predecessor-version":[{"id":1237,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=\/wp\/v2\/posts\/1234\/revisions\/1237"}],"wp:attachment":[{"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1234"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1234"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.michaelm.info\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1234"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}