IPV6

[Mads Kiilerich]

On 07/09/2018 09:43 AM, Nicolas Pinault wrote:
> Le 07/07/2018 à 14:19, Mads Kiilerich a écrit :
>> On 07/06/2018 04:35 PM, Nicolas Pinault wrote:
>>> Hi Mads,
>>>
>>> Le 23/03/2018 à 00:55, Mads Kiilerich a écrit :
>>>> On 03/22/2018 02:58 PM, Nicolas Pinault wrote:
>>>>> Hi,
>>>>>
>>>>> Is there a way to make kallithea serve on IPV6 only or, IPV4 and 
>>>>> IPV6?
>>>>
>>>> I am not aware of anything that should be IPv4 specific. But I also 
>>>> haven't tried IPv6.
>>>>
>>>> I guess it just works if using Apache and mod_wsgi.
>>>>
>>>> The waitress version we default to use for `gearbox serve` doesn't 
>>>> support IPv6.
>>>>
>>>> A quick test on our default branch shows that it seems to work on 
>>>> IPv6 if you edit setup.py to "waitress>=0.8.8,<2.0" to get 
>>>> something like waitress 1.1 and edit your .ini to host = * .
>>>>
>>>> With reports of Waitress 1.1 (and review of their release note) we 
>>>> can make that version the default.
>>> I finally had some time to try your solution.
>>> I didn't reinstalled all after modifying setup.py.
>>>
>>> I upgraded waitress directly with :
>>> pip install --upgrade "waitress>=0.8.8,<2.0"
>>>
>>> I then modified METADATA and metadata.json files located in 
>>> Kallithea-0.3.5.dist-info directory to set the ">=0.8.8,<2.0" pattern.
>>>
>>> Kallithea launches and remote client accesses it.
>>> However, Kallithea crashes on first access.
>>>   File "d:\kallithea\env\lib\site-packages\kallithea\lib\auth.py", 
>>> line 1336, in
>>>  check_ip_access
>>>     if ipaddr.IPAddress(source_ip) in ipaddr.IPNetwork(ip):
>>>   File "d:\kallithea\env\lib\site-packages\kallithea\lib\ipaddr.py", 
>>> line 76, in
>>>  IPAddress
>>>     address)
>>> ValueError: 'fe80::acaf:647b:6b31:70b8%13' does not appear to be an 
>>> IPv4 or IPv6
>>>  address
>>>
>>> I believe the scope at the end of the IP address is the culprit. But 
>>> maybe I am wrong.
>>
>> Agree. I didn't know that was a thing that could appear here. I guess 
>> we just should strip it? That would not be a security issue?
>>
>> Can you try something like
>>
>> --- a/kallithea/lib/auth.py
>> +++ b/kallithea/lib/auth.py
>> @@ -1008,6 +1008,7 @@ def check_ip_access(source_ip, allowed_i
>>      :param allowed_ips: list of allowed ips together with mask
>>      """
>>      from kallithea.lib import ipaddr
>> +    source_ip = source_ip.split('%', 1)[0]
>>      log.debug('checking if ip:%s is subnet of %s', source_ip, 
>> allowed_ips)
>>      if isinstance(allowed_ips, (tuple, list, set)):
>>          for ip in allowed_ips:
>>
>>> I have added the full trace back at the end of this message.
>>>
>>> As IPV6 is not officially supported, I have not created a bug request.
>>
>> It is also not not officially unsupported ;-) So please bring it on 
>> so we can fix all issues.
> Your patch fixed the issue. I am now able to pull/push to/from Kallithea.

Great. Can any IPv6 experts confirm that it is the right thing to do?

> Are there other tests I should try ?

Nothing special. Just everything ;-)

Great if you can play around more with IPv6 and Waitress 1.1 and this 
change and confirm things work ... or report other unexxpected issues 
you might encounter.

/Mads