kong icon indicating copy to clipboard operation
kong copied to clipboard
Published 4 weeks ago verified publisher icon Kong

plugin ip-restriction not working for IPv6 addesses

Open stefan-schilling opened this issue 2 years ago • 4 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Kong version ($ kong version)

Kong 2.8.3

Current Behavior

When we set up an ip-restriction, access is granted for all IPv4 addresses. BUT: any IPv6 address is not functional. Taking below config, client 2a02:908:2226:9b40:9ce1:62d:b67b:6508 continues to be blocked, while 62.216.208.197 can.

Expected Behavior

IPv4 + IPv6 (mixed environment) should work.

Steps To Reproduce

apiVersion: configuration.konghq.com/v1
config:
  allow:
  - 62.216.208.197
  - 2a02:908:2226:9b40:9ce1:62d:b67b:6508
kind: KongPlugin
metadata:
  annotations:
    meta.helm.sh/release-name: application
    meta.helm.sh/release-namespace: application
  creationTimestamp: "2023-05-25T14:44:27Z"
  generation: 12
  labels:
    app.kubernetes.io/managed-by: Helm
  name: application-ip-restriction
  namespace: application
  resourceVersion: "131224210"
  uid: 1aaa951c-ebd9-4947-bcfb-9349f7f674bc
plugin: ip-restriction

Anything else?

No response

stefan-schilling avatar Jun 09 '23 15:06 stefan-schilling

This looks like a bug. We will track this in our internal process. And just a suggestion. Please use code block so we have better readability and the code does not mess up with markdown grammar.

StarlightIbuki avatar Jun 13 '23 08:06 StarlightIbuki

Hey @StarlightIbuki thank you for tracking this topic, is it already clear what the issue is? Thank you in advance!

MarcHock98 avatar Jun 27 '23 15:06 MarcHock98

@stefan-schilling @MarcHock98 We are unable to reproduce the issue on our end - We can successfully allow and deny IPv4 and IPv6 addresses, and things work as expected. Can you check the access.log file of your Kong Gateway installation? Do you see lines like these

2a02:908:2226:9b40:9ce1:62d:b67b:6508 - - [28/Jun/2023:06:43:23 +0200] "GET /request HTTP/1.1" 403 48 "-" "HTTPie/3.2.1"

when you see your requests be rejected? Did you double check the IP address in the log against the one that you have configured in the ip-restriction plugin?

hanshuebner avatar Jun 28 '23 04:06 hanshuebner

The ticket can be closed. We have found the issue on our side: At first we had another kongplugin (transformer plugin) configured that has got overwritten by the ip-restriction. In addition we had to enlarge our subnet: https://www.vultr.com/resources/subnet-calculator-ipv6/

Sorry for the effort and thank you for your support!

MarcHock98 avatar Jul 06 '23 08:07 MarcHock98