We have a web server at www.peakinternet.com that is dual stacked: ipv4: 207.55.16.224 ipv6: 2607:f678::16:224 A recent redesign of the web site moved it to Wordpress, which included as part of the .htaccess a block of ip addresses known for attacks, including: # PSI network deny from 38.0.0.0/8 When this rule is enabled and we try to access the site from our ipv6 enabled clients, we get "permission denied" errors. When it's disabled, the site works fine. We notice that 38 decimal is 26 hex, which matches the first 8 bits of our ipv6 block. In looking in the logs, we see that all the ipv6 denials were 26xx addresses: 2600:1002:b016:321f:51ca:e30f:4b1c:fc22] 2600:1008:b002:30f2::103] 2600:1008:b002:adfd:0:41:9772:1301] 2600:1008:b109:5639::103] 2600:1008:b111:8c5::103] 2600:100c:b203:e466:40ae:f7a6:58af:3e2e] 2600:100c:b210:ba5e:53e:ae29:66be:8af2] 2600:100e:b00c:ef2:e90a:88d8:b94a:847e] etc... It appears that the ipv4 mask 38/8 is being applied to ipv6 addresses inappropriately - this is only a guess, but it's the only thing we can think of that matches the symptoms...
Created attachment 29555 [details] proposed patch How bizarre that such a bug can go undiscovered for so long. Thanks for the report. Can you test this APR patch?
Committed in r1405985.
I applied that patch to the httpd 2.2.15 code I had handy and verified that the problem exists without the patch and does not exist with the patch.
1.5 commit: r1420111 1.4 commit: r1420116 will be fixed in 1.4.7 / 1.5.0
fixed in 1.4.7 and later releases