@ipMatch "Could not add entry" on slash notation in 2.8.0

[lifeforms]

Slash notation no longer works for IPv6 subnets in @ipMatch operator in 2.8.0:

SecRule REMOTE_ADDR "@ipMatch 2001:db8::/32" \
    "id:9999999,phase:1,t:none,nolog,deny"

Parsing gives the following error:

AH00526: Syntax error on line 45 of /usr/local/etc/apache24/mods-enabled/security2.conf:
Error creating rule: Could not add entry "2001:db8::/32" from: 2001:db8::/32.

Normal IPv6 address notation, such as "@ipMatch 2001:db8::" works normally.

Tested on FreeBSD 8.4+Apache 2.2 and FreeBSD 9.2+Apache 2.4.

[aaccomazzi]

This also applies to IPv4 subnets, e.g. "@ipMatch 156.149.249.0/8"

Strangely enough, everything seems to work if a full IPv4 address is used rather than the mask, e.g. "@ipMatch 156.149.249.10/8"

[lifeforms]

@aaccomazzi I can confirm this, so apparently IPv4 is also affected.

It's very interesting. @ipMatch 10.0.0.0/24 and @ipMatch 10.0.0.0/16 are accepted, but @ipMatch 10.0.0.0/8 gives "Could not add entry".

Updated the issue title to reflect this.

[zimmerle]

Hi guys,

Thanks for the report.

Before v2.8.0 two different implementations were used to match the ip address, one for the @ipMatch operator, and another one to the @ipMatchFromFile. As of 2.8.0 we have it changed to use the very same implementation, check out this commit: 0037a07. Turns out that something is not working as expected, as you guys have reported.

I have created a unit test case for the operator @ipMatch, it is available here:
https://github.com/SpiderLabs/ModSecurity/blob/ipmatch_slash_notation/tests/op/ipMatch.t

If you have more suggestions for tests, it will be nice. I will double check the ones that i have created while fixing the issue.

That is the actual scenario:

Loaded 17 tests from op/ipMatch.t
     1) op "ipMatch": passed ((null) at UNIT_TEST.)
     2) op "ipMatch": passed
     3) op "ipMatch": passed ((null) at UNIT_TEST.)
     4) op "ipMatch": passed
     5) op "ipMatch": passed ((null) at UNIT_TEST.)
     6) op "ipMatch": passed
     7) op "ipMatch": passed ((null) at UNIT_TEST.)
     8) op "ipMatch": passed ((null) at UNIT_TEST.)
ERROR: Failed to create rule for op "ipMatch": Error creating rule: Could not add entry "156.149.249.1/8" from: 156.149.249.1/8.
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "ipMatch" "-p" "156.149.249.1/8" "-D" "0" "-r" "1"
     9) op "ipMatch": failed
Returned 0 (expected 1)
 Test: '@ipMatch 10.0.0.0/24'
Input: '10.10.10.11' len=11
    10) op "ipMatch": failed
Returned 0 (expected 1)
 Test: '@ipMatch 10.0.0.0/16'
Input: '10.10.10.11' len=11
    11) op "ipMatch": failed
ERROR: Failed to create rule for op "ipMatch": Error creating rule: Could not add entry "10.0.0.0/8" from: 10.0.0.0/8.
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "ipMatch" "-p" "10.0.0.0/8" "-D" "0" "-r" "1"
    12) op "ipMatch": failed
ERROR: Failed to create rule for op "ipMatch": Error creating rule: Could not add entry "10.0.0.0/4" from: 10.0.0.0/4.
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "ipMatch" "-p" "10.0.0.0/4" "-D" "0" "-r" "1"
    13) op "ipMatch": failed
ERROR: Failed to create rule for op "ipMatch": Error creating rule: Could not add entry "10.0.0.0/2" from: 10.0.0.0/2.
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "ipMatch" "-p" "10.0.0.0/2" "-D" "0" "-r" "1"
    14) op "ipMatch": failed
ERROR: Failed to create rule for op "ipMatch": Error creating rule: Could not add entry "10.0.0.0/100" from: 10.0.0.0/100.
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "ipMatch" "-p" "10.0.0.0/100" "-D" "0" "-r" "-1"
    15) op "ipMatch": failed
ERROR: Failed to create rule for op "ipMatch": Error creating rule: Could not add entry "2001:db8::/32" from: 2001:db8::/32.
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "ipMatch" "-p" "2001:db8::/32" "-D" "0" "-r" "1"
    16) op "ipMatch": failed
ERROR: Failed to create rule for op "ipMatch": Error creating rule: Could not add entry "2001:db8::/63" from: 2001:db8::/63.
Test exited with signal 11.
Executed: ./msc_test "-t" "op" "-n" "ipMatch" "-p" "2001:db8::/63" "-D" "0" "-r" "0"
    17) op "ipMatch": failed
Passed:  8; Failed:  9

8/17 tests passed.

[dune73]

This is an annoying one. We are stuck on 2.7.7 because of this bug.