IPv6 clients within LAN subnet incorrectly classified as WAN when restricted = true #302
Description
On Ubuntu 24.04 with ctrld cli v1.5.0, when setting up a listener with restricted = true and specifying an IPv6 LAN subnet in the [network.0].cidrs field, all IPv6 client queries from that subnet are still being refused as WAN. Only setting allow_wan_clients = true allows them through, which is not secure.
Sample config:

```toml
[listener.0]
ip = "::"
port = 53
restricted = true

[listener.0.policy]
networks = [
  { "network.0" = ["upstream.0"] }
]

[network.0]
cidrs = [
  "2a01:XXX:XXX:XXXX::/64"
]
```
Observed:
All IPv6 client addresses within 2a01:XXX:XXX:XXXX::/64 receive REFUSED and logs show:
```text
query refused, listener does not allow WAN clients: [2a01:XXX:XXX:XXXX:xxxx:xxxx:xxxx:xxxx]:xxxxx
```
Only allow_wan_clients = true “fixes” things (but exposes resolver).
Tested:
- Confirmed client addresses are within the /64 and appear correctly with ifconfig/ip -6 addr.
- Tried both short and fully expanded IPv6 notation.
- No firewall on VM, netstat confirms ctrld listens on UDP6/TCP6 :: port 53.
- Tried simplifying cidrs to single /64 only, still refused.
- Logs at debug level confirm matching fails on IPv6, while IPv4 works as expected.
Expected:
All IPv6 clients with addresses from the specified /64 should be treated as LAN and accepted, not as WAN.
Workaround:
Setting allow_wan_clients = true + firewall rules on the router.
Version:
- ctrld cli v1.5.0
- Ubuntu 24.04
Extra:
- systemd-resolved disabled, no local firewall, clean config.
- ctrld works correctly for loopback queries.
Please investigate, as this seems to be a parsing/matching bug for IPv6 in network policies.
Let me know if you want it tailored even more, or add other details!
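The LAN/WAN decision this report is about, as an added Go example that is not ctrld's code: a hypothetical `isWANClient` helper parses the `[addr]:port` form seen in the refusal log line and matches it against the `[network.N]` cidrs with `net/netip`. It goes slightly beyond the report by also handling the IPv4-mapped form a dual-stack `::` listener produces; the prefixes and client addresses are constructed from the `2001:db8::/32` documentation range rather than taken from the report.

```go
package main

import (
	"fmt"
	"net/netip"
)

// parseLANPrefixes parses the cidrs list of a [network.N] block; Masked() zeroes host bits.
func parseLANPrefixes(cidrs []string) ([]netip.Prefix, error) {
	prefixes := make([]netip.Prefix, 0, len(cidrs))
	for _, c := range cidrs {
		p, err := netip.ParsePrefix(c)
		if err != nil {
			return nil, fmt.Errorf("bad cidr %q: %w", c, err)
		}
		prefixes = append(prefixes, p.Masked())
	}
	return prefixes, nil
}

// isWANClient takes the remote address as a Go listener reports it ("[addr]:port",
// as in the refusal log line) and reports whether it lies outside every LAN prefix.
func isWANClient(remoteAddr string, lan []netip.Prefix) (bool, error) {
	ap, err := netip.ParseAddrPort(remoteAddr)
	if err != nil {
		return true, err // an unparsable address is never treated as LAN
	}
	// A "::" listener is dual-stack: IPv4 clients arrive as ::ffff:a.b.c.d, which only
	// matches an IPv4 prefix once unmapped; Contains also rejects zoned addresses.
	ip := ap.Addr().Unmap().WithZone("")
	for _, p := range lan {
		if p.Contains(ip) {
			return false, nil // an explicitly configured LAN subnet wins
		}
	}
	// Fallback only: IsPrivate() covers RFC 1918 and fc00::/7, so a global unicast
	// IPv6 /64 like the one in this report is NOT private and must be matched above.
	if ip.IsLoopback() || ip.IsPrivate() || ip.IsLinkLocalUnicast() {
		return false, nil
	}
	return true, nil
}

func main() {
	lan, _ := parseLANPrefixes([]string{"2001:db8:1:2::/64", "192.168.1.0/24"}) // constructed
	for _, a := range []string{"[2001:db8:1:2:a:b:c:d]:51234", "[2001:db8:ffff::1]:53", "[::ffff:192.168.1.20]:5353"} {
		wan, err := isWANClient(a, lan)
		fmt.Printf("%-32s wan=%v err=%v\n", a, wan, err)
	}
}
```

Running it against your own prefix and a client address copied from the debug log is a quick way to confirm whether the address really falls inside the configured /64 before attributing the refusal to the policy matcher.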