Provides a set of VCL helper functions to deal with IPv4-embedded IPv6 addresses using the format specified in RFC6052 (IPv6 addresses that contain an embedded IPv4 address). Such addresses will typically be seen as when Varnish Cache is deployed in an IPv6 network that provides some kind of protocol translation function (e.g., SIIT-DC) to provide connectivity to IPv4-only end-users. The primary usage is to be able to extract the embedded IPv4 address so that it may be treated like a literal IPv4 address, e.g., passing it to the backend, using it for some sort of Geo-Location lookup, and so on.

The functions provided are:

  • boolean = is_v4embedded(ip) - returns true or false depending on whether or not ip is an IPv4-embedded IPv6 address.
  • ipv4 = extract(ip) - returns the embedded IPv4 address found inside ip, or NULL if ip is not an IPv4-embedded IPv6 address.
  • prefix("2001:db8::") - sets the RFC6052 translation prefix in use to the supplied string argument, using inet_pton(3). A prefix length of /96 is implied. The default value is 64:ff9b::/96, cf. RFC6052 Section 2.1.
  • replace(ip) - performs an in-place replacement of the supplied ip object, so that it will represent the embedded IPv4 address found in the original object. If the original object does not contain an IPv4-embedded IPv6 address, no replacement is performed.

Example VCL usage:

import rfc6052;

sub vcl_init {
    # Set a custom translation prefix

sub vcl_recv {
    ### Alternative A: use rfc6052.extract() in order to leave client.ip
    ### intact.
    if(rfc6052.is_v4embedded(client.ip)) {
        # "client.ip" contains an RFC6052 IPv4-embedded IPv6 address.
        # Set XFF to the literal IPv4 address:
        set req.http.X-Forwarded-For = rfc6052.extract(client.ip);
    } else {
        # "client.ip" contains an IPv4 address, or a non-RFC6052 IPv6 address.
        # Set XFF directly:
        set req.http.X-Forwarded-For = client.ip;

    ### Alternative B: Use replace() to change the value of "client.ip"
    ### before setting XFF.
    # If "client.ip" originally contained an IPv4-embedded IPv6 address, it
    # will now contain just the IPv4 address. Otherwise, replace() did no
    # changes, and "client.ip" still contains its original value. In any case,
    # we can just set XFF to whatever value "client.ip" now contains.
    set req.http.X-Forwarded-For = client.ip;

The module only works with Varnish Cache 4.1, but it is probably not too difficult to port it to 4.0 if there's any interest in that. Let me know.

In development
Varnish version supported: 
Commercial support: