From be0d8a84b163d583b88648776ae6ef4715e64d53 Mon Sep 17 00:00:00 2001
From: master3395 <master3395@users.noreply.github.com>
Date: Tue, 17 Feb 2026 02:15:17 +0100
Subject: [PATCH] Fix GetServerIPv6(): parse IPv6 with ipaddress, exclude only
 loopback/link-local

- Bug: filtering on '::1' in line incorrectly excluded addresses like
  2a02:c206:2238:7806::1, so fixDNS() never created AAAA records.
- Fix: use ipaddress.ip_address() and is_loopback/is_link_local so
  only actual loopback (::1) and link-local (fe80::) are excluded.
- GetServerIPv6() now returns correct global IPv6 for DNS AAAA records.
---
 plogical/acl.py | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

diff --git a/plogical/acl.py b/plogical/acl.py
index bc06d31b2..9af6b0a87 100644
--- a/plogical/acl.py
+++ b/plogical/acl.py
@@ -1091,8 +1091,9 @@ class ACLManager:
         Returns None if no IPv6 address is found
         """
         try:
+            import ipaddress
             import subprocess
-            # Get IPv6 addresses, exclude link-local (fe80::) and loopback (::1)
+            # Get IPv6 addresses and filter loopback/link-local with proper IP parsing.
             result = subprocess.run(
                 ['ip', '-6', 'addr', 'show'],
                 capture_output=True,
@@ -1103,14 +1104,19 @@ class ACLManager:
             if result.returncode == 0:
                 lines = result.stdout.split('\n')
                 for line in lines:
-                    if 'inet6' in line and '::1' not in line and 'fe80::' not in line:
-                        # Extract IPv6 address (format: inet6 2a02:c207:2139:8929::1/64)
-                        parts = line.strip().split()
-                        if len(parts) >= 2:
-                            ipv6 = parts[1].split('/')[0]
-                            # Validate it's a real IPv6 (not link-local)
-                            if not ipv6.startswith('fe80::'):
-                                return ipv6
+                    if 'inet6' not in line:
+                        continue
+                    # Expected format: "inet6 2a02:c207:2139:8929::1/64 scope global ..."
+                    parts = line.strip().split()
+                    if len(parts) < 2:
+                        continue
+                    ipv6 = parts[1].split('/')[0]
+                    try:
+                        ip_obj = ipaddress.ip_address(ipv6)
+                    except ValueError:
+                        continue
+                    if ip_obj.version == 6 and not ip_obj.is_loopback and not ip_obj.is_link_local:
+                        return str(ip_obj)
         except Exception as e:
             logging.CyberCPLogFileWriter.writeToFile(f'Error getting IPv6 address: {str(e)}')