It seems Elasticsearch doesn't allow an IPv4-mapped IPv6 address with CIDR to be indexed. When I was trying to index the IPv4-mapped IPv6 value
::ffff:127.12.0.1/108
I am getting the following error.
PUT test

PUT test/_mapping/
{
  "dynamic_templates": [
    {
      "ip_range": {
        "match": "*ip_range",
        "mapping": {
          "type": "ip_range",
          "ignore_malformed": true
        }
      }
    }
  ]
}

PUT test/_doc/1
{
  "test1_ip_range": "::ffff:127.12.0.1/108"
}

{
  "error": {
    "root_cause": [
      {
        "type": "mapper_parsing_exception",
        "reason": "failed to parse field [test1_ip_range] of type [ip_range] in document with id '2'. Preview of field's value: '::ffff:127.12.0.1/108'"
      }
    ],
    "type": "mapper_parsing_exception",
    "reason": "failed to parse field [test1_ip_range] of type [ip_range] in document with id '2'. Preview of field's value: '::ffff:127.12.0.1/108'",
    "caused_by": {
      "type": "illegal_argument_exception",
      "reason": "CIDR notation is not allowed with IPv6-mapped IPv4 address [::ffff:127.12.0.1 as it introduces ambiguity as to whether the prefix length should be interpreted as a v4 prefix length or a v6 prefix length"
    }
  },
  "status": 400
}

But when I index IPv4 and query on IPv4-mapped IPv6, Elasticsearch query execution works as expected.
Ex:
PUT test/_doc/2
{
  "test1_ip_range": "127.12.0.1/12"
}

GET test/_doc/_search
{
  "query": {
    "term": {
      "test1_ip_range": "::ffff:127.12.0.2"
    }
  }
}

In this case, the search query returns the expected results.
From the error thrown by Elasticsearch, it seems an IPv4-mapped IPv6 address with CIDR cannot be indexed by Elasticsearch.
So I was thinking we could write a custom analyser which can convert IPv4-mapped IPv6 with CIDR into IPv4 with CIDR before indexing.
It seems any IPv4-mapped IPv6 with CIDR can be converted to IPv4 by just removing the prefix ::ffff: and subtracting 96 from the CIDR value.
Example: IPv4 for ::ffff:127.12.0.1/108 is 127.12.0.1/12.
Could someone tell me whether we can do this with a custom analyser or by making some changes to the Elasticsearch template? Any help is appreciated. Thanks in advance.
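
The conversion described in the post, as an added example that is not part of the original post and not Elasticsearch code: a client-side normalizer run on a document before it is sent to `PUT test/_doc/...`. The function names `normalize_ip_range` and `prepare_doc` are hypothetical, and the sketch assumes the fields to rewrite are the string values whose names match the `*ip_range` pattern from the dynamic template above.

```python
import ipaddress

MAPPED_PREFIX_BITS = 96  # ::ffff:0:0/96 holds every IPv4-mapped address


def normalize_ip_range(value: str) -> str:
    """Rewrite an IPv4-mapped IPv6 CIDR as the equivalent IPv4 CIDR.

    Plain IPv4 CIDRs and genuine IPv6 CIDRs are returned unchanged.
    Raises ValueError for malformed input or for a mapped address whose
    prefix is shorter than /96 (it would cover more than the IPv4 space).
    """
    text = value.strip()
    if "/" not in text:
        return text  # no prefix length, so nothing is ambiguous
    iface = ipaddress.ip_interface(text)  # tolerates host bits being set
    if iface.version == 4:
        return text
    v4 = iface.ip.ipv4_mapped  # None unless the address is in ::ffff:0:0/96
    if v4 is None:
        return text
    prefix = iface.network.prefixlen
    if prefix < MAPPED_PREFIX_BITS:
        raise ValueError(
            f"{text}: prefix /{prefix} is wider than the IPv4-mapped block"
        )
    return f"{v4}/{prefix - MAPPED_PREFIX_BITS}"


def prepare_doc(doc: dict) -> dict:
    """Return a copy of doc with every string '*ip_range' field normalized."""
    out = dict(doc)
    for key, val in doc.items():
        if key.endswith("ip_range") and isinstance(val, str):
            out[key] = normalize_ip_range(val)
    return out


if __name__ == "__main__":
    # Constructed sample document using the value from the post.
    print(prepare_doc({"test1_ip_range": "::ffff:127.12.0.1/108"}))
```

A mapped address with a prefix shorter than /96 is rejected rather than clamped, because no IPv4 CIDR describes the same set of addresses.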