Block apipa address (#238)

* block apipa address and remove reading dns from dnc. Added config for passing dns * modified iptable rule to allow dns server to top of chain
Azure · Aug 20, 2018 · f656f44 · f656f44
1 parent 9a9c2cd
commit f656f44
Show file tree

Hide file tree

Showing 3 changed files with 33 additions and 6 deletions.
diff --git a/cni/azure-linux-multitenancy.conflist b/cni/azure-linux-multitenancy.conflist
@@ -7,10 +7,16 @@
          "mode":"bridge",
          "bridge":"azure0",
          "multiTenancy":true,
+         "infraVnetAddressSpace":"",
+         "podNamespaceForDualNetwork":[],
+         "enableExactMatchForPodName": false,
          "enableSnatOnHost":true,
          "ipam":{
             "type":"azure-vnet-ipam"
-         }
+         },
+         "dns":{
+            "nameservers":[]
+        }
       },
       {
          "type":"portmap",
@@ -20,4 +26,4 @@
          "snat":true
       }
    ]
-}
+}
diff --git a/cni/network/mutlitenancy.go b/cni/network/mutlitenancy.go
@@ -112,7 +112,6 @@ func convertToCniResult(networkConfig *cns.GetNetworkContainerResponse, ifName s
 
 	resultIpconfig.Gateway = net.ParseIP(ipconfig.GatewayIPAddress)
 	result.IPs = append(result.IPs, resultIpconfig)
-	result.DNS.Nameservers = ipconfig.DNSServers
 
 	if networkConfig.Routes != nil && len(networkConfig.Routes) > 0 {
 		for _, route := range networkConfig.Routes {

diff --git a/network/epcommon/endpoint_common_linux.go b/network/epcommon/endpoint_common_linux.go
@@ -9,8 +9,23 @@ import (
 	"github.com/Azure/azure-container-networking/platform"
 )
 
+/*RFC For Private Address Space: https://tools.ietf.org/html/rfc1918
+   The Internet Assigned Numbers Authority (IANA) has reserved the
+   following three blocks of the IP address space for private internets:
+
+     10.0.0.0        -   10.255.255.255  (10/8 prefix)
+     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
+     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)
+
+RFC for Link Local Addresses: https://tools.ietf.org/html/rfc3927
+   This document describes how a host may
+   automatically configure an interface with an IPv4 address within the
+   169.254/16 prefix that is valid for communication with other devices
+   connected to the same physical (or logical) link.
+*/
+
 func getPrivateIPSpace() []string {
-	privateIPAddresses := []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"}
+	privateIPAddresses := []string{"10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16"}
 	return privateIPAddresses
 }
 
@@ -82,22 +97,29 @@ func AssignIPToInterface(interfaceName string, ipAddresses []net.IPNet) error {
 }
 
 func addOrDeleteFilterRule(bridgeName string, action string, ipAddress string, chainName string, target string) error {
+	var cmd string
 	option := "i"
 
 	if chainName == "OUTPUT" {
 		option = "o"
 	}
 
 	if action != "D" {
-		cmd := fmt.Sprintf("iptables -t filter -C %v -%v %v -d %v -j %v", chainName, option, bridgeName, ipAddress, target)
+		cmd = fmt.Sprintf("iptables -t filter -C %v -%v %v -d %v -j %v", chainName, option, bridgeName, ipAddress, target)
 		_, err := platform.ExecuteCommand(cmd)
 		if err == nil {
 			log.Printf("Iptable filter for private ipaddr %v on %v chain %v target rule already exists", ipAddress, chainName, target)
 			return nil
 		}
 	}
 
-	cmd := fmt.Sprintf("iptables -t filter -%v %v -%v %v -d %v -j %v", action, chainName, option, bridgeName, ipAddress, target)
+	if target != "ACCEPT" {
+		cmd = fmt.Sprintf("iptables -t filter -%v %v -%v %v -d %v -j %v", action, chainName, option, bridgeName, ipAddress, target)
+	} else {
+		action = "I"
+		cmd = fmt.Sprintf("iptables -t filter -%v %v 1 -%v %v -d %v -j %v", action, chainName, option, bridgeName, ipAddress, target)
+	}
+
 	_, err := platform.ExecuteCommand(cmd)
 	if err != nil {
 		log.Printf("Iptable filter %v action for private ipaddr %v on %v chain %v target failed with %v", action, ipAddress, chainName, target, err)