OS-4683 Using the allowed-ips property prevents using dynamic addresses

TritonDataCenter · Jun 12, 2018 · 71a0dd0 · 71a0dd0
1 parent 56aefb8
commit 71a0dd0
Show file tree

Hide file tree

Showing 4 changed files with 102 additions and 16 deletions.
diff --git a/overlay/generic/usr/lib/brand/jcommon/statechange b/overlay/generic/usr/lib/brand/jcommon/statechange
@@ -486,12 +486,20 @@ setup_net()
 			unset allowed_ip_map
 			typeset -A allowed_ip_map
 
+			dynamic_methods=""
+			separator=""
 			OLDIFS=$IFS
 			IFS=,
 
 			for zone_ip in $zone_ips; do
 				# For each static IP available, add it to the list.
-				if [[ $zone_ip != "dhcp" ]] && [[ $zone_ip != "addrconf" ]]; then
+				if [[ $zone_ip == "dhcp" ]]; then
+					dynamic_methods+="${separator}dhcpv4"
+					separator=","
+				elif [[ $zone_ip == "addrconf" ]]; then
+					dynamic_methods+="${separator}addrconf"
+					separator=","
+				else
 					clean_ip=`printf "%s" "${zone_ip}" | sed 's|^\([^/]*\)/.*|\1|'`
 					allowed_ip_map[${clean_ip}]=true
 				fi
@@ -525,6 +533,14 @@ setup_net()
 				log_and_exit \
 				    "error setting VNIC allowed-ips $nic $allowed_ip_list"
 			fi
+
+			# Set the dynamic-methods property on the NIC
+			if [[ -n ${dynamic_methods} ]] &&
+			    ! dladm set-linkprop -t -z $ZONENAME \
+			    -p "dynamic-methods=${dynamic_methods}" ${nic}; then
+				log_and_exit \
+				    "error setting VNIC dynamic-methods $nic $dynamic_methods"
+			fi
 		fi
 
 		if [[ "$enable_dhcp" != "true" ]] && [[ -n "$allowed_dhcp_cids" ]] &&

diff --git a/src/vm/node_modules/VM.js b/src/vm/node_modules/VM.js
diff --git a/src/vm/node_modules/dladm.js b/src/vm/node_modules/dladm.js
diff --git a/src/vm/tests/test-spoof-opts.js b/src/vm/tests/test-spoof-opts.js
@@ -50,6 +50,9 @@ function nic_link_props(opts, callback) {
                 return ip + '/32';
             }),
             opts.nic + ': allowed-ips ' + opts.desc);
+        opts.t.deepEqual(props['dynamic-methods'].sort(),
+            opts.dynamic_methods,
+            opts.nic + ': dynamic methods ' + opts.desc);
 
         return callback();
     });
@@ -163,6 +166,7 @@ function brand_test(brand, image, t) {
                     allowed_dhcp_cids: [ '--' ],
                     props: [ 'dhcp-nospoof', 'ip-nospoof', 'mac-nospoof',
                         'restricted' ],
+                    dynamic_methods: [ '--' ],
                     allowed_ips: [ ips[i] ]
                 }, cb2);
             }, cb);
@@ -369,6 +373,7 @@ function brand_test(brand, image, t) {
                 t: t,
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof', 'restricted' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ '--' ]
             }, cb);
 
@@ -381,6 +386,7 @@ function brand_test(brand, image, t) {
                 t: t,
                 allowed_dhcp_cids: [ '--' ],
                 props: [ '--' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ '--' ]
             }, cb);
 
@@ -394,6 +400,7 @@ function brand_test(brand, image, t) {
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof', 'ip-nospoof', 'mac-nospoof',
                     'restricted' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ips[2], '10.5.0.201', '10.5.0.202']
             }, cb);
 
@@ -409,6 +416,7 @@ function brand_test(brand, image, t) {
                     'dhcp-nospoof', 'ip-nospoof',
                     'mac-nospoof', 'restricted'
                 ],
+                dynamic_methods: [ 'dhcpv6', 'slaac' ],
                 allowed_ips: [ '--' ]
             }, cb);
 
@@ -462,6 +470,7 @@ function brand_test(brand, image, t) {
                 t: t,
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof', 'restricted' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ '--' ]
             }, cb);
 
@@ -474,6 +483,7 @@ function brand_test(brand, image, t) {
                 t: t,
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ '--' ]
             }, cb);
 
@@ -487,6 +497,7 @@ function brand_test(brand, image, t) {
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof', 'ip-nospoof', 'mac-nospoof',
                     'restricted' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ips[2], '10.5.0.201', '10.5.0.202']
             }, cb);
 
@@ -540,6 +551,7 @@ function brand_test(brand, image, t) {
                 t: t,
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof', 'restricted' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ '--' ]
             }, cb);
 
@@ -551,6 +563,7 @@ function brand_test(brand, image, t) {
                 t: t,
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ '--' ]
             }, cb);
 
@@ -563,6 +576,7 @@ function brand_test(brand, image, t) {
                 allowed_dhcp_cids: [ '--' ],
                 props: [ 'dhcp-nospoof', 'ip-nospoof', 'mac-nospoof',
                     'restricted' ],
+                dynamic_methods: [ '--' ],
                 allowed_ips: [ips[2], '10.5.0.201', '10.5.0.202']
             }, cb);
         }, function (cb) {