
OS-3027 vmadm support for IPv6 antispoof prefixes

Reviewed by: Josh Wilsdon <jwilsdon@joyent.com>
1 parent 4df8cb4 commit fbe057b41d645981ecb236eaa38935a3082d8415 @rmustacc rmustacc committed May 10, 2014
Showing with 144 additions and 12 deletions.
  1. +4 −2 src/vm/man/vmadm.1m.md
  2. +23 −9 src/vm/node_modules/VM.js
  3. +117 −1 src/vm/tests/test-spoof-opts.js
@@ -1314,8 +1314,10 @@ tab-complete UUIDs rather than having to type them out for every command.
This sets additional IP addresses from which this nic is allowed to
send traffic, in addition to the IPs in the ip and vrrp_primary_ip
- properties (if set). Values can be either single IPv4 Addresses or
- CIDR ranges in the form 192.168.1.0/24.
+ properties (if set). Values may be single IPv4 or IPv6 addresses
+ or IPv4 and IPv6 CIDR ranges. The following are all valid
+ examples of allowed_ips: '10.169.0.0/16', '10.99.99.7',
+ 'fe82::/15', '2600:3c00::f03c:91ff:fe96:a267'.
type: array (of IP addresses or CIDR ranges)
vmtype: OS,KVM
@@ -887,24 +887,38 @@ function validateImages(payload, errors, log, callback)
});
}
-// This is for allowed_ips which accepts IPiv4 addresses or CIDR addresses in
-// the form IP/MASK where MASK is 1-32.
+// This is for allowed_ips which accepts IPv4 and IPv6 addresses or CIDR
+// addresses in the form IP/MASK where MASK is 1-32 for IPv4 and 1-128 for
+// IPv6.
function validateIPlist(list) {
var invalid = [];
list.forEach(function (ip) {
var matches;
- if (!net.isIPv4(ip)) {
- matches = ip.match(/^([0-9\.]+)\/([0-9]+)$/);
- if (matches && net.isIPv4(matches[1])
- && (Number(matches[2]) >= 1) && (Number(matches[2]) <= 32)) {
- // In this case it wasn't an IPv4, but it was a valid CIDR
- return;
- } else {
+ if (net.isIPv4(ip) || net.isIPv6(ip)) {
+ return;
+ }
+
+ matches = ip.split('/');
+ if (matches.length !== 2) {
+ invalid.push(ip);
+ return;
+ }
+
+ if (net.isIPv4(matches[0])) {
+ if (Number(matches[1]) > 32 || (Number(matches[1])) < 1) {
+ invalid.push(ip);
+ }
+ } else if (net.isIPv6(matches[0])) {
+ if (Number(matches[1]) > 128 || (Number(matches[1])) < 1) {
invalid.push(ip);
}
+ } else {
+ invalid.push(ip);
}
+
+
});
if (invalid.length !== 0) {
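Review bot: The two new range checks (`Number(matches[1]) > 32 || ... < 1` and the 128 variant) only bound the converted value, so prefix strings that are not decimal integers still pass: `Number('24.5')`, `Number('1e1')`, `Number('0x18')` and `Number(' 24')` all land in range, and `10.88.88.0/24.5` or `10.88.88.0/0x18` is accepted as a valid allowed_ips entry. Whatever consumes the property afterwards is not in this hunk, so I can't say whether it rejects or misreads such a value, but for an antispoof allow-list the validator should only admit what the consumer is known to parse. Reject anything that is not a short decimal integer before the range checks, `if (!/^[0-9]{1,3}$/.test(matches[1])) { invalid.push(ip); return; }`, and then range-check `parseInt(matches[1], 10)`; the same check serves both the IPv4 and IPv6 branches. The cases added in src/vm/tests/test-spoof-opts.js cover too-large, too-small, negative and empty lengths but none of these non-integer forms, so a `'10.88.88.0/24.5'` case there would pin the fix. validateIPlist continues past the end of the hunk.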
@@ -493,8 +493,124 @@ function brand_test(brand, image, t) {
'restricted' ],
allowed_ips: [ips[2], '10.5.0.201', '10.5.0.202']
}, cb);
- }
+ }, function (cb) {
+ // update net2 to have a v4 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '10.88.88.0/24' ]
+ } ] }, function (e) {
+ if (e) {
+ t.ok(false, 'VM.update: ' + e.message);
+ return cb(e);
+ }
+
+ VM.load(state.uuid, function (err, obj) {
+ if (err) {
+ t.ok(false, 'VM.load: ' + err.message);
+ return cb(err);
+ }
+
+ t.ok(obj.nics[2].allowed_ips[0] == '10.88.88.0/24',
+ 'single allowed-ips IPv4 prefix');
+ cb();
+ });
+ });
+ }, function (cb) {
+ // update net2 to have a v6 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '2600:3c00::f03c:91ff:fe96:a260/124' ]
+ } ] }, function (e) {
+ if (e) {
+ t.ok(false, 'VM.update: ' + e.message);
+ return cb(e);
+ }
+ VM.load(state.uuid, function (err, obj) {
+ if (err) {
+ t.ok(false, 'VM.load: ' + err.message);
+ return cb(err);
+ }
+
+ t.ok(obj.nics[2].allowed_ips[0] ==
+ '2600:3c00::f03c:91ff:fe96:a260/124',
+ 'single allowed-ips IPv6 prefix');
+ cb();
+ });
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v4 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '10.88.88.0/36' ]
+ } ] }, function (e) {
+ t.ok(e, 'v4 prefix too large');
+ cb();
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v4 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '10.88.88.0/0' ]
+ } ] }, function (e) {
+ t.ok(e, 'v4 prefix too small');
+ cb();
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v4 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '10.88.88.0/-3' ]
+ } ] }, function (e) {
+ t.ok(e, 'v4 prefix invalid number');
+ cb();
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v4 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '10.88.88.0/' ]
+ } ] }, function (e) {
+ t.ok(e, 'v4 prefix missing number');
+ cb();
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v6 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '2600:3c00::f03c:91ff:fe96:a260/129' ]
+ } ] }, function (e) {
+ t.ok(e, 'v6 prefix too large');
+ cb();
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v6 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '2600:3c00::f03c:91ff:fe96:a260/0' ]
+ } ] }, function (e) {
+ t.ok(e, 'v6 prefix too small');
+ cb();
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v6 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '2600:3c00::f03c:91ff:fe96:a260/-5' ]
+ } ] }, function (e) {
+ t.ok(e, 'v6 prefix invalid number');
+ cb();
+ });
+ }, function (cb) {
+ // update net2 to have an invalid v6 prefix for IP antispoof
+ VM.update(state.uuid, { update_nics: [ {
+ mac: state.nics[2].mac,
+ allowed_ips: [ '2600:3c00::f03c:91ff:fe96:a260/' ]
+ } ] }, function (e) {
+ t.ok(e, 'v6 prefix missing number');
+ cb();
+ });
+ }
], function (err) {
t.end();
});
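Review bot: Each of the eight negative cases asserts only `t.ok(e, ...)`, so any failure of VM.update — a load error, a nic that no longer matches `state.nics[2].mac`, the VM being in the wrong state — satisfies the test as readily as a rejected prefix does. If the validation error's message is stable, assert on it as well (for example that `e.message` names allowed_ips or the offending value) so the test distinguishes a rejection from an unrelated failure; the message format is not visible from this hunk. The two positive cases compare with `==` (`obj.nics[2].allowed_ips[0] == '10.88.88.0/24'`); `===` is the idiomatic form and avoids coercion surprises. The series array these callbacks belong to, and brand_test itself, begin outside the hunk.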
