Disallow IPv6 multicast as bridge n/w subnet

Signed-off-by: Rob Murray <rob.murray@docker.com>
krissetto · May 1, 2024 · a5f82ba · a5f82ba
1 parent aa3a86c
commit a5f82ba
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 0 deletions.
diff --git a/libnetwork/drivers/bridge/bridge_linux.go b/libnetwork/drivers/bridge/bridge_linux.go
@@ -193,6 +193,9 @@ func validateIPv6Subnet(addr netip.Prefix) error {
 	if !addr.Addr().Is6() || addr.Addr().Is4In6() {
 		return fmt.Errorf("'%s' is not a valid IPv6 subnet", addr)
 	}
+	if addr.Addr().IsMulticast() {
+		return fmt.Errorf("multicast subnet '%s' is not allowed", addr)
+	}
 	if addr.Masked() != linkLocalPrefix && linkLocalPrefix.Overlaps(addr) {
 		return fmt.Errorf("'%s' clashes with the Link-Local prefix 'fe80::/64'", addr)
 	}

diff --git a/libnetwork/drivers/bridge/bridge_linux_test.go b/libnetwork/drivers/bridge/bridge_linux_test.go
@@ -1046,6 +1046,11 @@ func TestValidateFixedCIDRV6(t *testing.T) {
 			input:       "nonsense",
 			expectedErr: "invalid fixed-cidr-v6: netip.ParsePrefix(\"nonsense\"): no '/'",
 		},
+		{
+			doc:         "multicast IPv6 subnet",
+			input:       "ff05::/64",
+			expectedErr: "invalid fixed-cidr-v6: multicast subnet 'ff05::/64' is not allowed",
+		},
 	}
 	for _, tc := range tests {
 		tc := tc