fix: check multicast and loopback subnet

kubeovn · Oct 23, 2020 · 8ef1200 · 8ef1200
1 parent dd91c48
commit 8ef1200
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/pkg/util/net.go b/pkg/util/net.go
@@ -106,6 +106,9 @@ func CIDRContainIP(cidrStr, ipStr string) bool {
 	if err != nil {
 		return false
 	}
+	if CheckProtocol(cidrStr) != CheckProtocol(ipStr) {
+		return false
+	}
 	ip := net.ParseIP(ipStr)
 	if ip == nil {
 		return false

diff --git a/pkg/util/validator.go b/pkg/util/validator.go
@@ -10,11 +10,36 @@ import (
 	kubeovnv1 "github.com/alauda/kube-ovn/pkg/apis/kubeovn/v1"
 )
 
+const (
+	V6Multicast = "ff00::/8"
+	V4Multicast = "224.0.0.0/4"
+	V4Loopback  = "127.0.0.1/8"
+	V6Loopback  = "::1/128"
+)
+
+func cidrConflict(cidr string) error {
+	if CIDRConflict(cidr, V6Multicast) {
+		return fmt.Errorf("%s conflict with v6 multicast cidr %s", cidr, V6Multicast)
+	}
+	if CIDRConflict(cidr, V4Multicast) {
+		return fmt.Errorf("%s conflict with v4 multicast cidr %s", cidr, V4Multicast)
+	}
+	if CIDRConflict(cidr, V6Loopback) {
+		return fmt.Errorf("%s conflict with v6 loopback cidr %s", cidr, V6Loopback)
+	}
+	if CIDRConflict(cidr, V4Loopback) {
+		return fmt.Errorf("%s conflict with v4 multicast cidr %s", cidr, V4Loopback)
+	}
+	return nil
+}
+
 func ValidateSubnet(subnet kubeovnv1.Subnet) error {
 	if !CIDRContainIP(subnet.Spec.CIDRBlock, subnet.Spec.Gateway) {
 		return fmt.Errorf(" gateway %s is not in cidr %s", subnet.Spec.Gateway, subnet.Spec.CIDRBlock)
 	}
-
+	if err := cidrConflict(subnet.Spec.CIDRBlock); err != nil {
+		return err
+	}
 	excludeIps := subnet.Spec.ExcludeIps
 	for _, ipr := range excludeIps {
 		ips := strings.Split(ipr, "..")