Add new validation forbidding bigger than /8 CIDRs

nokia · Aug 29, 2019 · 3df88a0 · 3df88a0
1 parent 598ce0f
commit 3df88a0
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 1 deletion.
diff --git a/pkg/admit/validators.go b/pkg/admit/validators.go
@@ -15,6 +15,7 @@ import (
 
 const (
   MaxNidLength = 11
+  MaxNetMaskLength = 8
 )
 
 var (
@@ -50,6 +51,12 @@ func validateIpFields(cidr string, routes map[string]string) error {
   if err != nil {
     return errors.New("Invalid CIDR: " + cidr)
   }
+  if ipnet.IP.To4() != nil {
+    ones, _ := ipnet.Mask.Size()
+    if ones < MaxNetMaskLength {
+      return errors.New("Netmask of the IPv4 CIDR is bigger than the maximum allowed /8")
+    }
+  }
   for _, gw := range routes {
     if !ipnet.Contains(net.ParseIP(gw)) {
       return errors.New("Specified GW address:" + gw + " is not part of CIDR:" + cidr)
@@ -208,7 +215,7 @@ func validateVniChange(oldManifest, newManifest *danmtypes.DanmNet, opType admis
   }
   if (oldManifest.Spec.Options.Vlan  != 0 && (oldManifest.Spec.Options.Vlan  != newManifest.Spec.Options.Vlan  || oldManifest.Spec.Options.Device != newManifest.Spec.Options.Device)) ||
      (oldManifest.Spec.Options.Vxlan != 0 && (oldManifest.Spec.Options.Vxlan != newManifest.Spec.Options.Vxlan || oldManifest.Spec.Options.Device != newManifest.Spec.Options.Device)) {
-    return errors.New("cannot change VNI/host_device of a network which having any Pods connected to it e.g. Pod:" + connectedEp.Spec.Pod + " in namespace:" + connectedEp.ObjectMeta.Namespace)   
+    return errors.New("cannot change VNI/host_device of a network which having any Pods connected to it e.g. Pod:" + connectedEp.Spec.Pod + " in namespace:" + connectedEp.ObjectMeta.Namespace)
   }
   return nil
 }
diff --git a/test/uts/admit_tests/netadmit_test.go b/test/uts/admit_tests/netadmit_test.go
@@ -42,6 +42,9 @@ var validateNetworkTcs = []struct {
   {"Ipv4InvalidCidrDNet", "", "invalid-cidr", DnetType, "", nil, nil, true, nil, 0},
   {"Ipv4InvalidCidrTNet", "", "invalid-cidr", TnetType, "", nil, nil, true, nil, 0},
   {"Ipv4InvalidCidrCNet", "", "invalid-cidr", CnetType, "", nil, nil, true, nil, 0},
+  {"Ipv4TooBigCidrDNet", "", "long-cidr", DnetType, "", nil, nil, true, nil, 0},
+  {"Ipv4TooBigCidrTNet", "", "long-cidr", TnetType, "", nil, nil, true, nil, 0},
+  {"Ipv4TooBigCidrCNet", "", "long-cidr", CnetType, "", nil, nil, true, nil, 0},
   {"Ipv4GwOutsideCidrDNet", "", "gw-outside-cidr", DnetType, "", nil, nil, true, nil, 0},
   {"Ipv4GwOutsideCidrTNet", "", "gw-outside-cidr", TnetType, "", nil, nil, true, nil, 0},
   {"Ipv4GwOutsideCidrCNet", "", "gw-outside-cidr", CnetType, "", nil, nil, true, nil, 0},
@@ -141,6 +144,10 @@ var (
       ObjectMeta: meta_v1.ObjectMeta {Name: "invalid-cidr"},
       Spec: danmtypes.DanmNetSpec{NetworkType: "ipvlan", NetworkID: "nanomsg", Options: danmtypes.DanmNetOption{Cidr: "192.168.1.0/a4"}},
     },
+    danmtypes.DanmNet {
+      ObjectMeta: meta_v1.ObjectMeta {Name: "long-cidr"},
+      Spec: danmtypes.DanmNetSpec{NetworkType: "ipvlan", NetworkID: "nanomsg", Options: danmtypes.DanmNetOption{Cidr: "10.0.0.0/7"}},
+    },
     danmtypes.DanmNet {
       ObjectMeta: meta_v1.ObjectMeta {Name: "gw-outside-cidr"},
       Spec: danmtypes.DanmNetSpec{NetworkType: "ipvlan", NetworkID: "nanomsg", Options: danmtypes.DanmNetOption{Cidr: "10.20.1.0/24", Routes: map[string]string{"10.20.20.0/24": "10.20.1.1", "10.20.30.0/24": "10.20.0.1"}}},