Fix the prefix filter function's return condition for the case where IPv6 prefixes have the same length. If the denylist prefix and the prefix being verified have the same length, they must simply be compared. Without this fix, if the denylist filter contains 2003:db08::/64 and there is a route to 2003:db88, that route is blocked because the IPv6 calculation doesn't check whether they have the same prefix length. The AND of the prefix and the denylist prefix is 2003:db08::/68 in this example (2003:db88::/64 & 2003:db08::64).
Signed-off-by: Lucas Vargas Dias <[email protected]>
---
 ic/ovn-ic.c     | 12 +++++++++++-
 tests/ovn-ic.at | 14 ++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c
index 75b5d1787..a26eab461 100644
--- a/ic/ovn-ic.c
+++ b/ic/ovn-ic.c
@@ -1073,12 +1073,22 @@ prefix_is_deny_listed(const struct smap *nb_options,
             }
         } else {
             struct in6_addr mask = ipv6_create_mask(plen);
+            struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix, &mask);
+
+            if (plen == bl_plen) {
+                struct in6_addr actual_prefix = ipv6_addr_bitand(prefix, &mask);
+                if (!ipv6_addr_equals(&actual_prefix, &m_bl_prefix)) {
+                    continue;
+                }
+                matched = true;
+                break;
+            }
             /* First calculate the difference between bl_prefix and prefix, so
              * use the bl mask to ensure prefixes are correctly validated.
              * e.g.: 2005:1734:5678::/50 is a subnet of 2005:1234::/21 */
             struct in6_addr m_prefixes = ipv6_addr_bitand(prefix, &bl_prefix);
             struct in6_addr m_prefix = ipv6_addr_bitand(&m_prefixes, &mask);
-            struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix, &mask);
+
             if (!ipv6_addr_equals(&m_prefix, &m_bl_prefix)) {
                 continue;
             }
diff --git a/tests/ovn-ic.at b/tests/ovn-ic.at
index fbcfca2e4..08a80e960 100644
--- a/tests/ovn-ic.at
+++ b/tests/ovn-ic.at
@@ -1413,7 +1413,7 @@ for i in 1 2; do
     check ovn-nbctl set nb_global . options:ic-route-adv=true
     # Enable denylist single filter for IPv6
     check ovn-nbctl set nb_global . options:ic-route-denylist=" \
-        2003:db8:1::/64,2004:aaaa::/32,2005:1234::/21"
+        2003:db08:1::/64,2004:aaaa::/32,2005:1234::/21"
     check ovn-ic-nbctl --wait=sb sync
 
     # Create LRP and connect to TS
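Review bot: The new `plen == bl_plen` branch in the ovn-ic.c hunk only narrows the false positive; when the route length differs from the denylist entry's, the fall-through still compares `(prefix & bl_prefix) & mask` with `bl_prefix & mask`, which tests that every bit set in the entry is also set in the route rather than that the route lies inside the entry, so by my reading a constructed 2003:db88:1::/65 would still be denied by 2003:db08:1::/64. The comment in the hunk already says to use the bl mask, but `mask` is built from `plen`; building it from `bl_plen` and masking both prefixes with it handles equal and longer routes alike, and the special case can then go. Whether a shorter route covering a denylisted prefix should also be filtered is not visible here — the IPv4 branch above presumably sets that convention, and a `plen < bl_plen` guard can follow it. prefix_is_deny_listed starts outside the hunk.
```c
        } else {
            /* A route is denylisted when its first bl_plen bits equal the
             * entry's, so mask both sides with the entry's own length:
             * 2005:1734:5678::/50 lies inside 2005:1234::/21, while
             * 2003:db88:1::/64 does not lie inside 2003:db08:1::/64. */
            struct in6_addr bl_mask = ipv6_create_mask(bl_plen);
            struct in6_addr m_prefix = ipv6_addr_bitand(prefix, &bl_mask);
            struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix, &bl_mask);

            if (!ipv6_addr_equals(&m_prefix, &m_bl_prefix)) {
                continue;
            }
            /* … unchanged: rest of the else branch … */
```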
@@ -1430,7 +1430,10 @@ for i in 1 2; do
 
     # Create denylisted LRPs and connect to TS
     check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext$i \
-        11:11:11:11:11:1$i 2003:db8:1::$i/64
+        11:11:11:11:11:1$i 2003:db88:1::$i/64
+
+    check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext1$i \
+        11:11:11:11:12:1$i 2003:db08:1::$i/64
     check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \
         22:22:22:22:22:2$i 2004:aaaa:bbb::$i/48
 
@@ -1449,6 +1452,7 @@ check ovn-ic-nbctl --wait=sb sync
 
 AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | awk '/learned/{print $1, $2}' ], [0], [dnl
 2002:db8:1::/64 2001:db8:1::2
+2003:db88:1::/64 2001:db8:1::2
 2005:1834:5678::/50 2001:db8:1::2
 ])
 
@@ -1464,7 +1468,8 @@ check ovn-ic-nbctl --wait=sb sync
 
 AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | awk '/learned/{print $1, $2}' | sort ], [0], [dnl
 2002:db8:1::/64 2001:db8:1::2
-2003:db8:1::/64 2001:db8:1::2
+2003:db08:1::/64 2001:db8:1::2
+2003:db88:1::/64 2001:db8:1::2
 2004:aaaa:bbb::/48 2001:db8:1::2
 2005:1734:5678::/50 2001:db8:1::2
 2005:1834:5678::/50 2001:db8:1::2
@@ -1474,7 +1479,7 @@ for i in 1 2; do
     ovn_as az$i
 
     check ovn-nbctl set nb_global . \
-        options:ic-route-denylist="2003:db8:1::/64,2004:db8:1::/64"
+        options:ic-route-denylist="2003:db88:1::/64,2004:db8:1::/64"
 
     # Create an 'extra' denylisted LRP and connect to TS
     check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext5$i \
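Review bot: The LRPs added in the hunk at 1430 (`lrp-lr$i-p-ext$i` on 2003:db88:1::$i/64 and `lrp-lr$i-p-ext1$i` on 2003:db08:1::$i/64) only exercise the case where route and denylist entry are both /64, which is exactly the branch the code change special-cases. A route of a different length that differs from the 2003:db08:1::/64 entry only in bits the entry already has set (e.g. a constructed `2003:db88:1::$i/65` on one more LRP) would make the filter's behaviour for unequal lengths visible in the learned-route lists at 1449 and 1464, and is what would catch a regression in the non-equal path. The `for i in 1 2; do` loop enclosing these hunks starts outside them.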
@@ -1485,6 +1490,7 @@ check ovn-ic-nbctl --wait=sb sync
 
 AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | awk '/learned/{print $1, $2}' | sort ], [0], [dnl
 2002:db8:1::/64 2001:db8:1::2
+2003:db08:1::/64 2001:db8:1::2
 2004:aaaa:bbb::/48 2001:db8:1::2
 2005:1734:5678::/50 2001:db8:1::2
 2005:1834:5678::/50 2001:db8:1::2
-- 
2.34.1

-- 
_'Esta mensagem é direcionada apenas para os endereços constantes no cabeçalho inicial. Se você não está listado nos endereços constantes no cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas estão imediatamente anuladas e proibidas'._
* **'Apesar do Magazine Luiza tomar todas as precauções razoáveis para assegurar que nenhum vírus esteja presente nesse e-mail, a empresa não poderá aceitar a responsabilidade por quaisquer perdas ou danos causados por esse e-mail ou por seus anexos'.*
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
