Fix the prefix filter function as the return condition when IPv6 prefixes have same length. If denylist prefix and prefix verified have the same length, it must be have compared only. Without this fix if denylist filter has 2003:db08::/64 and it exists a route to 2003:db88, this route is blocked because the calc for IPv6 doesn't check if they have the same prefix lenght. AND operator between prefix and denylist prefix will be 2003:db08::/68 in this example (2003:db88::/64 & 2003:db08::64)
Signed-off-by: Lucas Vargas Dias <[email protected]> --- ic/ovn-ic.c | 12 +++++++++++- tests/ovn-ic.at | 14 ++++++++++---- 2 files changed, 21 insertions(+), 5 deletions(-) diff --git a/ic/ovn-ic.c b/ic/ovn-ic.c index 8320cbea5..7339811a4 100644 --- a/ic/ovn-ic.c +++ b/ic/ovn-ic.c @@ -1073,12 +1073,22 @@ prefix_is_deny_listed(const struct smap *nb_options, } } else { struct in6_addr mask = ipv6_create_mask(plen); + struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix, &mask); + + if (plen == bl_plen) { + struct in6_addr prefix_v6 = ipv6_addr_bitand(prefix, &mask); + if (!ipv6_addr_equals(&prefix_v6, &m_bl_prefix)) { + continue; + } + matched = true; + break; + } /* First calculate the difference between bl_prefix and prefix, so * use the bl mask to ensure prefixes are correctly validated. * e.g.: 2005:1734:5678::/50 is a subnet of 2005:1234::/21 */ struct in6_addr m_prefixes = ipv6_addr_bitand(prefix, &bl_prefix); struct in6_addr m_prefix = ipv6_addr_bitand(&m_prefixes, &mask); - struct in6_addr m_bl_prefix = ipv6_addr_bitand(&bl_prefix, &mask); + if (!ipv6_addr_equals(&m_prefix, &m_bl_prefix)) { continue; } diff --git a/tests/ovn-ic.at b/tests/ovn-ic.at index 9fc386131..0ce08260c 100644 --- a/tests/ovn-ic.at +++ b/tests/ovn-ic.at @@ -1352,7 +1352,7 @@ for i in 1 2; do check ovn-nbctl set nb_global . options:ic-route-adv=true # Enable denylist single filter for IPv6 check ovn-nbctl set nb_global . options:ic-route-denylist=" \ - 2003:db8:1::/64,2004:aaaa::/32,2005:1234::/21" + 2003:db08:1::/64,2004:aaaa::/32,2005:1234::/21" check ovn-ic-nbctl --wait=sb sync # Create LRP and connect to TS @@ -1369,7 +1369,10 @@ for i in 1 2; do # Create denylisted LRPs and connect to TS check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext$i \ - 11:11:11:11:11:1$i 2003:db8:1::$i/64 + 11:11:11:11:11:1$i 2003:db88:1::$i/64 + + check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext1$i \ + 11:11:11:11:12:1$i 2003:db08:1::$i/64 check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext2$i \ 22:22:22:22:22:2$i 2004:aaaa:bbb::$i/48 @@ -1388,6 +1391,7 @@ check ovn-ic-nbctl --wait=sb sync AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | awk '/learned/{print $1, $2}' ], [0], [dnl 2002:db8:1::/64 2001:db8:1::2 +2003:db88:1::/64 2001:db8:1::2 2005:1834:5678::/50 2001:db8:1::2 ]) @@ -1403,7 +1407,8 @@ check ovn-ic-nbctl --wait=sb sync AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | awk '/learned/{print $1, $2}' | sort ], [0], [dnl 2002:db8:1::/64 2001:db8:1::2 -2003:db8:1::/64 2001:db8:1::2 +2003:db08:1::/64 2001:db8:1::2 +2003:db88:1::/64 2001:db8:1::2 2004:aaaa:bbb::/48 2001:db8:1::2 2005:1734:5678::/50 2001:db8:1::2 2005:1834:5678::/50 2001:db8:1::2 @@ -1413,7 +1418,7 @@ for i in 1 2; do ovn_as az$i check ovn-nbctl set nb_global . \ - options:ic-route-denylist="2003:db8:1::/64,2004:db8:1::/64" + options:ic-route-denylist="2003:db88:1::/64,2004:db8:1::/64" # Create an 'extra' denylisted LRP and connect to TS check ovn-nbctl lrp-add lr$i lrp-lr$i-p-ext5$i \ @@ -1424,6 +1429,7 @@ check ovn-ic-nbctl --wait=sb sync AT_CHECK([ovn_as az1 ovn-nbctl lr-route-list lr1 | awk '/learned/{print $1, $2}' | sort ], [0], [dnl 2002:db8:1::/64 2001:db8:1::2 +2003:db08:1::/64 2001:db8:1::2 2004:aaaa:bbb::/48 2001:db8:1::2 2005:1734:5678::/50 2001:db8:1::2 2005:1834:5678::/50 2001:db8:1::2 -- 2.34.1 -- _'Esta mensagem é direcionada apenas para os endereços constantes no cabeçalho inicial. Se você não está listado nos endereços constantes no cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas estão imediatamente anuladas e proibidas'._ * **'Apesar do Magazine Luiza tomar todas as precauções razoáveis para assegurar que nenhum vírus esteja presente nesse e-mail, a empresa não poderá aceitar a responsabilidade por quaisquer perdas ou danos causados por esse e-mail ou por seus anexos'.* _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
