1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
|
package util
import (
"errors"
"fmt"
"net"
"strings"
"unicode"
"github.com/containers/common/libnetwork/types"
"github.com/containers/common/libnetwork/util"
)
// ValidateSubnet will validate a given Subnet. It checks if the
// given gateway and lease range are part of this subnet. If the
// gateway is empty and addGateway is true it will get the first
// available ip in the subnet assigned.
func ValidateSubnet(s *types.Subnet, addGateway bool, usedNetworks []*net.IPNet) error {
if s == nil {
return errors.New("subnet is nil")
}
if s.Subnet.IP == nil {
return errors.New("subnet ip is nil")
}
// Reparse to ensure subnet is valid.
// Do not use types.ParseCIDR() because we want the ip to be
// the network address and not a random ip in the subnet.
_, n, err := net.ParseCIDR(s.Subnet.String())
if err != nil {
return fmt.Errorf("subnet invalid: %w", err)
}
// check that the new subnet does not conflict with existing ones
if NetworkIntersectsWithNetworks(n, usedNetworks) {
return fmt.Errorf("subnet %s is already used on the host or by another config", n.String())
}
s.Subnet = types.IPNet{IPNet: *n}
if s.Gateway != nil {
if !s.Subnet.Contains(s.Gateway) {
return fmt.Errorf("gateway %s not in subnet %s", s.Gateway, &s.Subnet)
}
util.NormalizeIP(&s.Gateway)
} else if addGateway {
ip, err := util.FirstIPInSubnet(n)
if err != nil {
return err
}
s.Gateway = ip
}
if s.LeaseRange != nil {
if s.LeaseRange.StartIP != nil {
if !s.Subnet.Contains(s.LeaseRange.StartIP) {
return fmt.Errorf("lease range start ip %s not in subnet %s", s.LeaseRange.StartIP, &s.Subnet)
}
util.NormalizeIP(&s.LeaseRange.StartIP)
}
if s.LeaseRange.EndIP != nil {
if !s.Subnet.Contains(s.LeaseRange.EndIP) {
return fmt.Errorf("lease range end ip %s not in subnet %s", s.LeaseRange.EndIP, &s.Subnet)
}
util.NormalizeIP(&s.LeaseRange.EndIP)
}
}
return nil
}
// ValidateSubnets will validate the subnets for this network.
// It also sets the gateway if the gateway is empty and addGateway is set to true
// IPv6Enabled to true if at least one subnet is ipv6.
func ValidateSubnets(network *types.Network, addGateway bool, usedNetworks []*net.IPNet) error {
for i := range network.Subnets {
err := ValidateSubnet(&network.Subnets[i], addGateway, usedNetworks)
if err != nil {
return err
}
if util.IsIPv6(network.Subnets[i].Subnet.IP) {
network.IPv6Enabled = true
}
}
return nil
}
func ValidateRoutes(routes []types.Route) error {
for _, route := range routes {
err := ValidateRoute(route)
if err != nil {
return err
}
}
return nil
}
func ValidateRoute(route types.Route) error {
if route.Destination.IP == nil {
return errors.New("route destination ip nil")
}
if route.Destination.Mask == nil {
return errors.New("route destination mask nil")
}
if route.Gateway == nil {
return errors.New("route gateway nil")
}
// Reparse to ensure destination is valid.
ip, ipNet, err := net.ParseCIDR(route.Destination.String())
if err != nil {
return fmt.Errorf("route destination invalid: %w", err)
}
// check that destination is a network and not an address
if !ip.Equal(ipNet.IP) {
return errors.New("route destination invalid")
}
return nil
}
func ValidateSetupOptions(n NetUtil, namespacePath string, options types.SetupOptions) error {
if namespacePath == "" {
return errors.New("namespacePath is empty")
}
if options.ContainerID == "" {
return errors.New("ContainerID is empty")
}
if len(options.Networks) == 0 {
return errors.New("must specify at least one network")
}
for name, netOpts := range options.Networks {
network, err := n.Network(name)
if err != nil {
return err
}
err = validatePerNetworkOpts(network, &netOpts)
if err != nil {
return err
}
}
return nil
}
// validatePerNetworkOpts checks that all given static ips are in a subnet on this network
func validatePerNetworkOpts(network *types.Network, netOpts *types.PerNetworkOptions) error {
if netOpts.InterfaceName == "" {
return fmt.Errorf("interface name on network %s is empty", network.Name)
}
if network.IPAMOptions[types.Driver] == types.HostLocalIPAMDriver {
outer:
for _, ip := range netOpts.StaticIPs {
for _, s := range network.Subnets {
if s.Subnet.Contains(ip) {
continue outer
}
}
return fmt.Errorf("requested static ip %s not in any subnet on network %s", ip.String(), network.Name)
}
}
return nil
}
// ValidateInterfaceName validates the interface name based on the following rules:
// 1. The name must be less than MaxInterfaceNameLength characters
// 2. The name must not be "." or ".."
// 3. The name must not contain / or : or any whitespace characters
// ref to https://github.com/torvalds/linux/blob/81e4f8d68c66da301bb881862735bd74c6241a19/include/uapi/linux/if.h#L33C18-L33C20
func ValidateInterfaceName(ifName string) error {
if len(ifName) > types.MaxInterfaceNameLength {
return fmt.Errorf("interface name is too long: interface names must be %d characters or less: %w", types.MaxInterfaceNameLength, types.ErrInvalidArg)
}
if ifName == "." || ifName == ".." {
return fmt.Errorf("interface name is . or ..: %w", types.ErrInvalidArg)
}
if strings.ContainsFunc(ifName, func(r rune) bool {
return r == '/' || r == ':' || unicode.IsSpace(r)
}) {
return fmt.Errorf("interface name contains / or : or whitespace characters: %w", types.ErrInvalidArg)
}
return nil
}
|
