From patchwork Thu Nov 7 12:19:19 2019
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1191116
From: Dumitru Ceara
To: dev@openvswitch.org
Date: Thu, 7 Nov 2019 13:19:19 +0100
Message-Id: <1573129159-14644-1-git-send-email-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn] ovn-northd: Validate dnat_and_snat external_mac/logical_ip.

When dnat_and_snat NAT rules are configured, if the user tries to set external_mac in the NAT rule record without setting logical_ip, ovn-northd crashes as there's no validation in place.

Add checks for valid ethernet address in NAT.external_mac and for non-null NAT.logical_ip where applicable.

Reported-by: Daniel Alvarez Sanchez
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1769709
Signed-off-by: Dumitru Ceara
---
 northd/ovn-northd.c | 14 +++++++++++---
 1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index c23c270..2f0f501 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -6032,9 +6032,12 @@ add_distributed_nat_routes(struct hmap *lflows, const struct ovn_port *op) for (size_t i = 0; i < op->od->nbr->n_nat; i++) { const struct nbrec_nat *nat = op->od->nbr->nat[i]; bool found = false; + struct eth_addr mac; if (strcmp(nat->type, "dnat_and_snat") || - !nat->external_mac || !nat->external_ip) { + !nat->external_mac || + !eth_addr_from_string(nat->external_mac, &mac) || + !nat->external_ip || !nat->logical_port) { continue; }
@@ -6083,10 +6086,14 @@ add_distributed_nat_routes(struct hmap *lflows, const struct ovn_port *op) for (size_t j = 0; j < op->od->nbr->n_nat; j++) { const struct nbrec_nat *nat2 = op->od->nbr->nat[j]; + struct eth_addr mac2; if (nat == nat2 || strcmp(nat2->type, "dnat_and_snat") || - !nat2->external_mac || !nat2->external_ip) + !nat2->external_mac || + !eth_addr_from_string(nat2->external_mac, &mac2) || + !nat2->external_ip) { continue; + } family = AF_INET; if (!ip_parse(nat2->external_ip, &ip) || !ip) { @@ -7785,7 +7792,8 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, if (od->l3dgw_port) { /* Distributed router. */ if (!strcmp(nat->type, "dnat_and_snat") && - nat->external_mac && nat->external_ip) { + nat->external_mac && nat->external_ip && + eth_addr_from_string(nat->external_mac, &mac)) { for (int j = 0; j < od->nbr->n_nat; j++) { const struct nbrec_nat *nat2 = od->nbr->nat[j];
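Review bot: in the first hunk (add_distributed_nat_routes, outer loop at line 6032) the new guard tests `!nat->logical_port`, but the subject and commit message say the patch validates `logical_ip`; none of the three hunks checks logical_ip at all, so either the message should say logical_port or a logical_ip check is still missing. Separately, a NAT record whose external_mac fails `eth_addr_from_string()` is now silently skipped with `continue`, which turns a configuration error into "no flows installed" with nothing in the log; a rate-limited VLOG_WARN_RL naming the offending external_mac / external_ip at that point would let an operator see why the rule produced no flows.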
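Review bot: in the second hunk (inner loop at line 6086) the guard on nat2 adds the external_mac parse check but, unlike the outer guard on nat in the previous hunk, does not add `!nat2->logical_port`; if the code below this condition dereferences nat2->logical_port, the same NULL dereference the patch is fixing remains reachable for the j-th rule, so either add the check or state in the commit message why nat2 does not need it. The added braces around `continue;` are right per OVS style. Note also that `eth_addr_from_string(nat2->external_mac, &mac2)` now runs for every (i, j) pair, so each rule's MAC is re-parsed once per outer iteration; validating each rule once before the loops (or caching the parsed address) would keep this linear on routers with many dnat_and_snat rules.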
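Review bot: in the third hunk (build_lrouter_flows at line 7792) the new condition writes into `mac`, but no `struct eth_addr mac` is declared in this hunk, unlike the `mac` and `mac2` declarations added in the other two; confirm that an existing struct eth_addr of that name is in scope for this loop and that overwriting it here does not clobber a value the later code still relies on, otherwise declare one locally as the first hunk does. This condition also does not gain the `nat->logical_port` check that the first hunk adds; if the distributed-router branch below uses nat->logical_port, the same non-NULL check belongs here for the patch to close the reported crash consistently.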