github/kubernetes
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge pull request #108460 from Nordix/issue-72236

Browse Source 
Prevent host access on VIP addresses in proxy-mode=ipvs
This commit is contained in:
Kubernetes Prow Robot
2022-09-01 12:59:18 -07:00
committed by GitHub
parent 3710cc8f7b c1e5a9e6f0
commit 9924814270
5 changed files with 47 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
pkg/util/ipset/ipset.go
View File

@@ -169,6 +169,11 @@ func (e *Entry) Validate(set *IPSet) bool {
return false
}
switch e.SetType {
case HashIP:
//check if IP of Entry is valid.
if valid := e.checkIP(set); !valid {
return false
}
case HashIPPort:
//check if IP and Protocol of Entry is valid.
if valid := e.checkIPandProtocol(set); !valid {
@@ -219,6 +224,9 @@ func (e *Entry) Validate(set *IPSet) bool {
// String returns the string format for ipset entry.
func (e *Entry) String() string {
switch e.SetType {
case HashIP:
// Entry{192.168.1.1} -> 192.168.1.1
return fmt.Sprintf("%s", e.IP)
case HashIPPort:
// Entry{192.168.1.1, udp, 53} -> 192.168.1.1,udp:53
// Entry{192.168.1.2, tcp, 8080} -> 192.168.1.2,tcp:8080
@@ -247,7 +255,11 @@ func (e *Entry) checkIPandProtocol(set *IPSet) bool {
} else if !validateProtocol(e.Protocol) {
return false
}
return e.checkIP(set)
}
// checkIP checks if IP of Entry is valid.
func (e *Entry) checkIP(set *IPSet) bool {
if netutils.ParseIPSloppy(e.IP) == nil {
klog.Errorf("Error parsing entry %v ip address %v for ipset %v", e, e.IP, set)
return false
@@ -283,7 +295,7 @@ func (runner *runner) CreateSet(set *IPSet, ignoreExistErr bool) error {
// otherwise raised when the same set (setname and create parameters are identical) already exists.
func (runner *runner) createSet(set *IPSet, ignoreExistErr bool) error {
args := []string{"create", set.Name, string(set.SetType)}
if set.SetType == HashIPPortIP || set.SetType == HashIPPort || set.SetType == HashIPPortNet {
if set.SetType == HashIPPortIP || set.SetType == HashIPPort || set.SetType == HashIPPortNet || set.SetType == HashIP {
args = append(args,
"family", set.HashFamily,
"hashsize", strconv.Itoa(set.HashSize),

3
pkg/util/ipset/types.go
View File

@@ -35,6 +35,8 @@ const (
// BitmapPort represents the `bitmap:port` type ipset. The bitmap:port set type uses a memory range, where each bit
// represents one TCP/UDP port. A bitmap:port type of set can store up to 65535 ports.
BitmapPort Type = "bitmap:port"
// HashIP represents the `hash:ip` type ipset.
HashIP Type = "hash:ip"
)
// DefaultPortRange defines the default bitmap:port valid port range.
@@ -59,4 +61,5 @@ var ValidIPSetTypes = []Type{
HashIPPortIP,
BitmapPort,
HashIPPortNet,
HashIP,
}