ITQC/containernetworking-plugins
24
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 34 Wiki Activity

Merge pull request #639 from EdDev/bridge-macspoofchk

Browse Source 
bridge: Add macspoofchk support
This commit is contained in:
Matt Dupre
2021-10-06 08:39:10 -07:00
committed by GitHub
parent 2a9114d1af 081ed44a1d
commit f1f128e3c9
24 changed files with 2132 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files

28
plugins/main/bridge/bridge.go
View File

@ -20,6 +20,7 @@ import (
"fmt"
"io/ioutil"
"net"
"os"
"runtime"
"syscall"
"time"
@ -33,6 +34,7 @@ import (
"github.com/containernetworking/cni/pkg/version"
"github.com/containernetworking/plugins/pkg/ip"
"github.com/containernetworking/plugins/pkg/ipam"
"github.com/containernetworking/plugins/pkg/link"
"github.com/containernetworking/plugins/pkg/ns"
"github.com/containernetworking/plugins/pkg/utils"
bv "github.com/containernetworking/plugins/pkg/utils/buildversion"
@ -55,6 +57,7 @@ type NetConf struct {
HairpinMode bool `json:"hairpinMode"`
PromiscMode bool `json:"promiscMode"`
Vlan int `json:"vlan"`
MacSpoofChk bool `json:"macspoofchk,omitempty"`
Args struct {
Cni BridgeArgs `json:"cni,omitempty"`
@ -460,6 +463,20 @@ func cmdAdd(args *skel.CmdArgs) error {
},
}
if n.MacSpoofChk {
sc := link.NewSpoofChecker(hostInterface.Name, containerInterface.Mac, uniqueID(args.ContainerID, args.IfName))
if err := sc.Setup(); err != nil {
return err
}
defer func() {
if !success {
if err := sc.Teardown(); err != nil {
fmt.Fprintf(os.Stderr, "%v", err)
}
}
}()
}
if isLayer3 {
// run the IPAM plugin and get back the config to apply
r, err := ipam.ExecAdd(n.IPAM.Type, args.StdinData)
@ -658,6 +675,13 @@ func cmdDel(args *skel.CmdArgs) error {
return err
}
if n.MacSpoofChk {
sc := link.NewSpoofChecker("", "", uniqueID(args.ContainerID, args.IfName))
if err := sc.Teardown(); err != nil {
fmt.Fprintf(os.Stderr, "%v", err)
}
}
if isLayer3 && n.IPMasq {
chain := utils.FormatChainName(n.Name, args.ContainerID)
comment := utils.FormatComment(n.Name, args.ContainerID)
@ -938,3 +962,7 @@ func cmdCheck(args *skel.CmdArgs) error {
return nil
}
func uniqueID(containerID, cniIface string) string {
return containerID + "-" + cniIface
}

110
plugins/main/bridge/bridge_test.go
View File

@ -23,6 +23,7 @@ import (
"strings"
"github.com/coreos/go-iptables/iptables"
"github.com/networkplumbing/go-nft/nft"
"github.com/vishvananda/netlink/nl"
"github.com/containernetworking/cni/pkg/skel"
@ -65,19 +66,20 @@ type Net struct {
// testCase defines the CNI network configuration and the expected
// bridge addresses for a test case.
type testCase struct {
cniVersion string // CNI Version
subnet string // Single subnet config: Subnet CIDR
gateway string // Single subnet config: Gateway
ranges []rangeInfo // Ranges list (multiple subnets config)
isGW bool
isLayer2 bool
expGWCIDRs []string // Expected gateway addresses in CIDR form
vlan int
ipMasq bool
AddErr020 string
DelErr020 string
AddErr010 string
DelErr010 string
cniVersion string // CNI Version
subnet string // Single subnet config: Subnet CIDR
gateway string // Single subnet config: Gateway
ranges []rangeInfo // Ranges list (multiple subnets config)
isGW bool
isLayer2 bool
expGWCIDRs []string // Expected gateway addresses in CIDR form
vlan int
ipMasq bool
macspoofchk bool
AddErr020 string
DelErr020 string
AddErr010 string
DelErr010 string
envArgs string // CNI_ARGS
runtimeConfig struct {
@ -164,6 +166,9 @@ const (
ipamEndStr = `
}`
macspoofchkFormat = `,
"macspoofchk": %t`
argsFormat = `,
"args": {
"cni": {
@ -193,6 +198,9 @@ func (tc testCase) netConfJSON(dataDir string) string {
if tc.runtimeConfig.mac != "" {
conf += fmt.Sprintf(runtimeConfig, tc.runtimeConfig.mac)
}
if tc.macspoofchk {
conf += fmt.Sprintf(macspoofchkFormat, tc.macspoofchk)
}
if !tc.isLayer2 {
conf += netDefault
@ -2175,6 +2183,35 @@ var _ = Describe("bridge Operations", func() {
})
}
}
It(fmt.Sprintf("[%s] configures mac spoof-check (no mac spoofing)", ver), func() {
Expect(originalNS.Do(func(ns.NetNS) error {
defer GinkgoRecover()
tc := testCase{
cniVersion: ver,
subnet: "10.1.2.0/24",
macspoofchk: true,
}
args := tc.createCmdArgs(originalNS, dataDir)
_, _, err := testutils.CmdAddWithArgs(args, func() error {
return cmdAdd(args)
})
Expect(err).NotTo(HaveOccurred())
assertMacSpoofCheckRulesExist()
Expect(testutils.CmdDelWithArgs(args, func() error {
if err := cmdDel(args); err != nil {
return err
}
assertMacSpoofCheckRulesMissing()
return nil
})).To(Succeed())
return nil
})).To(Succeed())
})
}
It("check vlan id when loading net conf", func() {
@ -2211,3 +2248,50 @@ var _ = Describe("bridge Operations", func() {
}
})
})
func assertMacSpoofCheckRulesExist() {
assertMacSpoofCheckRules(
func(actual interface{}, expectedLen int) {
ExpectWithOffset(3, actual).To(HaveLen(expectedLen))
})
}
func assertMacSpoofCheckRulesMissing() {
assertMacSpoofCheckRules(
func(actual interface{}, _ int) {
ExpectWithOffset(3, actual).To(BeEmpty())
})
}
func assertMacSpoofCheckRules(assert func(actual interface{}, expectedLen int)) {
c, err := nft.ReadConfig()
ExpectWithOffset(2, err).NotTo(HaveOccurred())
expectedTable := nft.NewTable("nat", "bridge")
filter := nft.TypeFilter
hook := nft.HookPreRouting
prio := -300
policy := nft.PolicyAccept
expectedBaseChain := nft.NewChain(expectedTable, "PREROUTING", &filter, &hook, &prio, &policy)
assert(c.LookupRule(nft.NewRule(
expectedTable,
expectedBaseChain,
nil, nil, nil,
"macspoofchk-dummy-0-eth0",
)), 1)
assert(c.LookupRule(nft.NewRule(
expectedTable,
nft.NewRegularChain(expectedTable, "cni-br-iface-dummy-0-eth0"),
nil, nil, nil,
"macspoofchk-dummy-0-eth0",
)), 1)
assert(c.LookupRule(nft.NewRule(
expectedTable,
nft.NewRegularChain(expectedTable, "cni-br-iface-dummy-0-eth0-mac"),
nil, nil, nil,
"macspoofchk-dummy-0-eth0",
)), 2)
}