Check for loopback/vip with no_check_supernet_rules

hknutzen · Jun 13, 2024 · 0627ea8 · 0627ea8
1 parent d5fc421
commit 0627ea8
Show file tree

Hide file tree

Showing 2 changed files with 32 additions and 14 deletions.
diff --git a/go/pkg/pass1/set-zone.go b/go/pkg/pass1/set-zone.go
@@ -699,13 +699,10 @@ func (c *spoc) processAggregates() {
 		}
 
 		// Use aggregate with ip 0/0 to set attribute of all zones in cluster.
-		prefixlen := agg.ipp.Bits()
-		if prefixlen == 0 {
-			if agg.noCheckSupernetRules {
-				for _, z2 := range cluster {
-					z2.noCheckSupernetRules = true
-					c.checkAttrNoCheckSupernetRules(z2)
-				}
+		if agg.ipp.Bits() == 0 && agg.noCheckSupernetRules {
+			for _, z2 := range cluster {
+				z2.noCheckSupernetRules = true
+				c.checkAttrNoCheckSupernetRules(z2)
 			}
 		}
 
@@ -720,18 +717,25 @@ func (c *spoc) processAggregates() {
 }
 
 func (c *spoc) checkAttrNoCheckSupernetRules(z *zone) {
-	var errList netList
+	var withHosts, loopbacks netList
 	// z.networks currently contains all networks of zone,
 	// subnets are discared later in findSubnetsInZone.
 	for _, n := range z.networks {
 		if len(n.hosts) > 0 {
-			errList.push(n)
+			withHosts.push(n)
+		} else if n.loopback {
+			loopbacks.push(n)
 		}
 	}
-	if errList != nil {
+	if withHosts != nil {
 		c.err("Must not use attribute 'no_check_supernet_rules' at %s\n"+
 			" with networks having host definitions:\n%s",
-			z, errList.nameList())
+			z, withHosts.nameList())
+	}
+	if loopbacks != nil {
+		c.err("Must not use attribute 'no_check_supernet_rules' at %s\n"+
+			" having loopback/vip interfaces:\n%s",
+			z, loopbacks.nameList())
 	}
 }
 

diff --git a/go/testdata/aggregate.t b/go/testdata/aggregate.t
@@ -2008,12 +2008,13 @@ Warning: This reversed supernet rule would permit unexpected access:
 =TEMPL=input
 network:n1 = { ip = 10.1.1.0/24; }
 network:sub = { ip = 10.1.1.128/25; subnet_of = network:n1;
-{{.}}
+{{.hosts}}
 }
 router:u = {
  interface:n1;
  interface:sub;
  interface:t;
+ {{.interfaces}}
 }
 network:t = { ip = 10.9.2.0/24; }
 any:t = {
@@ -2034,16 +2035,29 @@ service:s = {
  user = any:[ ip = 10.1.0.0/16 & network:n2 ];
  permit src = network:n3; dst = user; prt = tcp 80;
 }
-=INPUT=[[input ""]]
+=INPUT=
+[[input
+hosts: ""
+interfaces: ""
+]]
 =WARNING=NONE
 
 ############################################################
 =TITLE=Must not use no_check_supernet_rules with hosts
-=INPUT=[[input "host:h = { ip = 10.1.1.130; }"]]
+=INPUT=
+[[input
+hosts: "host:h = { ip = 10.1.1.130; }"
+interfaces: "interface:lo = { ip = 10.9.9.1; loopback; }
+interface:vip = { ip = 10.9.9.2; vip; }"
+]]
 =ERROR=
 Error: Must not use attribute 'no_check_supernet_rules' at any:[network:t]
  with networks having host definitions:
  - network:sub
+Error: Must not use attribute 'no_check_supernet_rules' at any:[network:t]
+ having loopback/vip interfaces:
+ - interface:u.lo
+ - interface:u.vip
 =END=
 
 ############################################################