From 0627ea8c3260d72d0328af5c42d9026e26810f7b Mon Sep 17 00:00:00 2001
From: Heinz Knutzen
Date: Thu, 13 Jun 2024 11:14:21 +0200
Subject: [PATCH] Check for loopback/vip with no_check_supernet_rules

---
 go/pkg/pass1/set-zone.go | 26 +++++++++++++++-----------
 go/testdata/aggregate.t | 20 +++++++++++++++++---
 2 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/go/pkg/pass1/set-zone.go b/go/pkg/pass1/set-zone.go
index 928dfdd3..00b5bc35 100644
--- a/go/pkg/pass1/set-zone.go
+++ b/go/pkg/pass1/set-zone.go
@@ -699,13 +699,10 @@ func (c *spoc) processAggregates() {
 }
 
 // Use aggregate with ip 0/0 to set attribute of all zones in cluster.
- prefixlen := agg.ipp.Bits()
- if prefixlen == 0 {
- if agg.noCheckSupernetRules {
- for _, z2 := range cluster {
- z2.noCheckSupernetRules = true
- c.checkAttrNoCheckSupernetRules(z2)
- }
+ if agg.ipp.Bits() == 0 && agg.noCheckSupernetRules {
+ for _, z2 := range cluster {
+ z2.noCheckSupernetRules = true
+ c.checkAttrNoCheckSupernetRules(z2)
 }
 }
 
@@ -720,18 +717,25 @@ func (c *spoc) processAggregates() {
 }
 
 func (c *spoc) checkAttrNoCheckSupernetRules(z *zone) {
- var errList netList
+ var withHosts, loopbacks netList
 // z.networks currently contains all networks of zone,
 // subnets are discared later in findSubnetsInZone.
 for _, n := range z.networks {
 if len(n.hosts) > 0 {
- errList.push(n)
+ withHosts.push(n)
+ } else if n.loopback {
+ loopbacks.push(n)
 }
 }
- if errList != nil {
+ if withHosts != nil {
 c.err("Must not use attribute 'no_check_supernet_rules' at %s\n"+
 " with networks having host definitions:\n%s",
- z, errList.nameList())
+ z, withHosts.nameList())
+ }
+ if loopbacks != nil {
+ c.err("Must not use attribute 'no_check_supernet_rules' at %s\n"+
+ " having loopback/vip interfaces:\n%s",
+ z, loopbacks.nameList())
 }
 }
 
diff --git a/go/testdata/aggregate.t b/go/testdata/aggregate.t
index 41d18551..822a3322 100644
--- a/go/testdata/aggregate.t
+++ b/go/testdata/aggregate.t
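Review bot: The combined condition `if agg.ipp.Bits() == 0 && agg.noCheckSupernetRules {` still silently ignores `no_check_supernet_rules` on an aggregate whose prefix length is not 0, exactly as the removed nested form did; if that case is not diagnosed elsewhere (not visible in this hunk), a warning at this point would tell the config author that the attribute has no effect. The comment above the condition only says the 0/0 aggregate is used, so an addition such as `// The attribute is only honored on the 0/0 aggregate.` would make the intent of the new condition explicit. processAggregates begins outside the hunk.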
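Review bot: checkAttrNoCheckSupernetRules still has no doc comment, and the new `} else if n.loopback {` branch means a network that both has hosts and is marked loopback is listed only under the host error, which is fine but worth stating. Suggest above the func line: `// checkAttrNoCheckSupernetRules reports an error if zone z, which carries attribute no_check_supernet_rules, contains networks with host definitions or loopback/vip networks; each network is reported once, host networks first.` The expected output in aggregate.t names `interface:u.lo` and `interface:u.vip` for what this function collects as networks, so nameList presumably renders a loopback network by its interface; a one-line comment on the loopbacks branch saying so would save the next reader that lookup. The pre-existing loop comment also misspells "discarded" as "discared".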
@@ -2008,12 +2008,13 @@ Warning: This reversed supernet rule would permit unexpected access:
 =TEMPL=input
 network:n1 = { ip = 10.1.1.0/24; }
 network:sub = { ip = 10.1.1.128/25; subnet_of = network:n1;
-{{.}}
+{{.hosts}}
 }
 router:u = {
 interface:n1;
 interface:sub;
 interface:t;
+ {{.interfaces}}
 }
 network:t = { ip = 10.9.2.0/24; }
 any:t = {
@@ -2034,16 +2035,29 @@ service:s = {
 user = any:[ ip = 10.1.0.0/16 & network:n2 ];
 permit src = network:n3; dst = user; prt = tcp 80;
 }
-=INPUT=[[input ""]]
+=INPUT=
+[[input
+hosts: ""
+interfaces: ""
+]]
 =WARNING=NONE
 
 ############################################################
 =TITLE=Must not use no_check_supernet_rules with hosts
-=INPUT=[[input "host:h = { ip = 10.1.1.130; }"]]
+=INPUT=
+[[input
+hosts: "host:h = { ip = 10.1.1.130; }"
+interfaces: "interface:lo = { ip = 10.9.9.1; loopback; }
+interface:vip = { ip = 10.9.9.2; vip; }"
+]]
 =ERROR=
 Error: Must not use attribute 'no_check_supernet_rules' at any:[network:t]
 with networks having host definitions:
 - network:sub
+Error: Must not use attribute 'no_check_supernet_rules' at any:[network:t]
+ having loopback/vip interfaces:
+ - interface:u.lo
+ - interface:u.vip
 =END=
 
 ############################################################