kube-ovn-cni will panic if cidr is invalid (#4729)
Signed-off-by: oilbeater <liumengxinfly@gmail.com>
oilbeater committed Nov 14, 2024
1 parent e12731d commit 714afd4
Showing 2 changed files with 33 additions and 13 deletions.
28 changes: 19 additions & 9 deletions pkg/daemon/gateway.go
@@ -105,8 +105,10 @@ func (c *Controller) getSubnetsNeedNAT(protocol string) ([]string, error) {

for _, subnet := range subnets {
if c.isSubnetNeedNat(subnet, protocol) {
cidrBlock := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
subnetsNeedNat = append(subnetsNeedNat, cidrBlock)
cidrBlock, err := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
if err == nil {
subnetsNeedNat = append(subnetsNeedNat, cidrBlock)
}
}
}
return subnetsNeedNat, nil
@@ -143,8 +145,10 @@ func (c *Controller) getSubnetsDistributedGateway(protocol string) ([]string, er
subnet.Spec.CIDRBlock != "" &&
subnet.Spec.GatewayType == kubeovnv1.GWDistributedType &&
(subnet.Spec.Protocol == kubeovnv1.ProtocolDual || subnet.Spec.Protocol == protocol) {
cidrBlock := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
result = append(result, cidrBlock)
cidrBlock, err := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
if err == nil {
result = append(result, cidrBlock)
}
}
}
return result, nil
@@ -172,9 +176,11 @@ func (c *Controller) getDefaultVpcSubnetsCIDR(protocol string) ([]string, map[st

for _, subnet := range subnets {
if subnet.Spec.Vpc == c.config.ClusterRouter && (subnet.Spec.Vlan == "" || subnet.Spec.LogicalGateway) && subnet.Spec.CIDRBlock != "" {
cidrBlock := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
ret = append(ret, cidrBlock)
subnetMap[subnet.Name] = cidrBlock
cidrBlock, err := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
if err == nil {
ret = append(ret, cidrBlock)
subnetMap[subnet.Name] = cidrBlock
}
}
}
return ret, subnetMap, nil
@@ -202,8 +208,12 @@ func (c *Controller) getOtherNodes(protocol string) ([]string, error) {
return ret, nil
}

func getCidrByProtocol(cidr, protocol string) string {
func getCidrByProtocol(cidr, protocol string) (string, error) {
var cidrStr string
if err := util.CheckCidrs(cidr); err != nil {
return "", err
}

if util.CheckProtocol(cidr) == kubeovnv1.ProtocolDual {
cidrBlocks := strings.Split(cidr, ",")
if protocol == kubeovnv1.ProtocolIPv4 {
@@ -214,7 +224,7 @@ func getCidrByProtocol(cidr, protocol string) string {
} else {
cidrStr = cidr
}
return cidrStr
return cidrStr, nil
}

func (c *Controller) getEgressNatIPByNode(nodeName string) (map[string]string, error) {
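Review bot: The `if err == nil` guards that open the first three hunks (getSubnetsNeedNAT, getSubnetsDistributedGateway, getDefaultVpcSubnetsCIDR) drop a subnet whose CIDR fails util.CheckCidrs from the returned lists without any log line, so whatever NAT or routing rules are later built from those lists will simply lack that subnet and an invalid Subnet.Spec.CIDRBlock stays invisible unless someone diffs the rules on the node; getSubnetsNeedPR in gateway_linux.go has the same guard. The two other callers patched in gateway_linux.go (reconcileNatOutGoingPolicyIPset, generateNatOutgoingPolicyChainRules) already klog.Errorf and continue, and these hunks should do the same so the bad CIDR is reported once per reconcile rather than swallowed (assuming klog is imported here as it is in gateway_linux.go). getCidrByProtocol also has no doc comment; I would add `// getCidrByProtocol returns the CIDR in cidr that belongs to protocol (the matching entry of a dual-stack list), or an error when cidr does not pass util.CheckCidrs.` and note in it that the non-dual branch (`cidrStr = cidr`) returns the input unchanged regardless of the requested protocol, so callers must have filtered by address family first. All of these functions start outside their hunks.
```go
			cidrBlock, err := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
			if err != nil {
				klog.Errorf("failed to get subnet %s CIDR block by protocol: %v", subnet.Name, err)
				continue
			}
			subnetsNeedNat = append(subnetsNeedNat, cidrBlock)
```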
18 changes: 14 additions & 4 deletions pkg/daemon/gateway_linux.go
@@ -207,7 +207,11 @@ func (c *Controller) reconcileNatOutGoingPolicyIPset(protocol string) {
subnetCidrs := make([]string, 0)
natPolicyRuleIDs := strset.New()
for _, subnet := range subnets {
cidrBlock := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
cidrBlock, err := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
if err != nil {
klog.Errorf("failed to get subnet %s CIDR block by protocol: %v", subnet.Name, err)
continue
}
subnetCidrs = append(subnetCidrs, cidrBlock)
for _, rule := range subnet.Status.NatOutgoingPolicyRules {
if rule.RuleID == "" {
@@ -956,7 +960,11 @@ func (c *Controller) generateNatOutgoingPolicyChainRules(protocol string) ([]uti
subnet := subnetMap[subnetName]
var natPolicyRuleIptables []util.IPTableRule
natPolicySubnetUIDs.Add(util.GetTruncatedUID(string(subnet.GetUID())))
cidrBlock := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
cidrBlock, err := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
if err != nil {
klog.Errorf("failed to get subnet %s cidr block with protocol: %v", subnet.Name, err)
continue
}

ovnNatPolicySubnetChainName := OvnNatOutGoingPolicySubnet + util.GetTruncatedUID(string(subnet.GetUID()))
natPolicySubnetIptables = append(natPolicySubnetIptables, util.IPTableRule{Table: NAT, Chain: OvnNatOutGoingPolicy, Rule: strings.Fields(fmt.Sprintf(`-s %s -m comment --comment natPolicySubnet-%s -j %s`, cidrBlock, subnet.Name, ovnNatPolicySubnetChainName))})
@@ -1544,8 +1552,10 @@ func (c *Controller) getSubnetsNeedPR(protocol string) (map[policyRouteMeta]stri
meta.gateway = egw[0]
}
if meta.gateway != "" {
cidrBlock := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
subnetsNeedPR[meta] = cidrBlock
cidrBlock, err := getCidrByProtocol(subnet.Spec.CIDRBlock, protocol)
if err == nil {
subnetsNeedPR[meta] = cidrBlock
}
}
}
}
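Review bot: In generateNatOutgoingPolicyChainRules (second hunk) the new `continue` runs after `natPolicySubnetUIDs.Add(util.GetTruncatedUID(string(subnet.GetUID())))` on the line above it, so a subnet with an invalid CIDR is still registered in natPolicySubnetUIDs even though no OvnNatOutGoingPolicySubnet chain or jump rule is generated for it; if that set is later used to decide which per-subnet chains to keep or clean up (its use is outside the hunk, so this is inferred), the chain for that subnet would be neither created nor removed. Moving the getCidrByProtocol call and its error check above the `natPolicySubnetUIDs.Add(...)` line keeps the set consistent with the rules actually emitted. Minor: the two new log messages say "CIDR block by protocol" and "cidr block with protocol" for the same failure; one wording makes them grep together. The enclosing functions start and end outside their hunks.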
