Browse code
Disallow IPv6 multicast as bridge n/w subnet
Signed-off-by: Rob Murray <rob.murray@docker.com>
Rob Murray authored on 2024/05/01 22:42:01Showing 2 changed files
| ... | ... |
@@ -193,6 +193,9 @@ func validateIPv6Subnet(addr netip.Prefix) error {
|
| 193 | 193 |
if !addr.Addr().Is6() || addr.Addr().Is4In6() {
|
| 194 | 194 |
return fmt.Errorf("'%s' is not a valid IPv6 subnet", addr)
|
| 195 | 195 |
} |
| 196 |
+ if addr.Addr().IsMulticast() {
|
|
| 197 |
+ return fmt.Errorf("multicast subnet '%s' is not allowed", addr)
|
|
| 198 |
+ } |
|
| 196 | 199 |
if addr.Masked() != linkLocalPrefix && linkLocalPrefix.Overlaps(addr) {
|
| 197 | 200 |
return fmt.Errorf("'%s' clashes with the Link-Local prefix 'fe80::/64'", addr)
|
| 198 | 201 |
} |
| ... | ... |
@@ -1046,6 +1046,11 @@ func TestValidateFixedCIDRV6(t *testing.T) {
|
| 1046 | 1046 |
input: "nonsense", |
| 1047 | 1047 |
expectedErr: "invalid fixed-cidr-v6: netip.ParsePrefix(\"nonsense\"): no '/'", |
| 1048 | 1048 |
}, |
| 1049 |
+ {
|
|
| 1050 |
+ doc: "multicast IPv6 subnet", |
|
| 1051 |
+ input: "ff05::/64", |
|
| 1052 |
+ expectedErr: "invalid fixed-cidr-v6: multicast subnet 'ff05::/64' is not allowed", |
|
| 1053 |
+ }, |
|
| 1049 | 1054 |
} |
| 1050 | 1055 |
for _, tc := range tests {
|
| 1051 | 1056 |
tc := tc |