add source address check in mroute_plugin #1144

Merged
merged 1 commit into from
Nov 28, 2023
22 changes: 19 additions & 3 deletions plugins/mroute/mroute_plugin.js
@@ -45,7 +45,10 @@ class MRoutePlugin extends Plugin {
for (const route of this.networkConfig.routes) {
const {cidr} = route;
if (new Address4(cidr).isValid()) {
await exec(util.wrapIptables(`sudo iptables -w -t mangle -D FR_MROUTE -p udp -i ${this.name} -d ${cidr} -j TTL --ttl-inc 1`)).catch((err) => {});
if (!_.isEmpty(this._ip4s)) {
for (const ip4 of this._ip4s)
await exec(util.wrapIptables(`sudo iptables -w -t mangle -D FR_MROUTE -p udp -i ${this.name} -s ${ip4} -d ${cidr} -j TTL --ttl-inc 1`)).catch((err) => {});
}
} else {
if (new Address6(cidr).isValid()) {
await exec(util.wrapIptables(`sudo ip6tables -w -t mangle -D FR_MROUTE -p udp -i ${this.name} -d ${cidr} -j HL --hl-inc 1`)).catch((err) => {});
@@ -70,8 +73,23 @@ class MRoutePlugin extends Plugin {
}
const phyints = [this.name];
const mroutes = [];
const ip4s = await iifIntfPlugin.getIPv4Addresses();
this._ip4s = ip4s;
for (const route of this.networkConfig.routes) {
const {cidr, oifs} = route;
if (new Address4(cidr).isValid()) {
if (!_.isEmpty(this._ip4s)) {
// add source address check to filter some invalid packets due to loop
for (const ip4 of this._ip4s)
await exec(util.wrapIptables(`sudo iptables -w -t mangle -A FR_MROUTE -p udp -i ${this.name} -s ${ip4} -d ${cidr} -j TTL --ttl-inc 1`)).catch((err) => {});
}
} else {
if (new Address6(cidr).isValid()) {
// source address check on IPv6 is not implemented yet because most use cases are on IPv4
await exec(util.wrapIptables(`sudo ip6tables -w -t mangle -A FR_MROUTE -p udp -i ${this.name} -d ${cidr} -j HL --hl-inc 1`)).catch((err) => {});
} else
this.log.error(`Invalid cidr ${cidr}`);
}
mroutes.push(`mgroup from ${this.name} group ${cidr}`);
for (const oif of oifs) {
if (oif === this.name) {
@@ -85,11 +103,9 @@ class MRoutePlugin extends Plugin {
continue;
phyints.push(oif);
if (new Address4(cidr).isValid()) {
await exec(util.wrapIptables(`sudo iptables -w -t mangle -A FR_MROUTE -p udp -i ${this.name} -d ${cidr} -j TTL --ttl-inc 1`)).catch((err) => {});
mroutes.push(`mroute from ${this.name} group ${cidr} to ${oif}`);
} else {
if (new Address6(cidr).isValid()) {
await exec(util.wrapIptables(`sudo ip6tables -w -t mangle -A FR_MROUTE -p udp -i ${this.name} -d ${cidr} -j HL --hl-inc 1`)).catch((err) => {});
mroutes.push(`mroute from ${this.name} group ${cidr} to ${oif}`);
} else
this.log.error(`Invalid cidr ${cidr}`);
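Review bot: In the IPv4 branch of the routes loop in the second hunk, the FR_MROUTE rule is now only added inside `if (!_.isEmpty(this._ip4s))`, with no else branch, so a group on an interface that has no IPv4 address at apply time gets no TTL increment and nothing is logged; since the third hunk appears to drop the former unconditional `-d ${cidr}` rule, there seems to be no fallback any more. Consider at least `else this.log.warn(`No IPv4 address on ${this.name}, source address check for ${cidr} skipped`);` after that block, or keeping the unconditional rule as the fallback when the list is empty. The new rule insertion repeats the existing `.catch((err) => {})`, so a rejected iptables call for the source-check rule is invisible; `.catch((err) => this.log.error(`Failed to add source check for ${ip4} -> ${cidr}`, err.message))` keeps it best-effort but observable. It is also worth confirming what `getIPv4Addresses()` returns: if the entries carry a prefix length, `-s ${ip4}` matches the whole subnet rather than the interface address, which weakens the loop filter the commit introduces. The enclosing method starts before and continues after this hunk.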