gardener-attic · neo-liang-sap · Sep 1, 2020 · Aug 26, 2020
diff --git a/pkg/cmd/miscellaneous.go b/pkg/cmd/miscellaneous.go
@@ -21,10 +21,10 @@ import (
 	"fmt"
 	"io"
 	"io/ioutil"
+	"net"
 	"net/http"
 	"net/url"
 	"os"
-	"strconv"
 	"strings"
 
 	"github.com/gardener/gardener/pkg/apis/core"
@@ -327,22 +327,8 @@ func capture() func() (string, error) {
 	}
 }
 
-func isIP(word string) bool {
-	parts := strings.Split(word, ".")
-	if len(parts) < 4 {
-		return false
-	}
-	for _, x := range parts {
-		if i, err := strconv.Atoi(x); err == nil {
-			if i < 0 || i > 255 {
-				return false
-			}
-		} else {
-			return false
-		}
-
-	}
-	return true
+func isIPv4(host string) bool {
+	return net.ParseIP(host) != nil && net.ParseIP(host).To4() != nil
 }
 
 func getPublicIP() string {
@@ -356,5 +342,9 @@ func getPublicIP() string {
 	defer resp.Body.Close()
 	ip, err := ioutil.ReadAll(resp.Body)
 	checkError(err)
+	if !isIPv4(string(ip)) {
+		fmt.Println("Not valid ipv4 address")
+		os.Exit(1)
+	}
 	return string(ip)
 }
diff --git a/pkg/cmd/ssh_aws.go b/pkg/cmd/ssh_aws.go
@@ -17,6 +17,7 @@ package cmd
 import (
 	"fmt"
 	"io/ioutil"
+	"net"
 	"os"
 	"os/exec"
 	"path/filepath"
@@ -56,7 +57,7 @@ type AwsInstanceAttribute struct {
 func sshToAWSNode(nodeName, path, user, pathSSKeypair string, sshPublicKey []byte, myPublicIP string) {
 	a := &AwsInstanceAttribute{}
 	a.SSHPublicKey = sshPublicKey
-	a.MyPublicIP = myPublicIP + "/32"
+	a.MyPublicIP = myPublicIP
 
 	fmt.Println("")
 
@@ -171,7 +172,7 @@ func (a *AwsInstanceAttribute) createBastionHostSecurityGroup() {
 		return
 	}
 
-	// create security group and ssh rule
+	// create security group for bastion host
 	arguments := fmt.Sprintf("aws ec2 create-security-group --group-name %s --description ssh-access --vpc-id %s", a.BastionSecurityGroupName, a.VpcID)
 	captured := capture()
 	operate("aws", arguments)
@@ -180,10 +181,17 @@ func (a *AwsInstanceAttribute) createBastionHostSecurityGroup() {
 	a.BastionSecurityGroupID = strings.Trim((capturedOutput), "\n")
 	arguments = fmt.Sprintf("aws ec2 create-tags --resources %s  --tags Key=component,Value=gardenctl", a.BastionSecurityGroupID)
 	operate("aws", arguments)
-	arguments = fmt.Sprintf("aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s", a.BastionSecurityGroupID, a.MyPublicIP)
+
+	if net.IP.To4([]byte(a.MyPublicIP)) != nil {
+		arguments = fmt.Sprintf("aws ec2 authorize-security-group-ingress --group-id %s --protocol tcp --port 22 --cidr %s/32", a.BastionSecurityGroupID, a.MyPublicIP)
+	} else if net.IP.To16([]byte(a.MyPublicIP)) != nil {
+		arguments = fmt.Sprintf("aws ec2 authorize-security-group-ingress --group-id %s --ip-permissions IpProtocol=tcp,FromPort=22,ToPort=22,Ipv6Ranges=[{CidrIpv6=%s/64}]", a.BastionSecurityGroupID, a.MyPublicIP)
+	} else {
+		fmt.Printf("IP not valid:" + a.MyPublicIP)
+		os.Exit(0)
+	}
 	operate("aws", arguments)
 	fmt.Println("Bastion host security group set up.")
-
 }
 
 func (a *AwsInstanceAttribute) createNodeHostSecurityGroup() {

diff --git a/pkg/cmd/ssh_gcp.go b/pkg/cmd/ssh_gcp.go
@@ -167,7 +167,7 @@ func (g *GCPInstanceAttribute) createBastionHostInstance() {
 			checkError(err)
 			ip := ""
 			for _, value := range words {
-				if isIP(value) && !strings.HasPrefix(value, "10.") {
+				if isIPv4(value) && !strings.HasPrefix(value, "10.") {
 					ip = value
 					break
 				}