From c53deef80de781ee325fc1747083335f8b850150 Mon Sep 17 00:00:00 2001
From: Jianwen Pi
Date: Sat, 21 Dec 2019 13:33:42 -0800
Subject: [PATCH] The commit fixed the issue when a port with index 0 adding to a allow rule will be mistakenly regarded as wild-card rule, so even a packet from a diffrent port will be allowed passing by mistake.
There are 2 changes in this commit:
- update the iptables submodule pointing to the latest code base so interface parameter can be supported
- change the wild-card index from 0 to 0xffff for pcn-iptables service because id 0 could be conflicting with a regular port, and recover the original failed test case.
Signed-off-by: Jianwen Pi
---
 src/components/iptables/iptables | 2 +-
 src/polycubed/src/base_cube.h | 3 +++
 src/services/pcn-iptables/src/Utils.cpp | 2 +-
 src/services/pcn-iptables/src/modules/InterfaceLookup.cpp | 2 +-
 ...aky_local_test_interfaces1.sh => local_test_interfaces1.sh} | 0
 5 files changed, 6 insertions(+), 3 deletions(-)
 rename src/services/pcn-iptables/test/{flaky_local_test_interfaces1.sh => local_test_interfaces1.sh} (100%)
diff --git a/src/components/iptables/iptables b/src/components/iptables/iptables
index 84e1a77ad..85a163ffa 160000
--- a/src/components/iptables/iptables
+++ b/src/components/iptables/iptables
@@ -1 +1 @@
-Subproject commit 84e1a77adbcb2aaf1d822469a076f6f2d34beed7
+Subproject commit 85a163ffa3915c4795d9c426f566c004e7a91411
diff --git a/src/polycubed/src/base_cube.h b/src/polycubed/src/base_cube.h
index 6333a0403..bd33fe450 100644
--- a/src/polycubed/src/base_cube.h
+++ b/src/polycubed/src/base_cube.h
@@ -88,6 +88,9 @@ class BaseCube : virtual public BaseCubeIface {
 protected:
 static const int _POLYCUBE_MAX_BPF_PROGRAMS = 64;
 static const int _POLYCUBE_MAX_PORTS = 128;
+ static_assert(_POLYCUBE_MAX_PORTS <= 0xffff,
+ "_POLYCUBE_MAX_PORTS shouldn't be great than 0xffff, "
+ "id 0xffff was used by iptables wild card index");
 static std::vector cflags;
 virtual int load(ebpf::BPF &bpf, ProgramType type) = 0;
diff --git a/src/services/pcn-iptables/src/Utils.cpp b/src/services/pcn-iptables/src/Utils.cpp
index 1be5f29c6..60c423974 100644
--- a/src/services/pcn-iptables/src/Utils.cpp
+++ b/src/services/pcn-iptables/src/Utils.cpp
@@ -523,7 +523,7 @@ bool Chain::interfaceFromRulesToMap(
 if (interfaces.size() != 0 && dont_care_rules.size() != 0) {
 std::vector bitVector(
 FROM_NRULES_TO_NELEMENTS(Iptables::max_rules_));
- interfaces.insert(std::pair>(0, bitVector));
+ interfaces.insert(std::pair>(0xffff, bitVector));
 for (auto const &ruleNumber : dont_care_rules) {
 for (auto &interface : interfaces) {
 SET_BIT((interface.second)[ruleNumber / 63], ruleNumber % 63);
diff --git a/src/services/pcn-iptables/src/modules/InterfaceLookup.cpp b/src/services/pcn-iptables/src/modules/InterfaceLookup.cpp
index ded3ae06c..c159c5554 100644
--- a/src/services/pcn-iptables/src/modules/InterfaceLookup.cpp
+++ b/src/services/pcn-iptables/src/modules/InterfaceLookup.cpp
@@ -41,7 +41,7 @@ Iptables::InterfaceLookup::InterfaceLookup(
 : ProgramType::INGRESS) {
 this->type_ = type;
- auto it = ports.find(0);
+ auto it = ports.find(0xffff);
 if (it == ports.end()) {
 wildcard_rule_ = false;
 wildcard_string_ = "";
diff --git a/src/services/pcn-iptables/test/flaky_local_test_interfaces1.sh b/src/services/pcn-iptables/test/local_test_interfaces1.sh
similarity index 100%
rename from src/services/pcn-iptables/test/flaky_local_test_interfaces1.sh
rename to src/services/pcn-iptables/test/local_test_interfaces1.sh
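Review bot: The wildcard sentinel 0xffff is written as a bare literal in three unrelated places — the static_assert here, `interfaces.insert(...)` in Chain::interfaceFromRulesToMap (Utils.cpp hunk) and `ports.find(...)` in the InterfaceLookup constructor (InterfaceLookup.cpp hunk) — so nothing stops them drifting apart, and the bug being fixed (0 serving as both a real port index and the wildcard, so a rule bound to port 0 matched every port) shows how much of the allow/deny decision rides on producer and consumer agreeing on that value. Declaring it once, e.g. `static constexpr int _POLYCUBE_WILDCARD_PORT_INDEX = 0xffff;` next to _POLYCUBE_MAX_PORTS, and referencing that name in the static_assert and at both pcn-iptables sites (assuming the service sources can see this header) would let the compiler enforce the invariant instead of a grep. The assertion text also reads `great than`; `greater than` is meant. Both Chain::interfaceFromRulesToMap and the InterfaceLookup constructor continue outside their hunks.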