Merge pull request #293 from swordqiu/hotfix/qj-host-local-net-arp-leak

fix: host local net arp leak

go.mod

@@ -19,8 +19,8 @@ require (
 	google.golang.org/protobuf v1.27.1
 	yunion.io/x/jsonutils v1.0.1-0.20240203102553-4096f103b401
 	yunion.io/x/log v1.0.1-0.20240305175729-7cf2d6cd5a91
-	yunion.io/x/onecloud v0.0.0-20240614113442-2d07eeef247f
-	yunion.io/x/pkg v1.10.1-0.20240601050854-9e3452bf4d47
+	yunion.io/x/onecloud v0.0.0-20240824114415-077e7975f242
+	yunion.io/x/pkg v1.10.1-0.20240812013427-0163ba9c86b1
 )
 
 require (
@@ -83,7 +83,7 @@ require (
 	github.com/tjfoc/gmsm v1.4.1 // indirect
 	github.com/tklauser/go-sysconf v0.3.10 // indirect
 	github.com/tklauser/numcpus v0.4.0 // indirect
-	github.com/tredoe/osutil/v2 v2.0.0-rc.16 // indirect
+	github.com/tredoe/osutil v1.5.0 // indirect
 	github.com/ugorji/go/codec v1.1.7 // indirect
 	github.com/ulikunitz/xz v0.5.12 // indirect
 	github.com/vmware/govmomi v0.37.1 // indirect
@@ -118,10 +118,10 @@ require (
 	moul.io/http2curl/v2 v2.3.0 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.0.1 // indirect
 	sigs.k8s.io/yaml v1.2.0 // indirect
-	yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240611023744-6cfb14a28b9f // indirect
+	yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240823015832-84392f4b7c49 // indirect
 	yunion.io/x/executor v0.0.0-20230705125604-c5ac3141db32 // indirect
 	yunion.io/x/s3cli v0.0.0-20190917004522-13ac36d8687e // indirect
-	yunion.io/x/sqlchemy v1.1.3-0.20240530085133-5058648977dd // indirect
+	yunion.io/x/sqlchemy v1.1.3-0.20240823033059-be6fe90dab22 // indirect
 	yunion.io/x/structarg v0.0.0-20231017124457-df4d5009457c // indirect
 )
 

go.sum

@@ -398,7 +398,6 @@ github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVs
 github.com/smartystreets/assertions v0.0.0-20180927180507-b2de0cb4f26d/go.mod h1:OnSkiWE9lh6wB0YB77sQom3nweQdgAjqCqsofrRNTgc=
 github.com/smartystreets/assertions v1.2.0 h1:42S6lae5dvLc7BrLu/0ugRtcFVjoJNMC/N3yZFZkDFs=
 github.com/smartystreets/goconvey v0.0.0-20190330032615-68dc04aab96a/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
-github.com/smartystreets/goconvey v1.6.4/go.mod h1:syvi0/a8iFYH4r/RixwvyeAJjdLS9QV7WQ/tjFTllLA=
 github.com/smartystreets/goconvey v1.7.2 h1:9RBaZCeXEQ3UselpuwUQHltGVXvdwm6cv1hgR6gDIPg=
 github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B0CQ=
 github.com/spf13/afero v1.2.2 h1:5jhuqJyZCZf2JRofRvN/nIFgIWNzPa3/Vz8mYylgbWc=
@@ -442,8 +441,8 @@ github.com/tklauser/go-sysconf v0.3.10 h1:IJ1AZGZRWbY8T5Vfk04D9WOA5WSejdflXxP03O
 github.com/tklauser/go-sysconf v0.3.10/go.mod h1:C8XykCvCb+Gn0oNCWPIlcb0RuglQTYaQ2hGm7jmxEFk=
 github.com/tklauser/numcpus v0.4.0 h1:E53Dm1HjH1/R2/aoCtXtPgzmElmn51aOkhCFSuZq//o=
 github.com/tklauser/numcpus v0.4.0/go.mod h1:1+UI3pD8NW14VMwdgJNJ1ESk2UnwhAnz5hMwiKKqXCQ=
-github.com/tredoe/osutil/v2 v2.0.0-rc.16 h1:5A2SKvyB2c3lhPYUIHyFtu6jbaXlaA3Hu5gWIam8Pik=
-github.com/tredoe/osutil/v2 v2.0.0-rc.16/go.mod h1:uLRVx/3pb7Y4RQhG8cQFbPE9ha5r81e6MXpBsxbTAYc=
+github.com/tredoe/osutil v1.5.0 h1:UGVxbbHRoZi8xXVmbNZ2vgG6XoJ15ndE4LniiQ3rJKg=
+github.com/tredoe/osutil v1.5.0/go.mod h1:TEzphzUUunysbdDRfdOgqkg10POQbnfIPV50ynqOfIg=
 github.com/ugorji/go v1.1.7/go.mod h1:kZn38zHttfInRq0xu/PH0az30d+z6vm202qpg1oXVMw=
 github.com/ugorji/go/codec v0.0.0-20181204163529-d75b2dcb6bc8/go.mod h1:VFNgLljTbGfSG7qAOspJ7OScBnGdDN/yBr0sguwnwf0=
 github.com/ugorji/go/codec v1.1.7 h1:2SvQaVZ1ouYrrKKwoSk2pzd4A9evlKJb9oTL+OaLUSs=
@@ -888,8 +887,8 @@ sigs.k8s.io/structured-merge-diff/v4 v4.0.1/go.mod h1:bJZC9H9iH24zzfZ/41RGcq60oK
 sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0 h1:kr/MCeFWJWTwyaHoR9c8EjH9OumOmoF9YGiZd7lFm/Q=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
-yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240611023744-6cfb14a28b9f h1:JpZpsVjbP+8VlLKBPSfDKUBDxZrCA3Lmwm1iWq1jmbY=
-yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240611023744-6cfb14a28b9f/go.mod h1:quoJjGTJ2PjAY0+3YeN5JuN136whECKmfkJQwIsXKjM=
+yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240823015832-84392f4b7c49 h1:iNH2uDxJJkzq9NkQZYUXJxE+Cjay6YN6Ap/2suSs958=
+yunion.io/x/cloudmux v0.3.10-0-alpha.1.0.20240823015832-84392f4b7c49/go.mod h1:iLoBHVR2Eur/1WJSGcbZaEwpzh/iqXvbFCsX9/xt8CI=
 yunion.io/x/executor v0.0.0-20230705125604-c5ac3141db32 h1:v7POYkQwo1XzOxBoIoRVr/k0V9Y5JyjpshlIFa9raug=
 yunion.io/x/executor v0.0.0-20230705125604-c5ac3141db32/go.mod h1:Uxuou9WQIeJXNpy7t2fPLL0BYLvLiMvGQwY7Qc6aSws=
 yunion.io/x/go-openvswitch v0.0.20240615 h1:ZCpc1OZ1cUULmsq6Q03DmyS4HFhLB0KhMhyXsQqJugI=
@@ -901,15 +900,15 @@ yunion.io/x/log v0.0.0-20190514041436-04ce53b17c6b/go.mod h1:+gauLs73omeJAPlsXce
 yunion.io/x/log v0.0.0-20190629062853-9f6483a7103d/go.mod h1:LC6f/4FozL0iaAbnFt2eDX9jlsyo3WiOUPm03d7+U4U=
 yunion.io/x/log v1.0.1-0.20240305175729-7cf2d6cd5a91 h1:inY5o3LDa/zgsIZuPN0HmpzKIsu/lLgsBmMttuDPGj4=
 yunion.io/x/log v1.0.1-0.20240305175729-7cf2d6cd5a91/go.mod h1:LC6f/4FozL0iaAbnFt2eDX9jlsyo3WiOUPm03d7+U4U=
-yunion.io/x/onecloud v0.0.0-20240614113442-2d07eeef247f h1:e9kparXnxa969VdMvuQUsUawNb08Wt2RFQCnU6vfC6A=
-yunion.io/x/onecloud v0.0.0-20240614113442-2d07eeef247f/go.mod h1:pgL7o/WcP6jKKRid7zmcLKkDL7LkbBEgW08xZoG2iR0=
+yunion.io/x/onecloud v0.0.0-20240824114415-077e7975f242 h1:uosofAi69ryj3Rli7t5u4orA78ARatuuxzKpt/QGrRI=
+yunion.io/x/onecloud v0.0.0-20240824114415-077e7975f242/go.mod h1:lXgxJel30t6wZHD2YOq1zeCG477tsdZuhIrSmU7FNBQ=
 yunion.io/x/pkg v0.0.0-20190620104149-945c25821dbf/go.mod h1:t6rEGG2sQ4J7DhFxSZVOTjNd0YO/KlfWQyK1W4tog+E=
 yunion.io/x/pkg v0.0.0-20190628082551-f4033ba2ea30/go.mod h1:t6rEGG2sQ4J7DhFxSZVOTjNd0YO/KlfWQyK1W4tog+E=
-yunion.io/x/pkg v1.10.1-0.20240601050854-9e3452bf4d47 h1:uh8OUgdycVKVORSoWNj2w9gMBEaOPgRePSlGqyKYa9s=
-yunion.io/x/pkg v1.10.1-0.20240601050854-9e3452bf4d47/go.mod h1:+3nFKJt+O4xWboiDAv2EqvMM0rmm3tPJaOuQSHFkcY8=
+yunion.io/x/pkg v1.10.1-0.20240812013427-0163ba9c86b1 h1:UJ5mmoZWrO3golljJaMchFQNzSZdRWGM32Xf3lI5YVk=
+yunion.io/x/pkg v1.10.1-0.20240812013427-0163ba9c86b1/go.mod h1:0Bwxqd9MA3ACi119/l02FprY/o9gHahmYC2bsSbnVpM=
 yunion.io/x/s3cli v0.0.0-20190917004522-13ac36d8687e h1:v+EzIadodSwkdZ/7bremd7J8J50Cise/HCylsOJngmo=
 yunion.io/x/s3cli v0.0.0-20190917004522-13ac36d8687e/go.mod h1:0iFKpOs1y4lbCxeOmq3Xx/0AcQoewVPwj62eRluioEo=
-yunion.io/x/sqlchemy v1.1.3-0.20240530085133-5058648977dd h1:5y2pHZ4+cDIuh5MTI853yulkgdADRLWKeyYaaFGArcQ=
-yunion.io/x/sqlchemy v1.1.3-0.20240530085133-5058648977dd/go.mod h1:5W8ghvJ4TNt/r2yDjjD3i4QsZgIiJX45dhRQBGWPHsQ=
+yunion.io/x/sqlchemy v1.1.3-0.20240823033059-be6fe90dab22 h1:H+lxDpb8e2y2DwMRvo6Ujq3NK1zbR0gfVS9tdvjG4X0=
+yunion.io/x/sqlchemy v1.1.3-0.20240823033059-be6fe90dab22/go.mod h1:5W8ghvJ4TNt/r2yDjjD3i4QsZgIiJX45dhRQBGWPHsQ=
 yunion.io/x/structarg v0.0.0-20231017124457-df4d5009457c h1:QuLab2kSRECZRxo4Lo2KcYn6XjQFDGaZ1+x0pYDVVwQ=
 yunion.io/x/structarg v0.0.0-20231017124457-df4d5009457c/go.mod h1:EP6NSv2C0zzqBDTKumv8hPWLb3XvgMZDHQRfyuOrQng=

pkg/agent/server/hostlocal.go

@@ -44,6 +44,8 @@ func (hl *HostLocal) updateFlows(ctx context.Context) {
 			Ifname:     hcn.Ifname,
 			IP:         ip,
 			MAC:        mac,
+
+			HostLocalNets: hcn.HostLocalNets,
 		}
 		flows, err := hostLocal.FlowsMap()
 		if err != nil {

pkg/agent/utils/flowsource.go

@@ -25,6 +25,7 @@ import (
 
 	"yunion.io/x/log"
 	"yunion.io/x/pkg/errors"
+	"yunion.io/x/pkg/util/netutils"
 )
 
 type FlowSource interface {
@@ -90,6 +91,7 @@ func (h *HostLocal) FlowsMap() (map[string][]*ovs.Flow, error) {
 	}
 	T := t(m)
 	flows := []*ovs.Flow{
+		// allow ipv6
 		// F(0, 40000, "ipv6", "drop"),
 	}
 	flows = append(flows,
@@ -130,6 +132,18 @@ func (h *HostLocal) FlowsMap() (map[string][]*ovs.Flow, error) {
 			F(9, 1000, "", "drop"),
 		)
 	}
+	{
+		// prevent hostlocal IPs leaking outside of host
+		for i := range h.HostLocalNets {
+			netConf := h.HostLocalNets[i]
+			ip4, _ := netutils.NewIPV4Addr(netConf.GuestIpStart)
+			addrMask := fmt.Sprintf("%s/%d", ip4.NetAddr(int8(netConf.GuestIpMask)).String(), netConf.GuestIpMask)
+			flows = append(flows,
+				F(0, 39000, T(fmt.Sprintf("in_port={{.PortNoPhy}},arp,arp_tpa=%s", addrMask)), "drop"),
+				F(0, 39001, T(fmt.Sprintf("in_port={{.PortNoPhy}},arp,arp_spa=%s", addrMask)), "drop"),
+			)
+		}
+	}
 	// NOTE we do not do check of existence of a "switch" guest and
 	// silently "AllowSwitchVMs" here.  That could be deemed as unexpected
 	// compromise for other guests.  Intentions must be explicit

pkg/agent/utils/hostconfig.go

@@ -22,19 +22,23 @@ import (
 	"strings"
 	"time"
 
+	"yunion.io/x/jsonutils"
 	"yunion.io/x/log"
 
 	apis "yunion.io/x/onecloud/pkg/apis/compute"
 	"yunion.io/x/onecloud/pkg/apis/identity"
 	"yunion.io/x/onecloud/pkg/hostman/options"
 	"yunion.io/x/onecloud/pkg/mcclient/auth"
+	"yunion.io/x/onecloud/pkg/util/fileutils2"
 )
 
 type HostConfigNetwork struct {
 	Bridge string
 	Ifname string
 	IP     net.IP
 	mac    net.HardwareAddr
+
+	HostLocalNets []apis.NetworkDetails
 }
 
 func NewHostConfigNetwork(network string) (*HostConfigNetwork, error) {
@@ -78,6 +82,30 @@ func (hcn *HostConfigNetwork) IPMAC() (net.IP, net.HardwareAddr, error) {
 	return nil, nil, fmt.Errorf("cannot find proper ip/mac")
 }
 
+func (hcn *HostConfigNetwork) loadHostLocalNetconfs(hc *HostConfig) {
+	log.Infof("HostConfigNetwork loadHostLocalNetconfs!!!")
+	if hcn.IP == nil {
+		return
+	}
+	fn := hc.HostLocalNetconfPath(hcn.Bridge)
+	confStr, err := fileutils2.FileGetContents(fn)
+	if err != nil {
+		log.Warningf("fail to load host local netconfs %s: %s", fn, err)
+		return
+	}
+	confJson, err := jsonutils.ParseString(confStr)
+	if err != nil {
+		log.Warningf("fail to parse host local netconfs %s: %s", fn, err)
+		return
+	}
+	hcn.HostLocalNets = make([]apis.NetworkDetails, 0)
+	err = confJson.Unmarshal(&hcn.HostLocalNets)
+	if err != nil {
+		log.Warningf("fail to unmarshal host local netconfs %s: %s", fn, err)
+		return
+	}
+}
+
 type HostConfig struct {
 	options.SHostOptions
 
@@ -104,6 +132,7 @@ func NewHostConfig() (*HostConfig, error) {
 			// NOTE error ignored
 			continue
 		}
+		hcn.loadHostLocalNetconfs(hc)
 		hc.networks = append(hc.networks, hcn)
 	}
 

pkg/agent/utils/hostlocal.go

@@ -16,6 +16,8 @@ package utils
 
 import (
 	"net"
+
+	"yunion.io/x/onecloud/pkg/apis/compute"
 )
 
 type HostLocal struct {
@@ -24,4 +26,6 @@ type HostLocal struct {
 	Ifname     string
 	IP         net.IP
 	MAC        net.HardwareAddr
+
+	HostLocalNets []compute.NetworkDetails
 }