From ccd564c2328a086b326957fdde8b07ca560bd6b2 Mon Sep 17 00:00:00 2001
From: Christian Breunig
Date: Sun, 26 May 2024 10:06:02 +0200
Subject: dhcpv6-server: T3493: add proper validation for prefix-delegation start/stop address

ISC DHCP server expects a string: "prefix6 2001:db8:290:: 2001:db8:29f:: /64;" where the IPv6 prefix/range must be :: terminaated with a delegated prefix length at the end. This commit changes the validator that the IPv6 address defined on the CLI must always end with ::. In addition a verify() step is added to check that the stop address is greater than start address.
---
 src/conf_mode/service_dhcpv6-server.py | 19 +++++++++++++------
 1 file changed, 13 insertions(+), 6 deletions(-)
(limited to 'src')
diff --git a/src/conf_mode/service_dhcpv6-server.py b/src/conf_mode/service_dhcpv6-server.py
index 560251336..25f19285c 100755
--- a/src/conf_mode/service_dhcpv6-server.py
+++ b/src/conf_mode/service_dhcpv6-server.py
@@ -105,22 +105,29 @@ def verify(dhcpv6):
 if 'prefix' in subnet_config:
 for prefix in subnet_config['prefix']:
 if ip_network(prefix) not in ip_network(subnet):
- raise ConfigError(f'address-range prefix "{prefix}" is not in subnet "{subnet}""')
+ raise ConfigError(f'address-range prefix "{prefix}" is not in subnet "{subnet}"!')
 # Prefix delegation sanity checks
 if 'prefix_delegation' in subnet_config:
 if 'start' not in subnet_config['prefix_delegation']:
- raise ConfigError('prefix-delegation start address not defined!')
+ raise ConfigError(f'Start address of delegated IPv6 prefix range "{prefix}" '\
+ f'must be configured!')
 for prefix, prefix_config in subnet_config['prefix_delegation']['start'].items():
 if 'stop' not in prefix_config:
- raise ConfigError(f'Stop address of delegated IPv6 '\
- f'prefix range "{prefix}" '\
- f'must be configured')
+ raise ConfigError(f'Stop address of delegated IPv6 prefix range "{prefix}" '\
+ f'must be configured!')
+
+ start_addr = prefix
+ stop_addr = prefix_config['stop']
+
+ if ip_address(stop_addr) <= ip_address(start_addr):
+ raise ConfigError(f'Stop address of delegated IPv6 prefix range "{prefix}" '\
+ f'must be greater than start address!')
 if 'prefix_length' not in prefix_config:
 raise ConfigError(f'Length of delegated IPv6 prefix '\
- f'must be configured')
+ f'must be configured!')
 # Static mappings don't require anything (but check if IP is in subnet if it's set)
 if 'static_mapping' in subnet_config:
--
cgit v1.2.3
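Review bot: The new "Start address" error under `if 'start' not in subnet_config['prefix_delegation']:` interpolates `prefix`, but the delegation loop that binds `prefix` to a start address only begins on the following lines. At that point `prefix` is either a leftover from the address-range loop above (so the message names an unrelated prefix) or, unless it is bound earlier in verify() outside this hunk, not yet assigned, in which case the f-string raises UnboundLocalError instead of ConfigError. Dropping the placeholder avoids both: `raise ConfigError('Start address of delegated IPv6 prefix range must be configured!')`. The added `ip_address(stop_addr) <= ip_address(start_addr)` comparison also relies on the CLI validator having accepted both values as IPv6 addresses, since `ip_address()` raises ValueError on malformed input and the comparison raises TypeError on mixed address families; a short comment stating that assumption would help. verify() starts and ends outside the hunk.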