diff options
| author | Christian Poessinger <christian@poessinger.com> | 2021-04-21 19:28:55 +0200 |
|---|---|---|
| committer | Christian Poessinger <christian@poessinger.com> | 2021-04-21 19:28:55 +0200 |
| commit | fae397c69391295dbca272d6e58f95f81b95737d (patch) | |
| tree | f722adbb705c26a646af8950bf740a0ad55ddb42 | |
| parent | 255216b4470b0a25dded0edc1e8acd8e0fbf34b5 (diff) | |
| download | vyos-1x-fae397c69391295dbca272d6e58f95f81b95737d.tar.gz vyos-1x-fae397c69391295dbca272d6e58f95f81b95737d.zip | |
containers: T2216: used "address" must belong to the used container network
| -rwxr-xr-x | src/conf_mode/containers.py | 22 |
1 files changed, 21 insertions, 1 deletions
diff --git a/src/conf_mode/containers.py b/src/conf_mode/containers.py index 3d5795016..ded82d155 100755 --- a/src/conf_mode/containers.py +++ b/src/conf_mode/containers.py @@ -17,6 +17,9 @@ import os import json +from ipaddress import ip_address +from ipaddress import ip_network + from vyos.config import Config from vyos.configdict import dict_merge from vyos.configdict import node_changed @@ -99,11 +102,28 @@ def verify(container): if len(container_config['network']) > 1: raise ConfigError(f'Only one network can be specified for container "{name}"!') + # Check if the specified container network exists network_name = list(container_config['network'])[0] - if network_name not in container_config['network']: + if network_name not in container['network']: raise ConfigError('Container network "{network_name}" does not exist!') + if 'address' in container_config['network'][network_name]: + if 'network' not in container_config: + raise ConfigError(f'Can not use "address" without "network" for container "{name}"!') + + address = container_config['network'][network_name]['address'] + network = container['network'][network_name]['prefix'] + + network = None + if is_ipv4(address): + network = [x for x in container['network'][network_name]['prefix'] if is_ipv4(x)][0] + elif is_ipv6(address): + network = [x for x in container['network'][network_name]['prefix'] if is_ipv6(x)][0] + + if ip_address(address) not in ip_network(network): + raise ConfigError(f'Used container address "{address}" not in network "{network}"!') + # Container image is a mandatory option if 'image' not in container_config: raise ConfigError(f'Container image for "{name}" is mandatory!') |