authorAndrew Topp <andrewt@telekinetica.net>2024-06-01 20:42:36 +1000
committerAndrew Topp <andrewt@telekinetica.net>2024-06-01 20:42:36 +1000
commit3ad333fc62807f5816f826d7bc0c4c8e0ac96167 (patch)
tree02f4eb00022e2d0a63118c3fa494307b33f86407 /src/conf_mode/nat64.py
parentd150067ef254a266aef2758e8e92b43c1f22956b (diff)
nat64: T6403: validate source prefix for RFC compliance
The simplest fix is to comply with RFC 6052: the change masks out the relevant bits of the source prefix (bits 64 to 71, the 9th octet) and rejects the configuration if they are not zero.
Diffstat (limited to 'src/conf_mode/nat64.py')
-rwxr-xr-xsrc/conf_mode/nat64.py10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/conf_mode/nat64.py b/src/conf_mode/nat64.py
index c1e7ebf85..32a1c47d1 100755
--- a/src/conf_mode/nat64.py
+++ b/src/conf_mode/nat64.py
@@ -20,7 +20,7 @@ import csv
import os
import re
-from ipaddress import IPv6Network
+from ipaddress import IPv6Network, IPv6Address
from json import dumps as json_write
from vyos import ConfigError
@@ -103,8 +103,14 @@ def verify(nat64) -> None:
# Verify that source.prefix is set and is a /96
if not dict_search("source.prefix", instance):
raise ConfigError(f"Source NAT64 rule {rule} missing source prefix")
- if IPv6Network(instance["source"]["prefix"]).prefixlen != 96:
+ src_prefix = IPv6Network(instance["source"]["prefix"])
+ if src_prefix.prefixlen != 96:
raise ConfigError(f"Source NAT64 rule {rule} source prefix must be /96")
+ if (int(src_prefix[0]) & int(IPv6Address('0:0:0:0:ff00::'))) != 0:
+ raise ConfigError(
+ f'Source NAT64 rule {rule} source prefix is not RFC6052-compliant: '
+ 'bits 64 to 71 (9th octet) must be zeroed'
+ )
pools = dict_search("translation.pool", instance)
if pools:
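Review bot: The new `src_prefix = IPv6Network(instance["source"]["prefix"])` can still raise a bare `ValueError` instead of a `ConfigError`: `IPv6Network` is strict by default, so a prefix with host bits set (e.g. `64:ff9b::1/96`) or a malformed string would surface as a traceback from `verify()` rather than the intended commit-time error, unless the configuration schema already guarantees canonical input, which is not visible here. Wrapping the construction and translating the failure keeps every validation outcome on the `ConfigError` path, and the RFC 6052 check itself can then run on the validated object as it does now. The mask literal `int(IPv6Address('0:0:0:0:ff00::'))` is also rebuilt per rule; a module-level constant such as `RFC6052_U_OCTET_MASK = 0xff00 << 56` would name the intent and avoid the repeated parse. The enclosing `verify()` starts before this hunk and continues after it.
```python
try:
    src_prefix = IPv6Network(instance["source"]["prefix"])
except ValueError as err:
    raise ConfigError(f"Source NAT64 rule {rule} source prefix is invalid: {err}") from err
# … unchanged: /96 length check and RFC 6052 bits 64-71 check …
```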