author | Andrew Topp <andrewt@telekinetica.net> | 2024-06-01 20:42:36 +1000 |
---|---|---|
committer | Andrew Topp <andrewt@telekinetica.net> | 2024-06-01 20:42:36 +1000 |
commit | 3ad333fc62807f5816f826d7bc0c4c8e0ac96167 (patch) | |
tree | 02f4eb00022e2d0a63118c3fa494307b33f86407 /src | |
parent | d150067ef254a266aef2758e8e92b43c1f22956b (diff) | |
download | vyos-1x-3ad333fc62807f5816f826d7bc0c4c8e0ac96167.tar.gz vyos-1x-3ad333fc62807f5816f826d7bc0c4c8e0ac96167.zip |
nat64: T6403: validate source prefix for RFC compliance
Simplest fix is to comply with RFC6052. The code change is just masking
out the relevant bits and ensuring they're zeroed.
Diffstat (limited to 'src')
-rwxr-xr-x | src/conf_mode/nat64.py | 10 |
1 files changed, 8 insertions, 2 deletions
diff --git a/src/conf_mode/nat64.py b/src/conf_mode/nat64.py
index c1e7ebf85..32a1c47d1 100755
--- a/src/conf_mode/nat64.py
+++ b/src/conf_mode/nat64.py
@@ -20,7 +20,7 @@
 import csv
 import os
 import re
-from ipaddress import IPv6Network
+from ipaddress import IPv6Network, IPv6Address
 from json import dumps as json_write
 from vyos import ConfigError
@@ -103,8 +103,14 @@ def verify(nat64) -> None:
 # Verify that source.prefix is set and is a /96
 if not dict_search("source.prefix", instance):
 raise ConfigError(f"Source NAT64 rule {rule} missing source prefix")
-if IPv6Network(instance["source"]["prefix"]).prefixlen != 96:
+src_prefix = IPv6Network(instance["source"]["prefix"])
+if src_prefix.prefixlen != 96:
 raise ConfigError(f"Source NAT64 rule {rule} source prefix must be /96")
+if (int(src_prefix[0]) & int(IPv6Address('0:0:0:0:ff00::'))) != 0:
+raise ConfigError(
+f'Source NAT64 rule {rule} source prefix is not RFC6052-compliant: '
+'bits 64 to 71 (9th octet) must be zeroed'
+)
 pools = dict_search("translation.pool", instance)
 if pools:
|
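Review bot: The new `src_prefix = IPv6Network(instance["source"]["prefix"])` line still lets a malformed value, or one with host bits set, escape as an uncaught `ValueError` (`IPv6Network` defaults to `strict=True`), while every other failure in this rule is reported as `ConfigError`; the parse should be wrapped, `try: src_prefix = IPv6Network(instance["source"]["prefix"])` / `except ValueError as e: raise ConfigError(f"Source NAT64 rule {rule} source prefix is invalid: {e}") from e`. The removed line had the same gap, but the commit now binds the result and builds the new RFC 6052 check on it, so this is the place to close it; the config schema's validator may already reject such input before `verify()` runs, which I cannot tell from the hunk. On the added mask line, `IPv6Address('0:0:0:0:ff00::')` is an unexplained magic value and would read better as a module-level constant annotated `# RFC 6052 §2.2: in a /96 translation prefix bits 64-71 (the "u" octet) must be zero`, and the new single-quoted strings depart from the double-quoted f-strings around them. `verify()` begins and ends outside the hunk.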