From 5aadf673497b93e2d4ad304e567de1cd571f9e25 Mon Sep 17 00:00:00 2001
From: Christian Poessinger <christian@poessinger.com>
Date: Fri, 8 Oct 2021 21:17:52 +0200
Subject: tunnel: T3893: harden logic when validating tunnel parameters

Different types of tunnels have different keys set in get_interface_config().
Thus it should be properly verified (by e.g. using dict_search()) that the key
in question exists, so that no KeyError is raised.
---
 src/conf_mode/interfaces-tunnel.py | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)


diff --git a/src/conf_mode/interfaces-tunnel.py b/src/conf_mode/interfaces-tunnel.py
index ef385d2e7..51127127d 100755
--- a/src/conf_mode/interfaces-tunnel.py
+++ b/src/conf_mode/interfaces-tunnel.py
@@ -108,18 +108,17 @@ def verify(tunnel):
             # Prevent the same key for 2 tunnels with same source-address/encap. T2920
             for tunnel_if in Section.interfaces('tunnel'):
                 tunnel_cfg = get_interface_config(tunnel_if)
-                exist_encap = tunnel_cfg['linkinfo']['info_kind']
-                exist_source_address = tunnel_cfg['address']
-                exist_key = tunnel_cfg['linkinfo']['info_data']['ikey']
+                # no match on encapsulation - bail out
+                if dict_search('linkinfo.info_kind', tunnel_cfg) != tunnel['encapsulation']:
+                    continue
                 new_source_address = tunnel['source_address']
                 # Convert tunnel key to ip key, format "ip -j link show"
                 # 1 => 0.0.0.1, 999 => 0.0.3.231
-                orig_new_key = int(tunnel['parameters']['ip']['key'])
-                new_key = IPv4Address(orig_new_key)
+                orig_new_key = dict_search('parameters.ip.key', tunnel)
+                new_key = IPv4Address(int(orig_new_key))
                 new_key = str(new_key)
-                if tunnel['encapsulation'] == exist_encap and \
-                   new_source_address == exist_source_address and \
-                   new_key == exist_key:
+                if dict_search('address', tunnel_cfg) == new_source_address and \
+                   dict_search('linkinfo.info_data.ikey', tunnel_cfg) == new_key:
                     raise ConfigError(f'Key "{orig_new_key}" for source-address "{new_source_address}" ' \
                                       f'is already used for tunnel "{tunnel_if}"!')
 
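Review bot: `new_source_address = tunnel['source_address']` is still a direct subscript, so a tunnel without a source-address raises KeyError here despite the hardening; `new_source_address = dict_search('source_address', tunnel)` would match the other lookups. Likewise `IPv4Address(int(orig_new_key))` raises TypeError if `dict_search('parameters.ip.key', tunnel)` finds nothing, unless a guard above the hunk already ensures the key is set; verify() starts outside the hunk, so this cannot be confirmed from here. Once the lookups can return None, `dict_search('address', tunnel_cfg) == new_source_address` would also be true when both sides are missing, so the duplicate-key check should probably be skipped when either value is None rather than reporting a false conflict. The key conversion does not depend on `tunnel_if` and could be done once before the loop.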
-- 
cgit v1.2.3