Verify that EgressIPs are on the expected subnet

danwinship · danwinship · commit 154b0e082113 · 2017-10-13T12:54:57.000-04:00
diff --git a/pkg/network/node/egressip.go b/pkg/network/node/egressip.go
@@ -52,6 +52,7 @@ type egressIPWatcher struct {
 	namespacesByEgressIP map[string]*namespaceEgress
 
 	localEgressLink      netlink.Link
+	localEgressNet       *net.IPNet
 	localEgressIPMaskLen int
 
 	testModeChan chan string
@@ -269,6 +270,12 @@ func (eip *egressIPWatcher) claimEgressIP(egressIP, egressHex string) error {
 
 			for _, addr := range addrs {
 				if addr.IP.String() == eip.localIP {
+					_, eip.localEgressNet, err = net.ParseCIDR(addr.IPNet.String())
+					if err != nil {
+						glog.Warningf("Could not parse CIDR network from address %q: %v", addr.IP.String(), err)
+						break linkLoop
+					}
+
 					eip.localEgressLink = link
 					eip.localEgressIPMaskLen, _ = addr.Mask.Size()
 					break linkLoop
@@ -286,6 +293,9 @@ func (eip *egressIPWatcher) claimEgressIP(egressIP, egressHex string) error {
 	if err != nil {
 		return fmt.Errorf("could not parse egress IP %q: %v", egressIPNet, err)
 	}
+	if !eip.localEgressNet.Contains(addr.IP) {
+		return fmt.Errorf("egress IP %q is not in local network %s of interface %s", egressIP, eip.localEgressNet.String(), eip.localEgressLink.Attrs().Name)
+	}
 	err = netlink.AddrAdd(eip.localEgressLink, addr)
 	if err != nil {
 		return fmt.Errorf("could not add egress IP %q to %s: %v", egressIPNet, eip.localEgressLink.Attrs().Name, err)
