Verify that EgressIPs are on the expected subnet

danwinship · danwinship · commit 84109c9f7693 · 2017-10-13T16:42:41.000-04:00
diff --git a/pkg/network/node/egressip.go b/pkg/network/node/egressip.go
@@ -52,6 +52,7 @@ type egressIPWatcher struct {
 	namespacesByEgressIP map[string]*namespaceEgress
 
 	localEgressLink      netlink.Link
+	localEgressNet       *net.IPNet
 	localEgressIPMaskLen int
 
 	testModeChan chan string
@@ -97,6 +98,10 @@ func (eip *egressIPWatcher) findEgressLink() error {
 
 		for _, addr := range addrs {
 			if addr.IP.String() == eip.localIP {
+				_, eip.localEgressNet, err = net.ParseCIDR(addr.IPNet.String())
+				if err != nil {
+					return fmt.Errorf("could not parse CIDR network from address %q: %v", addr.IP.String(), err)
+				}
 				eip.localEgressLink = link
 				eip.localEgressIPMaskLen, _ = addr.Mask.Size()
 				return nil
@@ -287,6 +292,9 @@ func (eip *egressIPWatcher) claimEgressIP(egressIP, egressHex string) error {
 	if err != nil {
 		return fmt.Errorf("could not parse egress IP %q: %v", egressIPNet, err)
 	}
+	if !eip.localEgressNet.Contains(addr.IP) {
+		return fmt.Errorf("egress IP %q is not in local network %s of interface %s", egressIP, eip.localEgressNet.String(), eip.localEgressLink.Attrs().Name)
+	}
 	err = netlink.AddrAdd(eip.localEgressLink, addr)
 	if err != nil {
 		return fmt.Errorf("could not add egress IP %q to %s: %v", egressIPNet, eip.localEgressLink.Attrs().Name, err)
