Leak external host-routes to private network (#49)

Closes #48
metal-stack · May 18, 2021 · 2016cb1 · 2016cb1
1 parent fbc3f9d
commit 2016cb1
Show file tree

Hide file tree

Showing 6 changed files with 17 additions and 7 deletions.
diff --git a/pkg/netconf/routemap.go b/pkg/netconf/routemap.go
@@ -39,6 +39,7 @@ func importRulesForNetwork(kb KnowledgeBase, network models.V1MachineNetwork) *i
 		// reach out from private network into public networks
 		i.importVRFs = vrfNamesOf(externalNets)
 		i.importPrefixes = getDestinationPrefixes(externalNets)
+		i.importPrefixes = append(i.importPrefixes, prefixesOfNetworks(externalNets)...)
 
 		// reach out from private network into shared private networks
 		i.importVRFs = append(i.importVRFs, vrfNamesOf(privateSecondarySharedNets)...)

diff --git a/pkg/netconf/routemap_test.go b/pkg/netconf/routemap_test.go
@@ -80,7 +80,7 @@ func Test_importRulesForNetwork(t *testing.T) {
 				{
 					targetVRF:      private.vrf,
 					importVRFs:     []string{inet.vrf, external.vrf, shared.vrf},
-					importPrefixes: concatPfxSlices(inet.destinations, external.destinations, shared.prefixes),
+					importPrefixes: concatPfxSlices(inet.destinations, external.destinations, inet.prefixes, external.prefixes, shared.prefixes),
 				},
 				{
 					targetVRF:      shared.vrf,
@@ -109,7 +109,7 @@ func Test_importRulesForNetwork(t *testing.T) {
 				{
 					targetVRF:      shared.vrf,
 					importVRFs:     []string{inet.vrf},
-					importPrefixes: concatPfxSlices(inet.destinations),
+					importPrefixes: concatPfxSlices(inet.destinations, inet.prefixes),
 				},
 				{
 					targetVRF:              inet.vrf,
@@ -127,7 +127,7 @@ func Test_importRulesForNetwork(t *testing.T) {
 				{
 					targetVRF:      private.vrf,
 					importVRFs:     []string{inet.vrf, dmz.vrf},
-					importPrefixes: concatPfxSlices(inet.destinations, dmz.prefixes),
+					importPrefixes: concatPfxSlices(inet.destinations, inet.prefixes, dmz.prefixes),
 				},
 				{
 					targetVRF:      dmz.vrf,
@@ -167,7 +167,7 @@ func Test_importRulesForNetwork(t *testing.T) {
 				{
 					targetVRF:      private6.vrf,
 					importVRFs:     []string{inet.vrf, external.vrf, shared.vrf},
-					importPrefixes: concatPfxSlices(inet6.destinations, external.destinations, shared.prefixes),
+					importPrefixes: concatPfxSlices(inet6.destinations, external.destinations, inet6.prefixes, external.prefixes, shared.prefixes),
 				},
 				{
 					targetVRF:      shared.vrf,

diff --git a/pkg/netconf/testdata/frr.conf.firewall b/pkg/netconf/testdata/frr.conf.firewall
@@ -148,7 +148,10 @@ router bgp 4200003073 vrf vrf104010
 !
 ip prefix-list vrf3981-import-prefixes seq 100 permit 0.0.0.0/0
 ip prefix-list vrf3981-import-prefixes seq 101 permit 100.127.1.0/24 le 32
-ip prefix-list vrf3981-import-prefixes seq 102 permit 10.0.18.0/22 le 32
+ip prefix-list vrf3981-import-prefixes seq 102 permit 185.1.2.0/24 le 32
+ip prefix-list vrf3981-import-prefixes seq 103 permit 185.27.0.0/22 le 32
+ip prefix-list vrf3981-import-prefixes seq 104 permit 100.127.129.0/24 le 32
+ip prefix-list vrf3981-import-prefixes seq 105 permit 10.0.18.0/22 le 32
 route-map vrf3981-import-map permit 10
  match ip address prefix-list vrf3981-import-prefixes
 route-map vrf3981-import-map deny 20

diff --git a/pkg/netconf/testdata/frr.conf.firewall_dmz b/pkg/netconf/testdata/frr.conf.firewall_dmz
@@ -125,7 +125,9 @@ router bgp 4200003073 vrf vrf104009
  exit-address-family
 !
 ip prefix-list vrf3981-import-prefixes seq 100 permit 0.0.0.0/0
-ip prefix-list vrf3981-import-prefixes seq 101 permit 10.0.20.0/22 le 32
+ip prefix-list vrf3981-import-prefixes seq 101 permit 185.1.2.0/24 le 32
+ip prefix-list vrf3981-import-prefixes seq 102 permit 185.27.0.0/22 le 32
+ip prefix-list vrf3981-import-prefixes seq 103 permit 10.0.20.0/22 le 32
 route-map vrf3981-import-map permit 10
  match ip address prefix-list vrf3981-import-prefixes
 route-map vrf3981-import-map deny 20

diff --git a/pkg/netconf/testdata/frr.conf.firewall_ipv6 b/pkg/netconf/testdata/frr.conf.firewall_ipv6
@@ -147,8 +147,10 @@ router bgp 4200003073 vrf vrf104010
  exit-address-family
 !
 ip prefix-list vrf3981-import-prefixes seq 100 permit 100.127.1.0/24 le 32
-ip prefix-list vrf3981-import-prefixes seq 101 permit 10.0.18.0/22 le 32
+ip prefix-list vrf3981-import-prefixes seq 101 permit 100.127.129.0/24 le 32
+ip prefix-list vrf3981-import-prefixes seq 102 permit 10.0.18.0/22 le 32
 ipv6 prefix-list vrf3981-import-prefixes-ipv6 seq 100 permit ::/0
+ipv6 prefix-list vrf3981-import-prefixes-ipv6 seq 101 permit 2a02:c00:20::/45 le 128
 route-map vrf3981-import-map permit 10
  match ipv6 address prefix-list vrf3981-import-prefixes-ipv6
 route-map vrf3981-import-map permit 20

diff --git a/pkg/netconf/testdata/frr.conf.firewall_shared b/pkg/netconf/testdata/frr.conf.firewall_shared
@@ -95,6 +95,8 @@ router bgp 4200003073 vrf vrf104009
  exit-address-family
 !
 ip prefix-list vrf3982-import-prefixes seq 100 permit 0.0.0.0/0
+ip prefix-list vrf3982-import-prefixes seq 101 permit 185.1.2.0/24 le 32
+ip prefix-list vrf3982-import-prefixes seq 102 permit 185.27.0.0/22 le 32
 route-map vrf3982-import-map permit 10
  match ip address prefix-list vrf3982-import-prefixes
 route-map vrf3982-import-map deny 20