Closed jrussett closed 1 month ago
Adding acceptance steps here
[
{
"protocol": "tcp",
"destination": "010.0.0.53",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "10.000.0.53",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "10.0.000.53",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "10.0.0.053",
"ports": "443"
},
{
"protocol": "tcp",
"destination": "010.000.000.053",
"ports": "443"
}
]
cf create-security-group asg asg.json
Rules[0]: destination octets cannot contain leading zeros, Rules[1]: destination octets cannot contain leading zeros, Rules[2]: destination octets cannot contain leading zeros, Rules[3]: destination octets cannot contain leading zeros, Rules[4]: destination octets cannot contain leading zeros
FAILED
A short explanation of the proposed change:
This change adds validation logic to prevent the creation of ASGs with leading zeros in addresses. e.g.
10.0.0.0/8
and192.168.1.156
are valid010.000.000.0/0
10.0.000.10
are no longer valid.The motivation for this change in behavior is to prevent malformed IPs from making their way into the CC database to begin with. We only want to accept valid addresses in ASG destinations going forward.
An explanation of the use cases your change solves
Cloud controller blindly stores the ASG destinations in the database and then passes the value off to downstream clients. Not all downstream clients have the same IP parsing functionality that ruby does, therefore jobs like
vxlan-policy-agent
in silk can stop working when a destination with leading zeros is bound viacf bind-security-group
; when these problems happen, they tend to also take down the diego cell too by preventing routing to all running containers.Links to any other associated PRs, etc...
Checkboxes
[X] I have reviewed the contributing guide
[X] I have viewed, signed, and submitted the Contributor License Agreement
[X] I have made this pull request to the
main
branch[X] I have run all the unit tests using
bundle exec rake
[ ] I have run CF Acceptance Tests