networkservicemesh · NikitaSkrynnik · Jul 17, 2024 · Jul 17, 2024 · Jul 17, 2024 · Jul 18, 2024
diff --git a/pkg/networkservice/ipam/filteripam/server.go b/pkg/networkservice/ipam/filteripam/server.go
@@ -0,0 +1,153 @@
+// Copyright (c) 2024 Cisco and its affiliates.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+// Package filteripam provides a networkservice.NetworkService Server chain element for building an IPAM server that
+// filters some invalid addresses and routes in IP context
+package filteripam
+
+import (
+	"context"
+	"net"
+	"net/netip"
+
+	"github.com/golang/protobuf/ptypes/empty"
+	"github.com/networkservicemesh/api/pkg/api/networkservice"
+
+	"github.com/networkservicemesh/sdk/pkg/networkservice/core/next"
+	"github.com/networkservicemesh/sdk/pkg/tools/ippool"
+)
+
+type filterIPAMServer struct {
+	ipPool *ippool.IPPool
+}
+
+// NewServer - creates a new filter IPAM server
+func NewServer(newIPAMServer func(...*net.IPNet) networkservice.NetworkServiceServer, prefixes ...*net.IPNet) networkservice.NetworkServiceServer {
+	if newIPAMServer == nil {
+		panic("newIPAMServer should not be nil")
+	}
+	ipPool := ippool.New(net.IPv6len)
+	for _, p := range prefixes {
+		ipPool.AddNet(ipNetToIpv6Net(p))
+	}
+	return next.NewNetworkServiceServer(
+		&filterIPAMServer{ipPool: ipPool},
+		newIPAMServer(prefixes...),
+	)
+}
+
+func (s *filterIPAMServer) Request(ctx context.Context, request *networkservice.NetworkServiceRequest) (*networkservice.Connection, error) {
+	s.validateIPContext(request.Connection.Context.IpContext)
+	conn, err := next.Server(ctx).Request(ctx, request)
+	if err != nil {
+		return nil, err
+	}
+
+	s.pullAddrs(conn.Context.IpContext)
+	return conn, nil
+}
+
+func (s *filterIPAMServer) Close(ctx context.Context, conn *networkservice.Connection) (*empty.Empty, error) {
+	s.free(conn.Context.IpContext)
+	return next.Server(ctx).Close(ctx, conn)
+}
+
+func ipNetToIpv6Net(ipNet *net.IPNet) *net.IPNet {
+	if len(ipNet.IP) == net.IPv6len {
+		return ipNet
+	}
+	ipv6Net := new(net.IPNet)
+	ipv6Net.IP = ipNet.IP.To16()
+	ipv6Net.Mask = make([]byte, 16)
+	copy(ipv6Net.Mask[12:], ipNet.Mask)
+
+	return ipv6Net
+}
+
+func (s *filterIPAMServer) getInvalidAddrs(addrs []string) []string {
+	invalidAddrs := make([]string, 0)
-	invalidAddrs := make([]string, 0)
+	invalidAddrs := []string(nil)
-	invalidAddrs := make([]string, 0)
+	invalidAddrs := []string(nil)
+	for _, prefixString := range addrs {
+		prefix, parseErr := netip.ParsePrefix(prefixString)
+		if parseErr != nil {
+			invalidAddrs = append(invalidAddrs, prefixString)
+			continue
+		}
+
+		if !s.ipPool.ContainsString(prefix.Addr().String()) {
+			invalidAddrs = append(invalidAddrs, prefixString)
+		}
+	}
+
+	return invalidAddrs
+}
+
+func (s *filterIPAMServer) validateIPContext(ipContext *networkservice.IPContext) {
+	for _, addr := range s.getInvalidAddrs(ipContext.SrcIpAddrs) {
+		deleteAddr(&ipContext.SrcIpAddrs, addr)
+		deleteRoute(&ipContext.DstRoutes, addr)
+	}
+
+	for _, addr := range s.getInvalidAddrs(ipContext.DstIpAddrs) {
+		deleteAddr(&ipContext.DstIpAddrs, addr)
+		deleteRoute(&ipContext.SrcRoutes, addr)
+	}
+}
+
+func deleteRoute(routes *[]*networkservice.Route, prefix string) {
+	for i, route := range *routes {
+		if route.Prefix == prefix {
+			*routes = append((*routes)[:i], (*routes)[i+1:]...)
+			return
+		}
+	}
+}
+
+func deleteAddr(addrs *[]string, addr string) {
+	for i, a := range *addrs {
+		if a == addr {
+			*addrs = append((*addrs)[:i], (*addrs)[i+1:]...)
+			return
+		}
+	}
+}
+
+func (s *filterIPAMServer) pullAddrs(ipContext *networkservice.IPContext) {
+	for _, addr := range ipContext.SrcIpAddrs {
+		_, _ = s.ipPool.PullIPString(addr)
+	}
+
+	for _, addr := range ipContext.DstIpAddrs {
+		_, _ = s.ipPool.PullIPString(addr)
+	}
+}
+
+func (s *filterIPAMServer) free(ipContext *networkservice.IPContext) {
+	for _, addr := range ipContext.SrcIpAddrs {
+		_, ipNet, err := net.ParseCIDR(addr)
+		if err != nil {
+			return
+		}
+		s.ipPool.AddNet(ipNetToIpv6Net(ipNet))
+	}
+
+	for _, addr := range ipContext.DstIpAddrs {
+		_, ipNet, err := net.ParseCIDR(addr)
+		if err != nil {
+			return
+		}
+		s.ipPool.AddNet(ipNetToIpv6Net(ipNet))
+	}
+}
diff --git a/pkg/networkservice/ipam/filteripam/server_test.go b/pkg/networkservice/ipam/filteripam/server_test.go
@@ -0,0 +1,114 @@
+// Copyright (c) 2024 Cisco and/or its affiliates.
+//
+// SPDX-License-Identifier: Apache-2.0
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at:
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package filteripam_test
+
+import (
+	"context"
+	"net"
+	"testing"
+
+	"github.com/networkservicemesh/api/pkg/api/networkservice"
+	"github.com/stretchr/testify/require"
+
+	"github.com/networkservicemesh/sdk/pkg/networkservice/core/next"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/filteripam"
+	"github.com/networkservicemesh/sdk/pkg/networkservice/ipam/point2pointipam"
+)
+
+func newRequest(connID string) *networkservice.NetworkServiceRequest {
+	return &networkservice.NetworkServiceRequest{
+		Connection: &networkservice.Connection{
+			Id: connID,
+			Context: &networkservice.ConnectionContext{
+				IpContext: new(networkservice.IPContext),
+			},
+		},
+	}
+}
+func validateConns(t *testing.T, conn *networkservice.Connection, dsts, srcs []string) {
+	for i, dst := range dsts {
+		require.Equal(t, conn.Context.IpContext.DstIpAddrs[i], dst)
+		require.Equal(t, conn.Context.IpContext.SrcRoutes[i].Prefix, dst)
+	}
+	for i, src := range srcs {
+		require.Equal(t, conn.Context.IpContext.SrcIpAddrs[i], src)
+		require.Equal(t, conn.Context.IpContext.DstRoutes[i].Prefix, src)
+	}
+}
+
+// nolint: dupl
+func TestOverlappingAddresses(t *testing.T) {
+	_, ipNet, err := net.ParseCIDR("172.16.0.0/24")
+	require.NoError(t, err)
+
+	srv := next.NewNetworkServiceServer(filteripam.NewServer(point2pointipam.NewServer, ipNet))
+
+	emptyRequest := newRequest("empty")
+
+	request := newRequest("id")
+	request.Connection.Context.IpContext.SrcIpAddrs = []string{"172.16.0.1/32", "172.16.0.25/32"}
+	request.Connection.Context.IpContext.DstIpAddrs = []string{"172.16.0.0/32", "172.16.0.24/32"}
+	request.Connection.Context.IpContext.SrcRoutes = []*networkservice.Route{{Prefix: "172.16.0.0/32"}, {Prefix: "172.16.0.24/32"}}
+	request.Connection.Context.IpContext.DstRoutes = []*networkservice.Route{{Prefix: "172.16.0.1/32"}, {Prefix: "172.16.0.25/32"}}
+
+	conn1, err := srv.Request(context.Background(), emptyRequest)
+	require.NoError(t, err)
+	validateConns(t, conn1, []string{"172.16.0.0/32"}, []string{"172.16.0.1/32"})
+
+	conn2, err := srv.Request(context.Background(), request.Clone())
+	require.NoError(t, err)
+	validateConns(t, conn2, []string{"172.16.0.24/32"}, []string{"172.16.0.25/32"})
+
+	_, err = srv.Close(context.Background(), conn1)
+	require.NoError(t, err)
+
+	conn2, err = srv.Request(context.Background(), request)
+	require.NoError(t, err)
+	validateConns(t, conn2, []string{"172.16.0.0/32", "172.16.0.24/32"}, []string{"172.16.0.1/32", "172.16.0.25/32"})
+}
+
+// nolint: dupl
+func TestOverlappingAddressesIPv6(t *testing.T) {
+	_, ipNet, err := net.ParseCIDR("fe80::/64")
+	require.NoError(t, err)
+
+	srv := next.NewNetworkServiceServer(filteripam.NewServer(point2pointipam.NewServer, ipNet))
+
+	emptyRequest := newRequest("empty")
+
+	request := newRequest("id")
+	request.Connection.Id = "id"
+	request.Connection.Context.IpContext.SrcIpAddrs = []string{"fe80::1/128", "fe80::fa01/128"}
+	request.Connection.Context.IpContext.DstIpAddrs = []string{"fe80::/128", "fe80::fa00/128"}
+	request.Connection.Context.IpContext.SrcRoutes = []*networkservice.Route{{Prefix: "fe80::/128"}, {Prefix: "fe80::fa00/128"}}
+	request.Connection.Context.IpContext.DstRoutes = []*networkservice.Route{{Prefix: "fe80::1/128"}, {Prefix: "fe80::fa01/128"}}
+
+	conn1, err := srv.Request(context.Background(), emptyRequest)
+	require.NoError(t, err)
+	validateConns(t, conn1, []string{"fe80::/128"}, []string{"fe80::1/128"})
+
+	conn2, err := srv.Request(context.Background(), request.Clone())
+	require.NoError(t, err)
+	validateConns(t, conn2, []string{"fe80::fa00/128"}, []string{"fe80::fa01/128"})
+
+	_, err = srv.Close(context.Background(), conn1)
+	require.NoError(t, err)
+
+	conn2, err = srv.Request(context.Background(), request)
+	require.NoError(t, err)
+	validateConns(t, conn2, []string{"fe80::/128", "fe80::fa00/128"}, []string{"fe80::1/128", "fe80::fa01/128"})
+}
diff --git a/pkg/networkservice/ipam/point2pointipam/server.go b/pkg/networkservice/ipam/point2pointipam/server.go
@@ -1,6 +1,6 @@
 // Copyright (c) 2020-2022 Doc.ai and/or its affiliates.
 //
-// Copyright (c) 2022-2023 Cisco and/or its affiliates.
+// Copyright (c) 2022-2024 Cisco and/or its affiliates.
 //
 // SPDX-License-Identifier: Apache-2.0
 //

diff --git a/pkg/networkservice/ipam/strictipam/server.go b/pkg/networkservice/ipam/strictipam/server.go
@@ -39,7 +39,7 @@ func NewServer(newIPAMServer func(...*net.IPNet) networkservice.NetworkServiceSe
 	}
 	var ipPool = ippool.New(net.IPv6len)
 	for _, p := range prefixes {
-		ipPool.AddNet(p)
+		ipPool.AddNet(ipNetToIpv6Net(p))
 	}
 	return next.NewNetworkServiceServer(
 		&strictIPAMServer{ipPool: ipPool},
@@ -68,3 +68,15 @@ func (n *strictIPAMServer) Request(ctx context.Context, request *networkservice.
 func (n *strictIPAMServer) Close(ctx context.Context, conn *networkservice.Connection) (*empty.Empty, error) {
 	return next.Server(ctx).Close(ctx, conn)
 }
+
+func ipNetToIpv6Net(ipNet *net.IPNet) *net.IPNet {
+	if len(ipNet.IP) == net.IPv6len {
+		return ipNet
+	}
+	ipv6Net := new(net.IPNet)
+	ipv6Net.IP = ipNet.IP.To16()
+	ipv6Net.Mask = make([]byte, 16)
+	copy(ipv6Net.Mask[12:], ipNet.Mask)
+
+	return ipv6Net
+}