istio.io/istio@v0.0.0-20240520182934-d79c90f27776/tools/istio-iptables/pkg/config/validation.go (about)

     1  // Copyright Istio Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package config
    16  
    17  import (
    18  	"fmt"
    19  	"net/netip"
    20  )
    21  
const (
	// maxOwnerGroupsInclude bounds the number of owner groups (GIDs) whose
	// outgoing traffic may be explicitly included for redirection to Envoy.
	//
	// Due to implementation constraints, we have to impose a limit on the
	// number of owner groups whose outgoing traffic should be redirected
	// to Envoy.
	//
	// Since all included groups will be translated into a single iptables
	// rule that combines N match expressions `-m owner ! --gid-owner <GID>`,
	// we need to be sure it won't be too long.
	//
	// Most common Linux distributions allow no more than 128-1200
	// match expressions per rule, so 64 leaves a comfortable margin.
	maxOwnerGroupsInclude = 64
)
    35  
// ValidateOwnerGroups checks that an explicit include list of owner groups
// does not exceed maxOwnerGroupsInclude, since every included group becomes
// one match expression in a single iptables rule.
//
// include and exclude are parsed with ParseInterceptFilter. When the result
// is an exclusion filter (filter.Except), the limit does not apply and nil is
// returned. Otherwise an error naming the limit, the actual count and the
// offending values is returned when the count is too large.
func ValidateOwnerGroups(include, exclude string) error {
	filter := ParseInterceptFilter(include, exclude)
	if filter.Except {
		// Exclusion filters are not expanded into one match per group,
		// so the rule-length limit is not a concern here.
		return nil
	}
	if count := len(filter.Values); count > maxOwnerGroupsInclude {
		return fmt.Errorf("number of owner groups whose outgoing traffic "+
			"should be redirected to Envoy cannot exceed %d, got %d: %v",
			maxOwnerGroupsInclude, count, filter.Values)
	}
	return nil
}
    45  
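// ValidateIPv4LoopbackCidr checks that cidr is a well-formed IPv4 CIDR whose
// address lies in the loopback block (127.0.0.0/8) and whose prefix length is
// in the range [8, 32], so the resulting prefix can never widen beyond 127/8.
//
// It returns nil when all checks pass. The parse error from net/netip is
// wrapped with %w so callers can inspect it with errors.Is/errors.As; the
// rendered message is the same as with %v.
func ValidateIPv4LoopbackCidr(cidr string) error {
	ipp, err := netip.ParsePrefix(cidr)
	if err != nil {
		return fmt.Errorf("failed to parse CIDR %s: %w", cidr, err)
	}

	// Is4 is false for IPv6 addresses, including IPv4-mapped ones
	// (::ffff:127.0.0.1), and IsLoopback restricts IPv4 to 127.0.0.0/8.
	addr := ipp.Addr()
	if !addr.Is4() || !addr.IsLoopback() {
		return fmt.Errorf("expected valid IPv4 loopback address in CIDR %s; found %v", cidr, addr)
	}

	// A prefix shorter than /8 would cover addresses outside the loopback
	// block. ParsePrefix already rejects lengths above 32 for IPv4, so the
	// upper bound is only a defensive check.
	ones := ipp.Bits()
	if ones < 8 || ones > 32 {
		return fmt.Errorf("expected CIDR %s to have mask in range [8, 32]; found %v", cidr, ones)
	}
	return nil
}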