From: Daniel Kral <d.kral@proxmox.com>
To: pve-devel@lists.proxmox.com
Subject: [pve-devel] [PATCH common 2/2] net: add name checks when creating bridge and veth interfaces
Date: Wed, 25 Sep 2024 13:39:30 +0200
Message-ID: <20240925113930.92754-2-d.kral@proxmox.com>
In-Reply-To: <20240925113930.92754-1-d.kral@proxmox.com>

Adds checks when creating interfaces with `veth_create`, which is used
when creating the veth interface for Linux firewall bridges, and
`iface_create`, which is used when creating Linux / OVS firewall bridges
and VLAN bridges.

There are no functional changes in `veth_create` except the added check.

Without these checks, the following cases:

- When creating more than 10 Linux firewall bridges on a VM with 9
  digits, e.g. 'fwbr999999999i10' is too long for an interface name
- When creating a VLAN bridge on a bridge that already has a long name,
  e.g. the bridge 'abcdefghjklm' will try to create 'abcdefghijklmv249'

will fail with a rather unhelpful error message from the kernel:

> Error: Attribute failed policy validation.

Signed-off-by: Daniel Kral <d.kral@proxmox.com>
---
This change was not part of the initial bug report #5454, which is why I
split it up. It is in no part essential for patch #1, but rather to add
preliminary checks at other places where similar errors could happen.
src/PVE/Network.pm | 26 +++++++++++++++++---------
1 file changed, 17 insertions(+), 9 deletions(-)
diff --git a/src/PVE/Network.pm b/src/PVE/Network.pm
index dd627f2..cde7949 100644
--- a/src/PVE/Network.pm
+++ b/src/PVE/Network.pm
@@ -190,6 +190,10 @@ sub iface_delete :prototype($) {
sub iface_create :prototype($$@) {
my ($iface, $type, @args) = @_;
+
+ eval { check_iface_name($iface) };
+ die "failed to create interface '$iface' - $@" if $@;
+
run_command(['/sbin/ip', 'link', 'add', $iface, 'type', $type, @args], noerr => 1)
== 0 or die "failed to create interface '$iface'\n";
return;
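Review bot: the new `die` in `iface_create` interpolates `$@` with no trailing newline, while the existing `run_command` failure message two lines below ends in "\n" and the `veth_create` path in the same patch appends "\n" after `$@`. `check_iface_name` is not defined in this patch, so whether its message already ends in a newline is not visible here: if it does not, Perl appends the file and line number to this user-facing error; if it does, the `veth_create` message ends with a doubled newline. Please pick one convention for both call sites. A one-line comment above the check saying that it enforces the interface name limit would also help, since the kernel error it pre-empts gives no hint of the cause.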
@@ -376,17 +380,21 @@ sub veth_create {
# create veth pair
if (! -d "/sys/class/net/$veth") {
- my $cmd = ['/sbin/ip', 'link', 'add'];
- # veth device + MTU
- push @$cmd, 'name', $veth;
- push @$cmd, 'mtu', $bridgemtu;
- push @$cmd, 'type', 'veth';
- # peer device + MTU
- push @$cmd, 'peer', 'name', $vethpeer, 'mtu', $bridgemtu;
+ eval {
+ check_iface_name($veth);
- push @$cmd, 'addr', $mac if $mac;
+ my $cmd = ['/sbin/ip', 'link', 'add'];
+ # veth device + MTU
+ push @$cmd, 'name', $veth;
+ push @$cmd, 'mtu', $bridgemtu;
+ push @$cmd, 'type', 'veth';
+ # peer device + MTU
+ push @$cmd, 'peer', 'name', $vethpeer, 'mtu', $bridgemtu;
- eval { run_command($cmd) };
+ push @$cmd, 'addr', $mac if $mac;
+
+ run_command($cmd);
+ };
die "can't create interface $veth - $@\n" if $@;
}
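Review bot: in `veth_create` only `$veth` is passed to `check_iface_name`; `$vethpeer` is still handed to `ip link add` as the `peer name` unchecked, so an over-long peer name would reach the kernel and produce the same opaque policy-validation error the commit message describes. Consider adding `check_iface_name($vethpeer);` directly after the existing check inside the `eval`. With the check inside the `eval`, a rejected name is also reported under the "can't create interface" prefix, which reads acceptably, but the trailing "\n" after `$@` should be reconciled with the message format used in `iface_create`.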
--
2.39.5
Thread overview: 3+ messages
2024-09-25 11:39 [pve-devel] [PATCH common 1/2] fix #5454: net: check names for vlan bridge slave interfaces Daniel Kral
2024-09-25 11:39 ` Daniel Kral [this message]
2024-11-11 18:36 ` [pve-devel] applied: " Thomas Lamprecht