From 4f233cd0f430af2172ec4e596f70181a8c6f62ef Mon Sep 17 00:00:00 2001 From: "William A. Kennington III" Date: Fri, 7 May 2021 03:25:25 -0700 Subject: meta-google: gbmc-bridge: Look at IP bytes instead of regex Change-Id: Ie3a20df633346692039103edc882e202b7c3309b Signed-off-by: William A. Kennington III --- .../networking/gbmc-bridge/gbmc-br-gw-src.sh | 13 +++++++++++-- .../recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh | 15 ++++++++++++--- 2 files changed, 23 insertions(+), 5 deletions(-) diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-gw-src.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-gw-src.sh index 1364efd7b..f765b0d10 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-gw-src.sh +++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-gw-src.sh @@ -14,6 +14,8 @@ [ -z "${gbmc_br_gw_src_lib-}" ] || return +source /usr/share/network/lib.sh || exit + gbmc_br_gw_src_ip= declare -A gbmc_br_gw_src_routes=() @@ -48,8 +50,15 @@ gbmc_br_gw_src_hook() { # prefix (:fd00:). So 2002:af4:3480:2248:fd00:6345:3069:9186 would be # matched as the preferred source IP for outoging traffic. elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' -a "$scope" = 'global' ] && - [[ "$fam" == 'inet6' && "$ip" =~ ^([^:]+:){4}fd00:.*$ ]] && - [[ "$flags" != *tentative* ]]; then + [[ "$fam" == 'inet6' && "$flags" != *tentative* ]]; then + local ip_bytes=() + if ! ip_to_bytes ip_bytes "$ip"; then + echo "gBMC Bridge Ensure RA Invalid IP: $ip" >&2 + return 1 + fi + if (( ip_bytes[9] != 0xfd || ip_bytes[10] != 0 )); then + return 0 + fi if [ "$action" = 'add' -a "$ip" != "$gbmc_br_gw_src_ip" ]; then gbmc_br_gw_src_ip="$ip" gbmc_br_gw_src_update diff --git a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh index 2099185e8..185d78b81 100644 --- a/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh 
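Review bot: `|| exit` on the added `source` line ends the whole sourcing shell when lib.sh fails to load, while the include guard directly above leaves the file with `return`, which suggests this script is itself sourced rather than executed. If only this hook should be skipped, `source /usr/share/network/lib.sh || return` keeps the caller alive. If stopping the caller is intended, a comment such as `# hooks cannot parse addresses without lib.sh, so abort the caller` would record that. The same line is added in the first hunk of gbmc-br-nft.sh.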
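Review bot: The byte test `ip_bytes[9] != 0xfd || ip_bytes[10] != 0` looks one element too far to the right if ip_to_bytes fills a zero-based array of 16 bytes (its definition is in lib.sh, outside this diff). The removed regex required `fd00` as the fifth group, which is bytes 8 and 9, so for the example address in the comment above element 9 is 0x00 and the branch returns 0 before the source IP is set; `if (( ip_bytes[8] != 0xfd || ip_bytes[9] != 0 )); then` would keep the old match. The second hunk of gbmc-br-nft.sh uses the same index in `ip_bytes[9] != 0xfd`, where it decides whether the /72 firewall prefix is installed at all. Separately, the error text says "Ensure RA" although this file is gbmc-br-gw-src.sh, which will mislead whoever reads the log. gbmc_br_gw_src_hook starts and ends outside the hunk.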
+++ b/meta-google/recipes-google/networking/gbmc-bridge/gbmc-br-nft.sh @@ -14,6 +14,8 @@ [ -z "${gbmc_br_nft_lib-}" ] || return +source /usr/share/network/lib.sh || exit + gbmc_br_nft_init= gbmc_br_nft_pfx= @@ -48,9 +50,16 @@ gbmc_br_nft_hook() { # (:fdxx:). So 2002:af4:3480:2248:fd02:6345:3069:9186 would become # a 2002:af4:3480:2248:fd00/72 rule. elif [ "$change" = 'addr' -a "$intf" = 'gbmcbr' -a "$scope" = 'global' ] && - [[ "$fam" == 'inet6' && "$ip" =~ ^(([^:]+:){4}fd)[^:]{2}:.*$ ]] && - [[ "$flags" != *tentative* ]]; then - pfx="${BASH_REMATCH[1]}00::/72" + [[ "$fam" == 'inet6' && "$flags" != *tentative* ]]; then + local ip_bytes=() + if ! ip_to_bytes ip_bytes "$ip"; then + echo "gBMC Bridge NFT Invalid IP: $ip" >&2 + return 1 + fi + if (( ip_bytes[9] != 0xfd )); then + return 0 + fi + pfx="$(printf '%02x%02x:%02x%02x:%02x%02x:%02x%02x:fd00::/72' "${ip_bytes[@]}")" if [ "$action" = "add" -a "$pfx" != "$gbmc_br_nft_pfx" ]; then gbmc_br_nft_pfx="$pfx" gbmc_br_nft_update -- cgit v1.2.3
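Review bot: The `printf` that builds `pfx` receives every element of `ip_bytes`, but its format has only eight `%02x` conversions, and bash reapplies the format to any leftover arguments. If ip_to_bytes yields 16 elements for an IPv6 address (not visible in this diff), the result is two concatenated prefix strings rather than one /72, and that value is stored in `gbmc_br_nft_pfx` before `gbmc_br_nft_update` runs. Passing only the first eight bytes avoids it: `"${ip_bytes[@]:0:8}"`. gbmc_br_nft_hook starts and ends outside the hunk.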