From abc68bf79c2c25e47931d0261ca09e86a1923bd5 Mon Sep 17 00:00:00 2001
From: Stoiko Ivanov <s.ivanov@proxmox.com>
Date: Tue, 12 Mar 2019 16:07:40 +0100
Subject: [PATCH] mac_prefix: do not allow multicast prefixes

MAC-addresses having the LSB of the first octet set, are considered
multicast-addresses (see [0,1]). LXC (the kernel) does not allow
such a mac-address to be set for a device, thus preventing containers from
starting if a multicast prefix is set (reported in [2] by Alexandre)

This patch introduces 'mac-prefix' (permitting only unicast prefixes) via
register_format and uses it instead of the pattern.

[0] https://lists.linuxcontainers.org/pipermail/lxc-users/2010-August/000783.html
[1] https://en.wikipedia.org/wiki/MAC_address
[2] https://pve.proxmox.com/pipermail/pve-devel/2019-March/035996.html

Signed-off-by: Stoiko Ivanov <s.ivanov@proxmox.com>
---
 data/PVE/Cluster.pm | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/data/PVE/Cluster.pm b/data/PVE/Cluster.pm
index e52bf9d..5c71c1c 100644
--- a/data/PVE/Cluster.pm
+++ b/data/PVE/Cluster.pm
@@ -1348,6 +1348,16 @@ my $ha_format = {
     }
 };
 
+PVE::JSONSchema::register_format('mac-prefix', \&pve_verify_mac_prefix);
+sub pve_verify_mac_prefix {
+    my ($mac_prefix, $noerr) = @_;
+
+    if ($mac_prefix !~ m/^[a-f0-9][02468ace](?::[a-f0-9]{2}){0,2}:?$/i) {
+	return undef if $noerr;
+	die "value is not a valid unicast MAC address prefix\n";
+    }
+    return $mac_prefix;
+}
 
 my $datacenter_schema = {
     type => "object",
@@ -1440,7 +1450,7 @@ my $datacenter_schema = {
 	mac_prefix => {
 	    optional => 1,
 	    type => 'string',
-	    pattern => qr/[a-f0-9]{2}(?::[a-f0-9]{2}){0,2}:?/i,
+	    format => 'mac-prefix',
 	    description => 'Prefix for autogenerated MAC addresses.',
 	},
 	bwlimit => PVE::JSONSchema::get_standard_option('bwlimit'),
-- 
2.39.2