Add port validator to ensure configurable ports are valid

Signed-off-by: Lan Luo <[email protected]>

Author: luolanzone

cmd/antrea-agent/options.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -34,6 +35,7 @@ import (
 	agentconfig "antrea.io/antrea/pkg/config/agent"
 	"antrea.io/antrea/pkg/features"
 	"antrea.io/antrea/pkg/ovs/ovsconfig"
+	"antrea.io/antrea/pkg/util/checks"
 	"antrea.io/antrea/pkg/util/env"
 	"antrea.io/antrea/pkg/util/flowexport"
 	"antrea.io/antrea/pkg/util/ip"
@@ -193,7 +195,7 @@ func (o *Options) setDefaults() {
 	if o.config.OVSRunDir == "" {
 		o.config.OVSRunDir = ovsconfig.DefaultOVSRunDir
 	}
-	if o.config.APIPort == 0 {
+	if !checks.IsValidPort(o.config.APIPort) {
 		o.config.APIPort = apis.AntreaAgentAPIPort
 	}
 	if o.config.NodeType == "" {
@@ -430,13 +432,13 @@ func (o *Options) setK8sNodeDefaultOptions() {
 	if o.config.AntreaProxy.DefaultLoadBalancerMode == "" {
 		o.config.AntreaProxy.DefaultLoadBalancerMode = config.LoadBalancerModeNAT.String()
 	}
-	if o.config.ClusterMembershipPort == 0 {
+	if !checks.IsValidPort(o.config.ClusterMembershipPort) {
 		o.config.ClusterMembershipPort = apis.AntreaAgentClusterMembershipPort
 	}
 	if o.config.EnablePrometheusMetrics == nil {
 		o.config.EnablePrometheusMetrics = ptr.To(true)
 	}
-	if o.config.WireGuard.Port == 0 {
+	if !checks.IsValidPort(o.config.WireGuard.Port) {
 		o.config.WireGuard.Port = apis.WireGuardListenPort
 	}
 
@@ -534,6 +536,10 @@ func (o *Options) validateK8sNodeOptions() error {
 		o.config.TunnelType != ovsconfig.GRETunnel && o.config.TunnelType != ovsconfig.STTTunnel {
 		return fmt.Errorf("tunnel type %s is invalid", o.config.TunnelType)
 	}
+	// Zero for tunnelPort means Antrea will use the assigned IANA port for a given tunnel protocol.
+	if o.config.TunnelPort != 0 && !checks.IsValidPort(int(o.config.TunnelPort)) {
+		return fmt.Errorf("tunnel port %d is invalid", o.config.TunnelPort)
+	}
 	ok, encryptionMode := config.GetTrafficEncryptionModeFromStr(o.config.TrafficEncryptionMode)
 	if !ok {
 		return fmt.Errorf("TrafficEncryptionMode %s is unknown", o.config.TrafficEncryptionMode)
@@ -605,8 +611,9 @@ func (o *Options) validateK8sNodeOptions() error {
 
 	if o.config.DNSServerOverride != "" {
 		hostPort := ip.AppendPortIfMissing(o.config.DNSServerOverride, "53")
-		_, _, err := net.SplitHostPort(hostPort)
-		if err != nil {
+		_, port, err := net.SplitHostPort(hostPort)
+		portNum, parseErr := strconv.Atoi(port)
+		if err != nil || !checks.IsValidPort(portNum) || parseErr != nil {
 			return fmt.Errorf("dnsServerOverride %s is invalid: %v", o.config.DNSServerOverride, err)
 		}
 		o.dnsServerOverride = hostPort
@@ -706,7 +713,7 @@ func (o *Options) setExternalNodeDefaultOptions() {
 func (o *Options) setMulticlusterDefaultOptions() {
 	_, trafficEncryptionModeType := config.GetTrafficEncryptionModeFromStr(o.config.Multicluster.TrafficEncryptionMode)
 	if trafficEncryptionModeType == config.TrafficEncryptionModeWireGuard {
-		if o.config.Multicluster.WireGuard.Port == 0 {
+		if !checks.IsValidPort(o.config.Multicluster.WireGuard.Port) {
 			o.config.Multicluster.WireGuard.Port = apis.MulticlusterWireGuardListenPort
 		}
 	}

cmd/antrea-agent/options_linux_test.go

@@ -88,6 +88,7 @@ func TestMulticlusterOptions(t *testing.T) {
 				FeatureGates:     map[string]bool{"Multicluster": tt.featureGate},
 				TrafficEncapMode: tt.encapMode,
 				Multicluster:     tt.mcConfig,
+				TunnelPort:       6081,
 			}
 			if tt.encryptionMode != "" {
 				config.TrafficEncryptionMode = tt.encryptionMode

pkg/util/checks/checks.go

@@ -0,0 +1,23 @@
+// Copyright 2025 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package checks
+
+// IsValidPort checks if the given port number is within the valid range of 1 to 65535.
+func IsValidPort(port int) bool {
+	if port < 1 || port > 65535 {
+		return false
+	}
+	return true
+}

pkg/util/checks/checks_test.go

@@ -0,0 +1,52 @@
+// Copyright 2025 Antrea Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package checks
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsValidPort(t *testing.T) {
+	tests := []struct {
+		name     string
+		port     int
+		expected bool
+	}{
+		{
+			name:     "invalid port 0",
+			port:     0,
+			expected: false,
+		},
+		{
+			name:     "invalid port 70000",
+			port:     70000,
+			expected: false,
+		},
+		{
+			name:     "valid port",
+			port:     65500,
+			expected: true,
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			result := IsValidPort(tc.port)
+			assert.Equal(t, tc.expected, result)
+		})
+	}
+}

pkg/util/flowexport/flowexport.go

@@ -17,10 +17,12 @@ package flowexport
 import (
 	"fmt"
 	"regexp"
+	"strconv"
 	"strings"
 	"time"
 
 	flowaggregatorconfig "antrea.io/antrea/pkg/config/flowaggregator"
+	"antrea.io/antrea/pkg/util/checks"
 )
 
 // ParseFlowCollectorAddr parses the flow collector address input for flow exporter and aggregator
@@ -44,6 +46,10 @@ func ParseFlowCollectorAddr(addr string, defaultPort string, defaultProtocol str
 			port = defaultPort
 		} else {
 			port = strSlice[1]
+			portNum, err := strconv.Atoi(port)
+			if !checks.IsValidPort(portNum) || err != nil {
+				port = defaultPort
+			}
 		}
 		if (strSlice[2] != "tls") && (strSlice[2] != "tcp") && (strSlice[2] != "udp") {
 			return host, port, proto, fmt.Errorf("connection over %s transport proto is not supported", strSlice[2])

pkg/util/flowexport/flowexport_test.go

@@ -67,6 +67,20 @@ func TestParseFlowCollectorAddr(t *testing.T) {
 			expectedProto: "tcp",
 			expectedError: nil,
 		},
+		{
+			addr:          "flow-aggregator/flow-aggregator:str:tcp",
+			expectedHost:  "flow-aggregator/flow-aggregator",
+			expectedPort:  defaultFlowCollectorPort,
+			expectedProto: "tcp",
+			expectedError: nil,
+		},
+		{
+			addr:          "flow-aggregator/flow-aggregator:78900:tcp",
+			expectedHost:  "flow-aggregator/flow-aggregator",
+			expectedPort:  defaultFlowCollectorPort,
+			expectedProto: "tcp",
+			expectedError: nil,
+		},
 		{
 			addr:          ":abbbsctp::",
 			expectedHost:  "",

pkg/util/k8s/client.go

@@ -18,6 +18,7 @@ import (
 	"fmt"
 	"net"
 	"os"
+	"strconv"
 	"strings"
 
 	discovery "k8s.io/api/discovery/v1"
@@ -33,6 +34,7 @@ import (
 
 	mcclientset "antrea.io/antrea/multicluster/pkg/client/clientset/versioned"
 	crdclientset "antrea.io/antrea/pkg/client/clientset/versioned"
+	"antrea.io/antrea/pkg/util/checks"
 )
 
 const (
@@ -125,6 +127,10 @@ func OverrideKubeAPIServer(kubeAPIServerOverride string) {
 		host = hostPort
 		port = "443"
 	}
+	portNum, err := strconv.Atoi(port)
+	if !checks.IsValidPort(portNum) || err != nil {
+		port = "443"
+	}
 	os.Setenv(kubeServiceHostEnvKey, host)
 	os.Setenv(kubeServicePortEnvKey, port)
 }