We use cookies to ensure you get the best experience on our website
Home Explore Help
Register Sign In
0ct0pu5
/
moby
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

Merge pull request #31170 from aboch/c1.13.x

[1.13.x/17.03.x] Vendoring libnetwork @ce28404
Victor Vieux 8 years ago
parent
8b1112be3b 855eb121aa
commit
d1c1b391bc
3 changed files with 37 additions and 1 deletions
Split View Show Diff Stats
  1. 1 1
      vendor.conf
  2. 34 0
      vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
  3. 2 0
      vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go

+ 1 - 1
vendor.conf
View File 

@@ -23,7 +23,7 @@ github.com/RackSec/srslog 456df3a81436d29ba874f3590eeeee25d666f8a5
 
 github.com/imdario/mergo 0.2.1
 
 
 #get libnetwork packages
 
-github.com/docker/libnetwork bba65e5e191eccfbc8e2f6455c527b407c2be5ff
 
+github.com/docker/libnetwork ce28404512e8fac9b8103b9072e75cf8d4339302
 
 github.com/docker/go-events 18b43f1bc85d9cdd42c05a6cd2d444c7a200a894
 
 github.com/armon/go-radix e39d623f12e8e41c7b5529e9a9dd67a1e2261f80
 
 github.com/armon/go-metrics eb0af217e5e9747e41dd5303755356b62d28e3ec

+ 34 - 0
vendor/github.com/docker/libnetwork/drivers/overlay/encryption.go
View File 

@@ -138,6 +138,11 @@ func setupEncryption(localIP, advIP, remoteIP net.IP, vni uint32, em *encrMap, k
 
 		logrus.Warn(err)
 
 	}
 
 
+	err = programInput(vni, true)
 
+	if err != nil {
 
+		logrus.Warn(err)
 
+	}
 
+
 
 	for i, k := range keys {
 
 		spis := &spi{buildSPI(advIP, remoteIP, k.tag), buildSPI(remoteIP, advIP, k.tag)}
 
 		dir := reverse
 
@@ -219,6 +224,35 @@ func programMangle(vni uint32, add bool) (err error) {
 
 	return
 
 }
 
 
+func programInput(vni uint32, add bool) (err error) {
 
+	var (
 
+		port       = strconv.FormatUint(uint64(vxlanPort), 10)
 
+		vniMatch   = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
 
+		plainVxlan = []string{"-p", "udp", "--dport", port, "-m", "u32", "--u32", vniMatch, "-j"}
 
+		ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...)
 
+		block      = append(plainVxlan, "DROP")
 
+		accept     = append(ipsecVxlan, "ACCEPT")
 
+		chain      = "INPUT"
 
+		action     = iptables.Append
 
+		msg        = "add"
 
+	)
 
+
 
+	if !add {
 
+		action = iptables.Delete
 
+		msg = "remove"
 
+	}
 
+
 
+	if err := iptables.ProgramRule(iptables.Filter, chain, action, accept); err != nil {
 
+		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
 
+	}
 
+
 
+	if err := iptables.ProgramRule(iptables.Filter, chain, action, block); err != nil {
 
+		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
 
+	}
 
+
 
+	return
 
+}
 
+
 
 func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (fSA *netlink.XfrmState, rSA *netlink.XfrmState, err error) {
 
 	var (
 
 		action      = "Removing"

+ 2 - 0
vendor/github.com/docker/libnetwork/drivers/overlay/ov_network.go
View File 

@@ -154,6 +154,7 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 
 	if !n.secure {
 
 		for _, vni := range vnis {
 
 			programMangle(vni, false)
 
+			programInput(vni, false)
 
 		}
 
 	}
 
 
@@ -204,6 +205,7 @@ func (d *driver) DeleteNetwork(nid string) error {
 
 	if n.secure {
 
 		for _, vni := range vnis {
 
 			programMangle(vni, false)
 
+			programInput(vni, false)
 
 		}
 
 	}

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5