
Merge pull request #1652 from aboch/iec

Once a network is encrypted, do not accept clear packets from it
Madhu Venugopal 8 лет назад
Родитель
Сommit
f6b3b3675c
2 измененных файлов с 36 добавлено и 0 удалено
  1. 34 0
      libnetwork/drivers/overlay/encryption.go
  2. 2 0
      libnetwork/drivers/overlay/ov_network.go

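--- a/libnetwork/drivers/overlay/encryption.go
+++ b/libnetwork/drivers/overlay/encryption.go
@@ -138,6 +138,11 @@ func setupEncryption(localIP, advIP, remoteIP net.IP, vni uint32, em *encrMap, k
 		logrus.Warn(err)
 	}
 
+	err = programInput(vni, true)
+	if err != nil {
+		logrus.Warn(err)
+	}
+
 	for i, k := range keys {
 		spis := &spi{buildSPI(advIP, remoteIP, k.tag), buildSPI(remoteIP, advIP, k.tag)}
 		dir := reverse
@@ -219,6 +224,35 @@ func programMangle(vni uint32, add bool) (err error) {
 	return
 }
 
+func programInput(vni uint32, add bool) (err error) {
+	var (
+		port       = strconv.FormatUint(uint64(vxlanPort), 10)
+		vniMatch   = fmt.Sprintf("0>>22&0x3C@12&0xFFFFFF00=%d", int(vni)<<8)
+		plainVxlan = []string{"-p", "udp", "--dport", port, "-m", "u32", "--u32", vniMatch, "-j"}
+		ipsecVxlan = append([]string{"-m", "policy", "--dir", "in", "--pol", "ipsec"}, plainVxlan...)
+		block      = append(plainVxlan, "DROP")
+		accept     = append(ipsecVxlan, "ACCEPT")
+		chain      = "INPUT"
+		action     = iptables.Append
+		msg        = "add"
+	)
+
+	if !add {
+		action = iptables.Delete
+		msg = "remove"
+	}
+
+	if err := iptables.ProgramRule(iptables.Filter, chain, action, accept); err != nil {
+		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
+	}
+
+	if err := iptables.ProgramRule(iptables.Filter, chain, action, block); err != nil {
+		logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, err)
+	}
+
+	return
+}
+
 func programSA(localIP, remoteIP net.IP, spi *spi, k *key, dir int, add bool) (fSA *netlink.XfrmState, rSA *netlink.XfrmState, err error) {
 	var (
 		action      = "Removing"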
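Review bot: The named result err of programInput is never assigned, because both `if err := iptables.ProgramRule(...); err != nil` lines declare a fresh err scoped to the if, so the function always returns nil and the `if err != nil { logrus.Warn(err) }` check added to setupEncryption in the first hunk can never fire (setupEncryption starts and ends outside that hunk). Keeping the DROP rule install even when the ACCEPT rule failed is the safer order (the VNI ends up fail-closed rather than fail-open), so record the failure without returning early, e.g. `if e := iptables.ProgramRule(iptables.Filter, chain, action, accept); e != nil { logrus.Errorf("could not %s input rule: %v. Please do it manually.", msg, e); err = e }` and the same for block. Once the error is actually propagated, report it at one layer only: either the Errorf here or the Warn in the caller, not both. A separate portability nit on the vniMatch line: `int(vni)<<8` overflows a 32-bit int for VNIs at or above 0x800000 and yields a negative u32 operand; `uint64(vni)<<8` with the same `%d` verb is correct on every platform.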

+ 2 - 0
libnetwork/drivers/overlay/ov_network.go

@@ -154,6 +154,7 @@ func (d *driver) CreateNetwork(id string, option map[string]interface{}, nInfo d
 	if !n.secure {
 	if !n.secure {
 		for _, vni := range vnis {
 		for _, vni := range vnis {
 			programMangle(vni, false)
 			programMangle(vni, false)
+			programInput(vni, false)
 		}
 		}
 	}
 	}
 
 
@@ -204,6 +205,7 @@ func (d *driver) DeleteNetwork(nid string) error {
 	if n.secure {
 	if n.secure {
 		for _, vni := range vnis {
 		for _, vni := range vnis {
 			programMangle(vni, false)
 			programMangle(vni, false)
+			programInput(vni, false)
 		}
 		}
 	}
 	}