libn/d/overlay: support encryption on any port
While the VXLAN interface and the iptables rules to mark outgoing VXLAN
packets for encryption are configured to use the Swarm data path port,
the XFRM policies for actually applying the encryption are hardcoded to
match packets with destination port 4789/udp. Consequently, encrypted
overlay networks do not pass traffic when the Swarm is configured with
any other data path port: encryption is not applied to the outgoing
VXLAN packets and the destination host drops the received cleartext
packets. Use the configured data path port instead of hardcoding port
4789 in the XFRM policies.
Signed-off-by: Cory Snider <csnider@mirantis.com>
(cherry picked from commit 9a692a3802)
Signed-off-by: Cory Snider <csnider@mirantis.com>
This commit is contained in:
Cory Snider
parent
659604f9ee
commit
042f0799db
1 changed files with 4 additions and 4 deletions
|
|
@ -375,8 +375,8 @@ func programSP(fSA *netlink.XfrmState, rSA *netlink.XfrmState, add bool) error {
|
|||
Src: &net.IPNet{IP: s, Mask: fullMask},
|
||||
Dst: &net.IPNet{IP: d, Mask: fullMask},
|
||||
Dir: netlink.XFRM_DIR_OUT,
|
||||
Proto: 17,
|
||||
DstPort: 4789,
|
||||
Proto: syscall.IPPROTO_UDP,
|
||||
DstPort: int(overlayutils.VXLANUDPPort()),
|
||||
Mark: &spMark,
|
||||
Tmpls: []netlink.XfrmPolicyTmpl{
|
||||
{
|
||||
|
|
@ -589,8 +589,8 @@ func updateNodeKey(lIP, aIP, rIP net.IP, idxs []*spi, curKeys []*key, newIdx, pr
|
|||
Src: &net.IPNet{IP: s, Mask: fullMask},
|
||||
Dst: &net.IPNet{IP: d, Mask: fullMask},
|
||||
Dir: netlink.XFRM_DIR_OUT,
|
||||
Proto: 17,
|
||||
DstPort: 4789,
|
||||
Proto: syscall.IPPROTO_UDP,
|
||||
DstPort: int(overlayutils.VXLANUDPPort()),
|
||||
Mark: &spMark,
|
||||
Tmpls: []netlink.XfrmPolicyTmpl{
|
||||
{
|
||||
|
|
|
|||
Loading…
Reference in a new issue